Success at Pwn2Own Toronto 2023

As the days get shorter and the weather starts to turn, we know it’s that time of year again. No, not the build-up to Halloween, or even Christmas, it’s time for Pwn2Own! For those of you unaware of the event, Pwn2Own is one of the preeminent global zero-day competitions, where researchers attempt to find previously unknown vulnerabilities in popular consumer devices such as mobile phones, printers, smart speakers, google devices and home surveillance systems in return for cash prizes and points towards the overall Master of Pwn competition. 

2023 marks the 4th year that we’ve taken part in the competition and for those who want to know more about the format, you can check out our 2021 overview here. 

This year Sam Thomas, our Research Director, and the team decided to pit their skills against two devices – the Western Digital My Cloud Pro Series PR4100 (NAS Category) and the Samsung Galaxy S23 (Mobile Category). We’ve had previous success in the NAS Category, and with Samsung mobile devices, and were able to build on the skills and knowledge gained over the years to find novel vulnerabilities and create working exploits for both again this year. 

Whilst we can’t go into exact detail about vulnerabilities found – they are with the vendors to fix; we can give you a brief overview of the types of vulnerabilities and the Pwn2Own results. 

Western Digital My Cloud Pro Series PR4100 (Network Attached Storage device) 

In the PR4100, we discovered two zero-days which could be chained together to create an exploit using DoS (Denial of Service) and SSRF (Server-Side Request Forgery) to fully compromise the device, allowing arbitrary RCE (Remote Code Execution). 

For this successful attack we were awarded $40,000 for the zero-days and 4 Master of Pwn points towards the overall competition. (See the attempt video here)

Pentest Pwn2Own Toronto Western Digital My Cloud Pro Series PR4100

Samsung Galaxy S23 (Mobile handset)  

For the third year running, the team were able to fully compromise Samsung’s latest Galaxy mobile device – this year the S23, which is an outstanding achievement against the flagship device of one of the world’s largest tech companies. 

Using a single unique zero-day we were able to bypass an “Improper Input Validation” check on the device. This allowed us to install and launch an app without user consent in effect fully compromising the device.  

For this successful attack we were awarded $50,000 and 5 Master of Pwn points (See the attempt video here)

Pentest Pwn2Own Toronto Samsung Galaxy S23

The result  

With a lucky draw, all our entries taking place on the first day, we had managed to earn the most money and the 2nd most points on day one of the competition and could sit back and enjoy the rest of the competition safe in the knowledge that we’d done our bit, and that the demo gods had been kind to us. Ultimately, we finished the competition with an impressive 5th place finish in the Master of Pwn competition.

Pwn2Own Toronto 2023 Master of Pwn Final Leaderboard

Overall, it’s been an amazing result and we’ve learnt a huge amount, showing once again, we can compete against some of the best research teams in the world. And it doesn’t hurt to get some nice attention and make some headlines of the back of it: 

Bleeping Computer
Tech Radar
Security Affairs
Security Week
GB Hackers

Hopefully we can go further next year, target some more devices and go all out for that Master of Pwn title. Watch out world!

Looking for more than just a test provider?

Get in touch with our team and find out how our tailored services can provide you with the cybersecurity confidence you need.