Security

Samsung Galaxy S22 Hacked Again On Second Day of Pwn2Own (bleepingcomputer.com) 18

Contestants hacked the Samsung Galaxy S22 again during the second day of the consumer-focused Pwn2Own 2022 competition in Toronto, Canada. They also demoed exploits targeting zero-day vulnerabilities in routers, printers, smart speakers, and Network Attached Storage (NAS) devices from HP, NETGEAR, Synology, Sonos, TP-Link, Canon, Lexmark, and Western Digital. BleepingComputer reports: Security researchers representing the vulnerability research company Interrupt Labs were the ones to demonstrate a successful exploit against Samsung's flagship device on Wednesday. They executed an improper input validation attack and earned $25,000, 50% of the total cash award, because this was the third time the Galaxy S22 was hacked during the competition.

On the first day of Pwn2Own Toronto, the STAR Labs team and a contestant known as Chim demoed two other zero-day exploits as part of successful improper input validation attacks against the Galaxy S22. In all three cases, according to the contest rules, the devices ran the latest version of the Android operating system with all available updates installed.

The second day of Pwn2Own Toronto wrapped up with Trend Micro's Zero Day Initiative awarding $281,500 for 17 unique bugs across multiple categories. This brings the first two days of Pwn2Own total to $681,250 awarded for 46 unique zero-days, as ZDI's Head of Threat Awareness Dustin Childs revealed. The full schedule for Pwn2Own Toronto 2022's second day and the results for each challenge are available here. You can also find the complete schedule of the competition here.

  • ...to use a proper patched OS, like lineages.org, is so good (Android distributions from the makers of the devices are, generally, full of stupid system apps with tons of unnecessary permissions...)
  • by RemindMeLater ( 7146661 ) on Thursday December 08, 2022 @08:42PM (#63115286)
    $25k for a zero day of one of the world's most popular phones? Almost insulting. Samsung should add another zero at least.
  • by bjwest ( 14070 ) on Friday December 09, 2022 @01:39AM (#63115730)

    I bought an S22 back in August after my LG G8 started acting up. I was torn between the S22, Pixel 6 or waiting a few months for the Pixel 7, but I was tired of dealing with the problems that the LG had developed, so I wanted a new phone now. The Pixel 6 was still having reported problems, and I didn't want to purchase the 7 right out of the door in case it did as well, so decided to go with the Samsung S22, which I purchased unlocked directly from Samsung. My last Samsung was the S4, which I'd kept for five years or so before moving on, and I've had a few Samsung tablets. I never have liked One UI, but deal with it on the tablets, and figured I'd get used to it on the phone, which I have, but still don't care for it.

    After reading about this security issue with Samsung's phones, I'm done with them. Yesterday, I ordered a Pixel 7 direct from Google. They offered me a $600 trade in from my S22, which left the Pixel 7 costing me $155 including tax.

    TLDR: Fuck Samsung.

    • Good for you. Now as soon as you get it, you should install lineage or graphene. I run lineage on a bunch of older samsungs, and a nexus4 and love it. Fast and reliable in my experience. I've read credibly good things about graphene, but can't recommend from personal use yet.

      Put wireguard on, connect to your own VPN, and don't forget to encrypt your DNS lookups, and you have the best online privacy you can reasonably achieve.

      I can't say much about the security of the device itself, but I think graphene addr
  • Repeat after me... Samsung can't "do" software.

    They're good at hardware (for sure), they're also quite good at picking features to offer, but every single time... their software sucks.

  • Wait, does this mean there could be a way to install F-Droid and have it do updates itself, without regular rooting?
