Pwn2Own hacker uses 5 zero-days to hack Galaxy S24 smartphones
Updated October 26, 2024: This article was originally published on October 24 and contains the final results of the Pwn2Own Ireland 2024 hacking event.
Elite hackers gathered in Ireland this week for a hacking competition known as Pwn2Own. There are two attractions. Over $1,000,000 in prize money is up for grabs, but more importantly is the honor that comes with earning the title of Master of Pwn. One of the most high-profile zero-day hacks occurred on October 23rd. NCC Group’s Ken Gannon exploited five security vulnerabilities to gain shell access and access arbitrary applications.
What is Pwn2Own?
Pwn2Own is a hacking event with a history dating back to 2007 that brings together some of the best ethical hackers and security researchers on the planet. The twice-yearly event brings together these elite hackers to “buy” targeted devices, such as this year’s Samsung Galaxy S24, with zero-day exploits. These are security attacks that exploit vulnerabilities that device vendors and security experts don’t yet know exist. Samsung has a history of being acquired during these events as it is one of the sponsors who are quick to part with devices to find security vulnerabilities that they don’t know about, ultimately helping protect end users. There is.
Samsung Galaxy S24 Irish Zero Day
In previous events, the Samsung Galaxy S10 was hacked, the Samsung Galaxy S22 was hacked twice in 24 hours, and recently the Samsung Galaxy S23 fell into the hands of the hacking elite. Now you can add your Samsung Galaxy S24 smartphone to the pwned list.
This is good. Especially when it comes to valuable zero-days, it means one less exploit waiting to be discovered for cybercriminal hackers to run wild with or, as is often the case, sell it to the highest bidder. Of course, money plays a role here, with Ganonji being given a $50,000 bounty for the exploit in question. The technical details of this exploit are being kept confidential by Samsung and the Trend Micro Zero-Day Initiative, the organizers of Pwn2Own. Samsung will have a 90-day grace period to patch the vulnerability before the proof of concept and details of the exploit are released to the public.
Pwn2Own Ireland 2024 ends—Samsung Galaxy S24 hacked once and for all
While there are usually multiple success stories when it comes to hacking Samsung Galaxy S24 smartphones, this year’s event in Ireland ended with just one successful breach. A total of $1,066,625 was awarded for disclosing over 70 zero-day vulnerabilities, primarily focused on network storage devices and printers. It will be interesting to see what happens at the next Pwn2Own competition in Tokyo, scheduled to take place from January 22nd to 24th, 2025, once smartphones become a focus again.
The hackers who make up the Viettel Cyber Security team won the overall Master of Pwn title with 33 points and a whopping $205,000 in cash.
Pwn2Own Ireland 2024 Final Leaderboard
“This marks the fourth consecutive contest that has exceeded $1 million,” a ZDI spokesperson said.
