IoT Security

Pwn2Own Toronto 2022, Day 1: Hackers Earn $400,000 for Galaxy S22, SOHO Exploits

On the first day of the Pwn2Own Toronto 2022 hacking competition, participants earned a total of $400,000 for new exploits targeting phones, printers, routers and NAS devices.

Eduard Kovacs

December 7, 2022

On the first day of the Pwn2Own Toronto 2022 hacking competition, participants earned a total of $400,000 for new exploits targeting phones, printers, routers and NAS devices.

The competition organized by Trend Micro’s Zero Day Initiative (ZDI) offers significant prizes for hacking mobile phones, wireless routers, home automation hubs, printers, smart speakers, and NAS devices.

The highest single reward on the first day went to the Devcore team, which participated in several Pwn2Own contests in the past years. They earned $100,000 for hacking a MikroTik router and a Canon printer connected to the router.

This reward is part of a new Pwn2Own category called “SOHO Smashup”, where a small office / home office (SOHO) scenario is simulated, with the goal being to hack a router on the WAN interface and then pivoting to the LAN, where a second device is hacked, such as a NAS appliance, a smart speaker, or a printer.

Printer hacked at Pwn2Own

The team Neodyme also had a successful entry in the SOHO Smashup category, earning $50,000 for hacking a Netgear router and an HP printer.

The Star Labs team also earned $50,000, for hacking a Samsung Galaxy S22 smartphone. A participant named Chim also managed to hack the Samsung phone, for a reward of $25,000.

Researchers at industrial and IoT cybersecurity firm Claroty earned $40,000 for hacking a Synology DiskStation NAS device.

There were also multiple $20,000 rewards for hacking Canon, HP and Lexmark printers, and TP-Link and Synology routers. Two teams earned $10,000 each for Synology NAS and HP printer hacks.

Excluding the SOHO Smashup entry, Netgear router exploits earned smaller rewards. For some contestants, including Tenable, their Netgear exploits were neutralized just days before the competition started by a last-minute hotfix released by the vendor.

Pwn2Own Toronto 2022 spans four days, with 26 contestants signing up for 66 exploits. ZDI said the number is unprecedented, and it has decided to only award the full cash prize to the first winner of each target, with subsequent exploits getting 50% of the prize money.

Written By Eduard Kovacs

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Latest News

Click to comment

Dealing With the Carcinization of Security

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Marc Solomon

Stop, Collaborate and Listen: Disrupting Cybercrime Networks Requires Private-Public Cooperation

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Derek Manky

How the Atomized Network Changed Enterprise Protection

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud, and edge.

Matt Wilson

Mapping Threat Intelligence to the NIST Compliance Framework Part 2

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.

Landon Winkelvoss

Password Dependency: How to Break the Cycle

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the password dependency cycle. But how can this be done?

Torsten George