Update, October 26, 2024: This story, originally published on October 24, includes the final results of the Pwn2Own Ireland 2024 hack event.
Elite hackers have gathered in Ireland this week for a hacking competition known as Pwn2Own. The lure is two-fold: more than $1,000,000 in prizes to be won and, more importantly, the accolades that come with being awarded the Master of Pwn title. One of the highest-profile hacks carried out during the zero-day hacking spree occurred on October 23, when Ken Gannon of NCC Group exploited five security vulnerabilities to compromise a Samsung Galaxy S24 smartphone by gaining shell access and installing an arbitrary application.
What is Pwn2Own?
Pwn2Own is a hacking event with a history that stretches back to 2007 and attracts some of the best ethical hackers and security researchers on the planet. The twice-yearly event brings together these elite hackers to “pwn” target devices, including this year’s Samsung Galaxy S24, using zero-day exploits against them. These are attacks that exploit vulnerabilities that hardware vendors and security professionals are not yet aware exist. Samsung has a history of stumbling during these events, as it is one of the sponsors that readily gives up its devices so that security vulnerabilities unknown to the company can be found, which ultimately helps protect end users.
Samsung Galaxy S24 Irish Zero-Day
Previous events have seen a Samsung Galaxy S10 hacked, the Samsung Galaxy S22 hacked twice in 24 hours, and recently a Samsung Galaxy S23 has fallen to the hacker elite. Now the Samsung Galaxy S24 smartphone can be added to the pwned list.
That’s a good thing, as it means there’s one less exploit waiting to be discovered by cybercriminal hackers to wreak havoc or, as is often the case when it comes to especially valuable zero-days, sell to the highest bidder. Money plays a role here, of course, with Gannon being awarded a $50,000 bounty for said exploit. The technical details of the exploit will be kept close to the chest by Samsung and the organizers of Pwn2Own, the Trend Micro Zero-Day Initiative. Samsung will be given a 90-day grace period during which the vulnerabilities can be patched before the proof-of-concept exploit and details can be publicly disclosed.
Pwn2Own Ireland 2024 is over—Samsung Galaxy S24 has only been hacked once
While in previous years there have been numerous successes when it comes to hacking the Samsung Galaxy S24 smartphone, this year’s event from Ireland has now ended with just that one successful compromise. With a total of $1,066,625 awarded in rewards for 70+ zero-day vulnerabilities, the focus has been primarily on network storage devices and printers. It will be interesting to see whether more of the emphasis shifts to smartphones at the next Pwn2Own competition in Tokyo, scheduled to take place between January 22 and 24, 2025.
The hackers who make up the Viettel Cyber Security team won the overall Master of Pwn title with 33 points and, are you ready, a whopping $205,000 in cash.
“This makes 4 contests in a row that have surpassed the million dollar mark,” said a ZDI spokesperson.