Pwn2Own 2010: Bulls-eye on smartphones, browsers

Pwn2Own 2010: Bulls-eye on smartphones, browsers

Summary: This year's CanSecWest Pwn2Own contest are offering up an whopping $60,000 in prizes to entice hackers to exploit vulnerabilities on iPhones, Android, Nokia and BlackBerry smartphones.

SHARE:

The organizers of this year's CanSecWest Pwn2Own challenge have painted a big bulls-eye on mobile devices, offering up an whopping $60,000 in prizes to entice hackers to exploit vulnerabilities on iPhones, Android, Nokia and BlackBerry smartphones.

At Pwn2Own 2010, which takes place in Vancouver on March 24, 2010, contest sponsors TippingPoint ZDI has set the booty at US$100,000 with two main technology targets -- smartphones and Web browsers/OS pairings.

According to ZDI's Aaron Portnoy, the big focus this year will be on vulnerabilities affecting mobile devices.

The second portion of Pwn2Own 2010 offers bounties for vulnerabilities affecting mobile phones. The increased presence and capabilities of smart phones has brought with it the same security issues and attention traditionally reserved for non hand-held platforms. Vulnerabilities in parsing media, dynamic web content, e-mail, and other client-side issues have been published in the past. Additionally, many of the communication protocols that mobile phones implement are the focus of a burgeoning field of security research (ex: Lackey, Langlois, Bailey).

Portnoy said that $60,000 of the total $100,000 cash prize pool is set aside for the mobile phone portion of the contest, with each target worth $15,000.

He said a  successful hack on these targets must result in code execution with little to no user-interaction. The targets this year are:

  • Apple iPhone 3GS
  • RIM Blackberry Bold 9700
  • A Nokia device running Symbian S60 (likely the E62)
  • A Motorola phone running Android (likely the Droid)

Mobile phones were in play at last year's contest but there was little activity from hackers. Instead, the security researchers focused mainly on Web browsers, bringing down the three main browsers -- Internet Explorer, Firefox and Safari -- on the first day.

The remainding $40,000 will be assigned to targets this year that include the latest versions of Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safari.

The browsers will be paired with a fully patched operating system. On day one, Portnoy said the following targets will be in play:

  • Microsoft Internet Explorer 8 on Windows 7
  • Mozilla Firefox 3 on Windows 7
  • Google Chrome 4 on Windows 7
  • Apple Safari 4 on MacOS X Snow Leopard

On the second day, older OS versions will be added to the mix:

  • Microsoft Internet Explorer 7 on Windows Vista
  • Mozilla Firefox 3 on Windows Vista
  • Google Chrome 4 on Windows Vista
  • Apple Safari 4 on MacOS X Snow Leopard

The contest will be expanded on Day 3 to include even older OS/browser pairings:

  • Mozilla Firefox 3 on Windows XP
  • Google Chrome 4 on Windows XP
  • Apple Safari 4 on MacOS X Snow Leopard

ALSO READ:

Topics: Security, Apple, Software, Smartphones, Operating Systems, Mobility, Microsoft, Hardware, Browser, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

19 comments
Log in or register to join the discussion
  • Let's See How Apple Fairs.

    It will be interesting to see how Apple will fair this year. The last two years were not very kind with OS X and Safari.
    mikefarinha
  • Nice!

    Let's compare a phone that just came out with one that's already matured over several generations. Great idea!
    AzuMao
  • @AzuMao: What are you referring to?

    Nt
    PlayFair
    • Android vs iPhone

      [b] [/b]
      AzuMao
  • Typo or intentional?

    "Apple Safari 4 on MacOS X Snow Leopard" is listed under "fully patched", "older OS/browser" and "even older OS/browser".

    As well, why isn't Fx being tested on anything but MS OS's?
    rtk
    • I was wondering that, too...

      I was wondering that, too. Shouldn't it be Safari 4 on 10.5 and 10.4?
      olePigeon
  • Hacked in this order

    in computer OS- 1) M$ IE8 on Windoze 7 - 2) Safari Snow Leopard - 3) Firefox on Windoze 7

    on phones- 1) Apple iPhone - 2) RIM Blackberry 3) Symbian S60
    Ron Bergundy
    • Do me a favor

      While you're at the prognostication, tell me what 6 numbers to play in the Lotto this week!

      :D
      use_what_works_4_U
    • Last 2 years OS-X fell first and quickly

      We'll see this year.

      Note Windows fell through 3rd party plug-in Quicktime (an apple product).

      Many of the hacks on Windows utilize non-microsoft apps. QuickTime, Adobe Flash and PDF files, Not directly through the OS and browser on there own.

      The browser that was most resistant was Chrome even on Windows.

      Champion Pwn2Own Charlie Miller had good things to say about windows security.
      DevGuy_z
    • Wrong info

      Apple will be the first to fall, as it has every year so far.

      Also it should be noted that IE8 only fell because it was in beta last year, if they had held off one day the hack that was used would not have worked (when IE8 went live).

      Wonder why they are not doing Linux this year.
      Cobra7fac
      • Too much work to crack it. nt

        nt
        T1Oracle
    • You got it wrong linooze head all the way

      First to fall always is: OS X
      then anything Open Source of course.

      Just google "most vulnerable" and see what comes back...

      And while you're at it can you explain this: (Why Linux/Unix vulnerabilities always hover at 3x those of Windows?)


      ========================================================================

      The Secunia Weekly Advisory Summary
      2009-12-31 - 2010-01-07

      This week: 81 advisories

      ========================================================================
      This weeks Secunia Advisories had the following spread across platforms and criticality ratings:

      Platforms:
      Windows : 10 Secunia Advisories
      Unix/Linux : 27 Secunia Advisories
      Other : 3 Secunia Advisories
      Cross platform : 41 Secunia Advisories

      Criticality Ratings:
      Extremely Critical : 0 Secunia Advisories
      Highly Critical : 11 Secunia Advisories
      Moderately Critical : 32 Secunia Advisories
      Less Critical : 35 Secunia Advisories
      Not Critical : 3 Secunia Advisories

      ========================================================================

      ========================================================================

      The Secunia Weekly Advisory Summary
      2010-01-07 - 2010-01-14

      This week: 63 advisories

      ========================================================================
      Platforms:
      Windows : 6 Secunia Advisories
      Unix/Linux : 27 Secunia Advisories
      Other : 2 Secunia Advisories
      Cross platform : 28 Secunia Advisories

      Criticality Ratings:
      Extremely Critical : 1 Secunia Advisory
      Highly Critical : 12 Secunia Advisories
      Moderately Critical : 14 Secunia Advisories
      Less Critical : 35 Secunia Advisories
      Not Critical : 1 Secunia Advisory

      ========================================================================
      ========================================================================

      The Secunia Weekly Advisory Summary
      2010-01-14 - 2010-01-21

      This week: 54 advisories

      ========================================================================
      Platforms:
      Windows : 10 Secunia Advisories
      Unix/Linux : 21 Secunia Advisories
      Other : 2 Secunia Advisories
      Cross platform : 21 Secunia Advisories

      Criticality Ratings:
      Extremely Critical : 1 Secunia Advisory
      Highly Critical : 5 Secunia Advisories
      Moderately Critical : 21 Secunia Advisories
      Less Critical : 25 Secunia Advisories
      Not Critical : 2 Secunia Advisories

      ========================================================================
      ========================================================================

      The Secunia Weekly Advisory Summary
      2010-01-21 - 2010-01-28

      This week: 56 advisories

      ========================================================================
      Platforms:
      Windows : 2 Secunia Advisories
      Unix/Linux : 28 Secunia Advisories
      Other : 3 Secunia Advisories
      Cross platform : 23 Secunia Advisories

      Criticality Ratings:
      Extremely Critical : 0 Secunia Advisories
      Highly Critical : 6 Secunia Advisories
      Moderately Critical : 21 Secunia Advisories
      Less Critical : 24 Secunia Advisories
      Not Critical : 5 Secunia Advisories

      ========================================================================

      Want more???

      Oh, it's like this in February 2010. And it was like that in 2009, and 2008, and 2007.

      Care to explain why you Linooze / OS X freaks don't get your heads out of your b....???
      WinTard
      • How can you expect to be taken seriously...

        When your name is a derogatory term. I've told you before wintard is a
        portmanteau of "Windows and Retard!"
        webmaster@...
    • "Windoze"? What is that? (nt)

      nt
      Hallowed are the Ori
  • Call a bookie!!!

    Put a grand on Apple across the board to be the first to fall.

    It'll likely be the easiest money you ever make.
    Hallowed are the Ori
  • RE: Pwn2Own 2010: Bulls-eye on smartphones, browsers

    why linux os never comes into pic in case of browser wars?!
    always windows os !!!!!!
    skbhat03
    • Because Apple and MS pay them not to include it.

      [b] [/b]
      AzuMao
  • No Windows Mobile?

    What is with the exclusion of Windows Mobile in the
    smartphone arena? Surely it is vulnerable as well and is
    in widespread use. What gives!
    bpunk88
  • RE: Pwn2Own 2010: Bulls-eye on smartphones, browsers

    Well done! Thank you very much for professional templates and community edition
    <a href="http://www.yuregininsesi.com">sesli sohbet</a> <a href="http://www.yuregininsesi.com">sesli chat</a>
    efsane