SecurityWeek

Pwn2Own Toronto 2022, Day 1: Hackers Earn $400,000 for Galaxy S22, SOHO Exploits

On the first day of the Pwn2Own Toronto 2022 hacking competition, participants earned a total of $400,000 for new exploits targeting phones, printers, routers and NAS devices.

The competition organized by Trend Micro’s Zero Day Initiative (ZDI) offers significant prizes for hacking mobile phones, wireless routers, home automation hubs, printers, smart speakers, and NAS devices.

The highest single reward on the first day went to the Devcore team, which has participated in several Pwn2Own contests in past years. They earned $100,000 for hacking a MikroTik router and a Canon printer connected to the router.

This reward is part of a new Pwn2Own category called “SOHO Smashup”, which simulates a small office / home office (SOHO) scenario: the goal is to hack a router on the WAN interface and then pivot to the LAN, where a second device, such as a NAS appliance, a smart speaker, or a printer, is hacked.

The team Neodyme also had a successful entry in the SOHO Smashup category, earning $50,000 for hacking a Netgear router and an HP printer.

The Star Labs team also earned $50,000, for hacking a Samsung Galaxy S22 smartphone. A participant named Chim also managed to hack the Samsung phone, for a reward of $25,000.

Researchers at industrial and IoT cybersecurity firm Claroty earned $40,000 for hacking a Synology DiskStation NAS device.

There were also multiple $20,000 rewards for hacking Canon, HP and Lexmark printers, and TP-Link and Synology routers. Two teams earned $10,000 each for Synology NAS and HP printer hacks.

Excluding the SOHO Smashup entry, Netgear router exploits earned smaller rewards. For some contestants, including Tenable, their Netgear exploits were neutralized just days before the competition started by a last-minute hotfix released by the vendor.

Pwn2Own Toronto 2022 spans four days, with 26 contestants signing up for 66 exploits. ZDI said the number is unprecedented, and it has decided to only award the full cash prize to the first winner of each target, with subsequent exploits getting 50% of the prize money.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
