IT Pro
A senior UK-based cyber security researcher has been awarded $50,000 (£37,168) for successfully hacking a Samsung Galaxy S21 device using a novel exploit.
Sam Thomas, director of research at Pentest Limited, broke into one of Samsung’s premium smartphones while competing in Pwn2Own Austin, a regular hacking competition run by Trend Micro’s Zero Day Initiative (ZDI).
Thomas used a “unique three-bug chain” to compromise the Samsung Galaxy S21, a feat no other competitor was able to achieve.
Confirmed! Sam Thomas (@_s_n_t) from team Pentest Limited (@pentestltd) used a unique 3-bug chain to compromise the Samsung Galaxy S21. He earns himself $50,000 and 5 points towards Master of Pwn. His contest total is $90K and 9 points. #Pwn2Own #P2OAustin
— Zero Day Initiative (@thezdi) November 4, 2021
The precise methods Thomas used to compromise the device have not been detailed by either the researcher or the ZDI. IT Pro contacted Thomas for further information but he had not replied at the time of publication.
The researcher’s achievement came a day after two other researchers from Singapore-based STARLabs also successfully achieved code execution on the Samsung Galaxy S21.
In Pwn2Own competitions, researchers are required to enter a disclosure room with the affected vendor after the competition round is over to detail the vulnerability they exploited. At this stage, it was revealed that the bug the STARLabs researchers used to crack the smartphone was already known to Samsung, although not known to the public.
Because of this, the STARLabs researchers were given a reduced prize of $25,000 (£18,620). Thomas received the larger prize due to the novel nature of the exploit he used.
A day before Thomas’ Samsung success, he also showed how a different three-bug chain could be used to achieve code execution on a My Cloud Pro Series PR4100 network attached storage (NAS) device. The chain included an unsafe redirect and a command injection – a piece of work which earned Thomas a further $40,000 (£29,790) in prize money.
Pwn2Own tournaments see security experts compete against each other in a series of rounds over a number of days to accumulate prize money and ‘Master of Pwn’ points. The researcher with the most points wins the competition, a trophy, a champion’s jersey, and 65,000 ZDI points.
The ZDI points give the researcher Platinum status in the ZDI, meaning they receive a one-time payout of $25,000 (£18,620), a 25% bonus on rewards for any future vulnerability disclosures, and a 50% point multiplier for further discoveries.
At the time of writing, and with one day remaining in the event, Thomas sits in fourth place with a total of nine points and $90,000 (£66,960) in accumulated prize money.
The devices to be targeted in Pwn2Own competitions are chosen ahead of each event by the organisers. NAS drives were introduced last year and return this year, with printers also being included as a new addition to the competition.
Apple’s iPhone 12 and Google’s Pixel 5 were both in the smartphone category this year, but no attempts had been made on either of them at the time of writing.
The full list of device categories for Pwn2Own 2021 includes smartphones, printers, NAS drives, home automation, televisions, routers, and external SSDs.
So far, the ZDI has awarded $1,016,250 (£756,908) in prize money with a single day left to go.
In previous Pwn2Own events, high-profile disclosures have been seen in major products such as Microsoft Teams, Apple’s iPhone, Zoom, Adobe Reader, Oracle VirtualBox, Google Chrome and many more.
Some parts of this article are sourced from:
www.itpro.co.uk