Researcher awarded $50,000 for discovering Samsung Galaxy S21 hack

UK researcher Sam Thomas won the Pwn2Own bounty using a "unique three-bug chain"
Samsung Galaxy S21 Ultra 5G

5 November 2021

A senior UK-based cyber security researcher has been awarded $50,000 for successfully hacking a Samsung Galaxy S21 device using a novel exploit.

Sam Thomas, director of research at Pentest Limited, broke into one of Samsung’s premium smartphones while competing in Pwn2Own Austin, a regular hacking competition run by Trend Micro’s Zero Day Initiative (ZDI).

Thomas used a “unique three-bug chain” to compromise the Samsung Galaxy S21, a feat no other competitor was able to achieve.




The specific methods Thomas used to achieve compromise the device have not been detailed by either the researcher or the ZDI.

The researcher’s success came a day after two other researchers from Singapore-based StarLabs also successfully achieved code execution on the Samsung Galaxy S21.

In Pwn2Own competitions, researchers are required to enter a disclosure room with the affected vendor after the competition round is over to detail the vulnerability they exploited. At this stage, it was revealed that the bug StarLabs researchers used to break the smartphone was already known to Samsung, though not known to the public.

Because of this, the STARLabs researchers were given a reduced prize of $25,000 (£18,620). Thomas received the biggest prize due to the novel nature of the exploit he used.

A day before Thomas’ Samsung success, he also demonstrated how a different three-bug chain could be used to achieve code execution on a My Cloud Pro Series PR4100 network attached storage (NAS) device. The chain included an unsafe redirect and a command injection – a piece of work which earned Thomas a further $40,000 in prize money.

Pwn2Own tournaments see security experts compete against each other in a series of rounds over a number of days to accumulate prize money and ‘Master of Pwn’ points. The researcher with the most points wins the competition, a trophy, a champion’s jersey, and 65,000 ZDI points.

The ZDI points give the researcher Platinum status in the ZDI, meaning they receive a one-time payout of $25,000, a 25% bonus on rewards for any future vulnerability disclosures, and a 50% point multiplier for further discoveries.

At the time of writing, and with one day remaining in the event, Thomas sits in fourth place with a total of nine points and $90,000 in accumulated prize money.

The devices to be targeted in Pwn2Own competitions are chosen before each event by the organisers. NAS drives were introduced last year, returning this year, with printers also being included as a new addition to the competition.

Apple’s iPhone 12 and Google’s Pixel 5 were both in the smartphone category for this year, but no attempts had been made on either of them at the time of writing.

The full list of device categories for Pwn2Own 2021 includes smartphones, printers, NAS drives, home automation, televisions, routers, and external SSDs.

So far, the ZDI has awarded $1,016,250 (£756,908) in prize money with one day left to go.

In previous Pwn2Own events, high-profile disclosures have been found in major products such as Microsoft Teams, Apple’s iPhone, Zoom, Adobe Reader, Oracle VirtualBox, Google Chrome and many more.

Future Publishing

Read More:

Back to Top ↑