Galaxy S22 hacked twice at Pwn2Own hacking competition

Samsung’s flagship phone, the Galaxy S22, was hacked twice by two participants on day one of the Pwn2Own Toronto 2022 hacking competition. Both participants demoed their exploits on the phone by executing an improper input validation attack. 

The first team to breach the device was Star Labs, who successfully exploited a zero-day vulnerability on their third attempt. Another contestant, Chim, followed with a similar exploit. The two were awarded $50,000 and $25,000, respectively, with five Master of Pwn points each.

It took Star Labs three attempts, but they did manage to be the first ones to breach the phone.

Per the contest rules, the phone was running the latest version of Android, and the latest security updates were installed during both attempts. 

Pwn2Own Toronto is a hacking competition that allows attackers to work on different devices such as phones, printers, routers, NAS, smart speakers and home automation hubs, among others, from several manufacturers, including Apple, Canon, Google, Mikrotik, Netgear, TP-Link, Lexmark, Synology and HP.

Chim’s exploit revolves around an improper validation exploit in the S22’s calculator.

Phones, especially the Google Pixel 6 and iPhone 13, carry the highest rewards, with cash prizes going as high as $200,000. There’s also a $50,000 bonus if the exploits execute with kernel-level privileges. 

26 teams have registered for the event to try and exploit the 66 registered targets across all categories. The event has been extended to four days between December 6 and 8. As for the S22, Interrupt Labs hackers will take another jab at the device on day two of the competition.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
