Chainspotting 2: The Unofficial Sequel to the 2018 Talk "Chainspotting"

Ken Gannon

OffensiveCon 2025 · Day 1 · Main

Ken Gannon was the sole phone entrant at Pwn2Own Ireland 2024 and successfully compromised the Samsung Galaxy S24 using an unbroken chain of five logic bugs, with zero memory corruption required. Starting from a browsable intent vulnerability in Samsung Gaming Hub (version 7.1.01.7), the chain exploits a JavaScript enable bypass, an arbitrary intent launch primitive, and an unsigned-APK installation flaw in Samsung Smart Switch Agent (version 2.0.002.24) to install and launch Drozer on the target device.

AI review

Five chained logic bugs, zero memory corruption, one-click Samsung Galaxy S24 compromise demonstrated live at Pwn2Own — and Gannon was the only researcher who bothered to show up for phones. The `startsWith()` JavaScript whitelist bypass is embarrassing for Samsung, the `intent://` C2 channel is a clever force-multiplier primitive, and the whole chain is a masterclass in methodical attack surface expansion. Strong accept.
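The abstract's "JavaScript enable bypass" and the review's `startsWith()` allowlist remark describe a well-known weak-check pattern: a WebView decides whether to enable JavaScript by testing whether a host string *starts with* a trusted name, so any host that merely begins with that name passes. The block below is an added model of that bug class and its hardened replacement; it is not code from the talk, from Samsung Gaming Hub, or from the Galaxy S24 chain, and the host names, URLs and function names are constructed for illustration only. The real check lives in Android Java; Python is used here so the comparison runs stand-alone.

```python
"""Model of a 'startsWith' host-allowlist check beside a hardened version.
Added illustration only: not the talk's, not Samsung's. All hosts and URLs
below are constructed for this example."""
from urllib.parse import urlsplit

# Hypothetical allowlisted origin for which JavaScript may be enabled.
ALLOWED_HOSTS = ("trusted.example.com",)


def js_allowed_weak(url: str) -> bool:
    """Weak check of the startsWith shape.

    The host only has to *begin with* a trusted name, so an attacker-owned
    host such as trusted.example.com.attacker.example passes, and the
    scheme is never looked at.
    """
    host = urlsplit(url).hostname or ""
    return any(host.startswith(trusted) for trusted in ALLOWED_HOSTS)


def js_allowed_hardened(url: str) -> bool:
    """Hardened check: https only, exact host match, or a genuine
    subdomain delimited by a dot. Trailing dots and case are normalised
    before comparison so 'TRUSTED.example.com.' cannot dodge the match."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return any(host == trusted or host.endswith("." + trusted)
               for trusted in ALLOWED_HOSTS)


# Constructed sample inputs: legitimate, lookalike, downgrade, subdomain,
# and a userinfo trick that a naive string check on the raw URL would miss.
SAMPLE_URLS = [
    "https://trusted.example.com/page",
    "https://trusted.example.com.attacker.example/",
    "https://trusted.example.comattacker.example/",
    "http://trusted.example.com/page",
    "https://sub.trusted.example.com/",
    "https://trusted.example.com@attacker.example/",
]


def evaluate(urls):
    """Return {url: (weak_verdict, hardened_verdict)} for each sample URL."""
    return {u: (js_allowed_weak(u), js_allowed_hardened(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, hard) in evaluate(SAMPLE_URLS).items():
        print(f"{url:50} weak={weak!s:5} hardened={hard!s:5}")
```

The two lookalike hosts and the plain-http downgrade are exactly the inputs where the verdicts diverge: the weak check enables JavaScript for all three, the hardened one for none. Matching on `host == trusted or host.endswith("." + trusted)` after parsing, rather than on a prefix of the string, is the whole fix.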
