Apple 2.0

Mac news from outside the reality distortion field

Smartphones 1, Hackers 0


There were several $10,000 prizes at stake — as well as some free mobile phones — but at the end of the three-day Pwn2Own smartphone hacking contest at the big CanSecWest conference in Vancouver, British Columbia, which closed on Friday, none of the devices had been cracked.

The contest, sponsored by 3Com’s (COMS) TippingPoint computer security division, pitted some of the world's sharpest hackers and computer security experts against five smartphones: an Apple (AAPL) iPhone, a Research in Motion (RIMM) BlackBerry and phones running on Google’s (GOOG) Android, Microsoft’s (MSFT) Windows Mobile and Nokia’s (NOK) Symbian operating systems.

Although the rules were relaxed each day to make hacking easier, the phones managed to withstand the few attempts that were made to "pwn" them — Internet-gamer slang meaning to conquer or gain ownership.

The Web browsers were not so lucky. In a separate contest, now in its third year, the security barriers of Apple's Safari, Mozilla's Firefox and Microsoft's Internet Explorer were breached in the first day — Safari's in less than 10 seconds using an exploit prepared before the contest. The latest version of Microsoft's Web browser — IE8 — fell even before the browser's official release. Only Google's Chrome survived day one. See here.

It's not clear why the smartphones did so well and the browsers so badly. It may be that the devices are too new to have been studied closely. "There's a lot we don't know yet about them," Charlie Miller, the man who cracked Safari so quickly, told CNet's Elinor Mills (link). In fact, there were very few attempts made. Tipping Point's twitter feed mentioned only two: one against a BlackBerry and another against a Nokia phone running Symbian.

But there's no question that smartphones are vulnerable to attack. SearchSecurity.com reports that during one conference presentation a team from Core Security Technologies, a Boston-based penetration testing company, demonstrated how to crack into the iPhone, Google Android and Windows Mobile devices using something called a simulated stack overflow vulnerability.

According to Alfredo Ortega, one of the Core researchers, the iPhone had the most security features, making it the most difficult to crack. Windows Mobile, he said, was the easiest to defeat. (link)

When it’s not running contests, TippingPoint operates its Zero Day Initiative, in which it pays computer security specialists — also known as “white hat hackers” — a bounty for previously undiscovered vulnerabilities in return for a promise not to exploit them.

TippingPoint, in turn, notifies the vendor and simultaneously develops a patch that it offers to its security clients. Once the vendor has developed its own patch, TippingPoint and the vendor coordinate public disclosure. The researcher can either be given credit for the discovery or, if he or she prefers, remain anonymous.

See also: White hat hackers target the iPhone

Below the fold: the rules of the contest as posted on the CanSecWest website here.

Phones (and associated test platform)

  • Blackberry(TBA)
  • Android(Dev G1)
  • iPhone(locked 2.0)
  • Nokia/Symbian(N95-1)
  • Windows Mobile (HTC Touch)

Day 1 (Raw functionality out of the box, users configured for service) post phone, post email

  • SMS
  • MMS
  • Email (arrival only)
  • wifi on if default
  • bluetooth on if default
  • Radio stack

Day 2

  • All of Day 1
  • Email/SMS/MMS (reading only – no secondary actions)
  • wifi on
  • bluetooth on (not accept pairing by default. Paired with a headset. pairing process not visible)

Day 3

  • All of Day 1 and 2
  • one level of user interaction with default applications
  • bluetooth on (not accept pairing by default. Paired with a headset/other devices upon request. pairing process visible)

What is owned? Must demonstrate…

  • loss of information (user data)
  • incur financial cost

@George

What about CTF at DefCon? Heck there are many people from 3 letter agencies there, to learn from the talks and to recruit talent.

Posted By Amit Schaumburg, IL: March 23, 2009 10:55 AM

I'm pretty sure most hackers would be reluctant to show up for a contest… that would just make finding them easier for big business and the govt.

I'll have to go with Admiral Ackbar here, "It's a Trap!"

Posted By George, Opelika, AL: March 23, 2009 9:43 AM

Most of the hackers do what they do just for fun, some of them get paid, that's all

Posted By Tomás, Colón, Argentina: March 22, 2009 2:20 PM

RE: last comment by Anonymous (Do you think that someone will hack into these phones for a measly 10,000.00. People spend more money on a computer set up. Add up the ante to 500,000.00 and you will be closer.)

You're wrong. Hackers are like Analysts and bloggers; they will do anything or say anything to get attention.

ex ped: I don't know about the attention part, but the same guys were willing to hack Safari, IE8 and Firefox for a measly $5,000 per exploit.

Posted By Don Bowey, Washougal WA -dbowey@comcast.net: March 22, 2009 11:18 AM

PED The image implies that the iPhone was pwnd. Perhaps something less controversial perhaps.

Posted By Anonymous: March 21, 2009 9:05 PM

Do you think that someone will hack into these phones for a measly 10,000.00. People spend more money on a computer set up. Add up the ante to 500,000.00 and you will be closer.

Posted By Jonathan, miami fl: March 21, 2009 5:50 PM

Philip Elmer-DeWitt
Steve Jobs, goes the old joke at Apple, is surrounded by a reality distortion field; get too close and you believe what he's saying. Apple has made believers out of millions of customers — and made a lot of investors rich — but Philip Elmer-DeWitt believes that an ounce of skepticism never hurts when writing about the company. He should know. He's been covering Apple – and watching Steve Jobs operate — since 1982.