The four-day Pwn2Own event has ended, with white hat hackers earning nearly a million dollars this year.
Together, the teams found 63 zero-day vulnerabilities across devices from a range of technology OEMs. The highlight of Pwn2Own 2022 was Samsung's Galaxy S22, which was breached four times over the course of the event.
Pwn2Own 2022 Statistics
For those unfamiliar with it, Pwn2Own is an annual event where ethical hackers compete to find bugs in devices from participating OEMs and are paid for every previously unknown bug they successfully demonstrate. This year, the Pwn2Own held in Toronto paid out a total of $989,750 to the contestants for their contributions.
Closing the four-day event on December 9th, the Pwn2Own organizers said that about 63 zero-day exploits (plus multiple bug collisions) were found by 26 teams and security researchers across consumer-product categories including mobile phones, home automation hubs, printers, wireless routers, network-attached storage, and smart speakers.
The final numbers for #Pwn2Own Toronto 2022:
63 unique 0-days
36 different teams representing 14+ countries
See you at #Pwn2Own Miami in February!
— Zero Day Initiative (@thezdi) December 9, 2022
All of the targeted devices were running up-to-date software in their default configuration when they were hacked. While nobody signed up to attack the Apple iPhone 13 or the Google Pixel 6 smartphones, Samsung's Galaxy S22 was hacked four times during the event!
The first successful attempt came from STAR Labs on Day 1, which exploited an input validation bug to earn $50,000 and 5 Master of Pwn points. Chim followed by exploiting the same zero-day bug for $25,000, and Interrupt Labs and Pentest Limited did so on consecutive days.
Pentest Limited, in particular, demonstrated its zero-day exploit in just 55 seconds! Other brands whose devices were hit during the event include Canon, HP, Mikrotik, NETGEAR, Sonos, TP-Link, Lexmark, Synology, Ubiquiti, and Western Digital.
All of these OEMs are given 120 days to release patches for the reported bugs before ZDI discloses them publicly.