Pwn2Own hackers use five zero-days to hack Galaxy S24 smartphone
Elite hackers have gathered in Ireland this week for a hacking competition known as Pwn2Own. The lure is twofold: more than $1,000,000 in bounty rewards to be won, but more importantly, the kudos that come with being awarded the title of Master of Pwn. One of the highest-profile hacks to have been pulled off during the zero-day hacking spree happened on Oct. 23, as Ken Gannon of the NCC Group exploited five security vulnerabilities to compromise a Samsung Galaxy 24 smartphone by getting shell access and installing an arbitrary application.
What Is Pwn2Own?
Pwn2Own is a hacking event with a history stretching back to 2007 and attracting some of the best ethical hackers and security researchers on the planet. The twice-yearly event brings these elite hackers together to “pwn” target devices, including the Samsung Galaxy S24 this year, by employing zero-day exploits against them. These are security attacks that use vulnerabilities device vendors and security professionals alike are not yet aware exist. Samsung has a history of being pwned during these events as it is one of the sponsors that readily give up their devices to find any security vulnerabilities unknown to the company, and so ultimately help protect end users.
The Samsung Galaxy S24 Irish Zero-Day
Previous events have seen a Samsung Galaxy S10 hacked, the Samsung Galaxy S22 hacked twice in 24 hours, and most recently a Samsung Galaxy S23 fall to the hacking elite. Now the Samsung Galaxy S24 smartphone can be added to the pwned list.
This is a good thing, as it means there is one less exploit waiting to be discovered by cybercriminal hackers to either run riot with or, as is often the case, sell to the highest bidder when it comes to particularly valuable zero-days. Money plays a part here, of course, with Gannonj being awarded a bounty of $50,000 for the exploit in question. The technical details of the exploit will be kept close to the chest of Samsung, and the Pwn2Own organisers the Trend Micro Zero-Day Initiative. Samsung will be given a 90 day grace period during which the vulnerabilities can be patched before the exploit proof of concept and details can be disclosed publicly.
