Pwn2Own Ireland 2024: A Showcase of Cybersecurity Prowess
In October 2024, security researchers from around the globe converged in Ireland for the highly anticipated Pwn2Own competition, an event that has become synonymous with cutting-edge cybersecurity research and vulnerability discovery. This year, the event unveiled over 70 zero-day vulnerabilities across a range of consumer devices, including the newly launched Samsung Galaxy S24 and popular network-attached storage (NAS) systems. Organized by Trend Micro’s Zero Day Initiative (ZDI), the competition rewarded participants with more than $1 million in total bounties, underscoring the pressing security risks associated with connected devices.
Pwn2Own: From Small Hackathons to Major Cybersecurity Event
Since its inception in 2007 at the CanSecWest security conference in Vancouver, Pwn2Own has transformed from a niche contest into a pivotal event in the cybersecurity landscape. Founded by security researcher Dragos Ruiu, the competition began as a challenge to hack laptops, with participants earning ownership of the devices they successfully compromised.
Today, Pwn2Own encompasses a diverse array of devices and software, including mobile phones, NAS systems, and home IoT products. The contest not only exposes vulnerabilities but also fosters collaboration between security experts and technology companies, promoting responsible bug reporting and the widespread adoption of bug bounty programs across the industry.
Day One: High Payouts and Fast-Paced Exploits
The opening day of Pwn2Own Ireland 2024 was nothing short of exhilarating, with researchers collectively earning nearly $516,000 in awards for hacking various connected devices, including home IoT equipment and networked printers. The Viettel Cyber Security team took an early lead, amassing 13 points through several successful hacks.
In a tweet summarizing the day, the Zero Day Initiative reported, “That’s a wrap on Day 1 of #Pwn2Own Ireland! We awarded $486,250 for 52 unique 0-days. Viettel Cyber Security (@vcslab) has an early lead for Master of Pwn with 13 points, but there’s lots of contest to go. Stay tuned for all of the latest results as Pwn2Own Ireland continues.”
Among the standout achievements was the Summoning Team’s use of nine distinct bugs to breach a QNAP NAS and a TrueNAS Mini X, netting them a remarkable $100,000. Meanwhile, RET2 Systems exploited an “out-of-bounds write” vulnerability in the Sonos Era 300, a memory error in which a program writes data outside the bounds of its intended buffer, allowing unauthorized data manipulation. The exploit added $60,000 to their winnings.
Major Brands Targeted: Samsung Galaxy and Canon Printers Hacked on Day Two
Day two of the competition saw familiar brands like Samsung, Canon, and HP take center stage. Ken Gannon of NCC Group deployed five different exploits on the Samsung Galaxy S24, achieving full shell access and the ability to install unauthorized applications. This impressive feat earned him $50,000 and solidified his team’s standing in the competition.
However, not all attempts were successful; the DEVCORE Internship Program’s multi-device attack was thwarted when the team failed to exploit a targeted printer despite gaining router access. This incident highlighted the unpredictable nature of the competition and the challenges researchers face in their quest to uncover vulnerabilities.
Day Three: NAS, Printers, and IoT Cameras Breached
The momentum continued on the third day, with a series of vulnerabilities exposed in NAS devices, printers, and security cameras. Viettel Cyber Security maintained its dominance, using a command injection to compromise the QNAP TS-464 NAS, earning an additional $10,000. Other notable entries included Team Smoking Barrels, which successfully broke into Synology’s BeeStation through a flaw in its network channel, also earning $10,000.
Throughout the day, “collision” incidents were common, where multiple teams independently exploited the same vulnerability. Viettel Cyber Security, for instance, encountered a collision on a Canon printer vulnerability previously exploited by another team. These repeated discoveries underscored key security gaps and reflected the intense, collaborative spirit of the competition.
Final Day: Payouts Exceed $1 Million as Event Concludes
The fourth and final day of Pwn2Own Ireland 2024 brought the event’s total prize pool to over $1 million. Returning to previously breached devices, Team Cluck used a chain of six exploits on QNAP and Lexmark devices, with one overlap from earlier in the competition. This effort added $23,000 to their total and boosted their standing in the Master of Pwn rankings.
As the competition concluded, the Zero Day Initiative celebrated the achievements of all participants, emphasizing the importance of their work in enhancing the security of consumer devices. The event not only showcased the vulnerabilities present in widely used technology but also highlighted the collaborative efforts of researchers to address these critical security issues.
In summary, Pwn2Own Ireland 2024 was a testament to the evolving landscape of cybersecurity, where researchers continue to push the boundaries of what is possible in the pursuit of a safer digital world. With over 70 vulnerabilities uncovered and more than $1 million awarded, the event solidified its status as a cornerstone of the cybersecurity community, inspiring future innovations and collaborations in the field.