Pwn2Own Toronto 2022, Day 1: Hackers Earn $400,000 for Galaxy S22, SOHO Exploits

On the first day of the Pwn2Own Toronto 2022 hacking competition, participants earned a total of $400,000 for new exploits targeting phones, printers, routers and NAS devices.

The competition organized by Trend Micro’s Zero Day Initiative (ZDI) offers significant prizes for hacking mobile phones, wireless routers, home automation hubs, printers, smart speakers, and NAS devices.

The highest single reward on the first day went to the Devcore team, which has participated in several Pwn2Own contests in past years. They earned $100,000 for hacking a MikroTik router and a Canon printer connected to the router.

This reward is part of a new Pwn2Own category called “SOHO Smashup”, which simulates a small office / home office (SOHO) scenario. The goal is to hack a router on the WAN interface and then pivot to the LAN, where a second device, such as a NAS appliance, a smart speaker, or a printer, is hacked.

The team Neodyme also had a successful entry in the SOHO Smashup category, earning $50,000 for hacking a Netgear router and an HP printer.

The Star Labs team also earned $50,000, for hacking a Samsung Galaxy S22 smartphone. A participant named Chim also managed to hack the Samsung phone, for a reward of $25,000.

Researchers at industrial and IoT cybersecurity firm Claroty earned $40,000 for hacking a Synology DiskStation NAS device.

There were also multiple $20,000 rewards for hacking Canon, HP and Lexmark printers, and TP-Link and Synology routers. Two teams earned $10,000 each for Synology NAS and HP printer hacks.

Excluding the SOHO Smashup entry, Netgear router exploits earned smaller rewards. For some contestants, including Tenable, their Netgear exploits were neutralized just days before the competition started by a last-minute hotfix released by the vendor.

Pwn2Own Toronto 2022 spans four days, with 26 contestants signing up for 66 exploits. ZDI said the number is unprecedented, and it has decided to only award the full cash prize to the first winner of each target, with subsequent exploits getting 50% of the prize money.

