Pwn2Own 2010: Bulls-eye on smartphones, browsers

The organizers of this year's CanSecWest Pwn2Own challenge have painted a big bulls-eye on mobile devices, offering up an whopping $60,000 in prizes to entice hackers to exploit vulnerabilities on iPhones, Android, Nokia and BlackBerry smartphones.

At Pwn2Own 2010, which takes place in Vancouver on March 24, 2010, contest sponsors TippingPoint ZDI has set the booty at US$100,000 with two main technology targets -- smartphones and Web browsers/OS pairings.

According to ZDI's Aaron Portnoy, the big focus this year will be on vulnerabilities affecting mobile devices.

The second portion of Pwn2Own 2010 offers bounties for vulnerabilities affecting mobile phones. The increased presence and capabilities of smart phones has brought with it the same security issues and attention traditionally reserved for non hand-held platforms. Vulnerabilities in parsing media, dynamic web content, e-mail, and other client-side issues have been published in the past. Additionally, many of the communication protocols that mobile phones implement are the focus of a burgeoning field of security research (ex: Lackey, Langlois, Bailey).

Portnoy said that $60,000 of the total $100,000 cash prize pool is set aside for the mobile phone portion of the contest, with each target worth $15,000.

He said a  successful hack on these targets must result in code execution with little to no user-interaction. The targets this year are:

• Apple iPhone 3GS
• RIM Blackberry Bold 9700
• A Nokia device running Symbian S60 (likely the E62)
• A Motorola phone running Android (likely the Droid)

Mobile phones were in play at last year's contest but there was little activity from hackers. Instead, the security researchers focused mainly on Web browsers, bringing down the three main browsers -- Internet Explorer, Firefox and Safari -- on the first day.

The remainding $40,000 will be assigned to targets this year that include the latest versions of Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safari.

The browsers will be paired with a fully patched operating system. On day one, Portnoy said the following targets will be in play:

• Microsoft Internet Explorer 8 on Windows 7
• Mozilla Firefox 3 on Windows 7
• Google Chrome 4 on Windows 7
• Apple Safari 4 on MacOS X Snow Leopard

On the second day, older OS versions will be added to the mix:

• Microsoft Internet Explorer 7 on Windows Vista
• Mozilla Firefox 3 on Windows Vista
• Google Chrome 4 on Windows Vista
• Apple Safari 4 on MacOS X Snow Leopard

The contest will be expanded on Day 3 to include even older OS/browser pairings:

• Mozilla Firefox 3 on Windows XP
• Google Chrome 4 on Windows XP
• Apple Safari 4 on MacOS X Snow Leopard

ALSO READ:

• Pwn2Own 2009: Safari/MacBook falls in seconds
• Questions for Pwn2Own hacker Charlie Miller
• Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari
• Nils2Own: 'I want to see security flaws fixed'