Researcher awarded $50,000 for discovering Samsung Galaxy S21 hack

A photograph of the Samsung Galaxy S21 5G's camera array
(Image credit: IT Pro)

A senior UK-based cyber security researcher has been awarded $50,000 (£37,168) for successfully hacking a Samsung Galaxy S21 device using a novel exploit.

Sam Thomas, director of research at Pentest Limited, broke into one of Samsung's premium smartphones while competing in Pwn2Own Austin, a regular hacking competition run by Trend Micro's Zero Day Initiative (ZDI).

Thomas used a "unique three-bug chain" to compromise the Samsung Galaxy S21, a feat no other competitor was able to achieve.

The specific methods Thomas used to achieve compromise the device have not been detailed by either the researcher or the ZDI. IT Pro contacted Thomas for further details but he did not reply at the time of publication.

The researcher's success came a day after two other researchers from Singapore-based STARLabs also successfully achieved code execution on the Samsung Galaxy S21.

In Pwn2Own competitions, researchers are required to enter a disclosure room with the affected vendor after the competition round is over to detail the vulnerability they exploited. At this stage, it was revealed that the bug STARLabs researchers used to break the smartphone was already known to Samsung, though not known to the public.

Because of this, the STARLabs researchers were given a reduced prize of $25,000 (£18,620). Thomas received the biggest prize due to the novel nature of the exploit he used.

A day before Thomas' Samsung success, he also demonstrated how a different three-bug chain could be used to achieve code execution on a My Cloud Pro Series PR4100 network attached storage (NAS) device. The chain included an unsafe redirect and a command injection - a piece of work which earned Thomas a further $40,000 (£29,790) in prize money.

Pwn2Own tournaments see security experts compete against each other in a series of rounds over a number of days to accumulate prize money and 'Master of Pwn' points. The researcher with the most points wins the competition, a trophy, a champion's jersey, and 65,000 ZDI points.

The ZDI points give the researcher Platinum status in the ZDI, meaning they receive a one-time payout of $25,000 (£18,620), a 25% bonus on rewards for any future vulnerability disclosures, and a 50% point multiplier for further discoveries.

At the time of writing, and with one day remaining in the event, Thomas sits in fourth place with a total of nine points and $90,000 (£66,960) in accumulated prize money.


Explaining the UK’s supply chain crisis

Sample our exclusive Business Briefing content


The devices to be targeted in Pwn2Own competitions are chosen before each event by the organisers. NAS drives were introduced last year, returning this year, with printers also being included as a new addition to the competition.

Apple's iPhone 12 and Google's Pixel 5 were both in the smartphone category for this year, but no attempts had been made on either of them at the time of writing.

The full list of device categories for Pwn2Own 2021 includes smartphones, printers, NAS drives, home automation, televisions, routers, and external SSDs.

So far, the ZDI has awarded $1,016,250 (£756,908) in prize money with one day left to go.

In previous Pwn2Own events, high-profile disclosures have been found in major products such as Microsoft Teams, Apple's iPhone, Zoom, Adobe Reader, Oracle VirtualBox, Google Chrome and many more.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.