Pwn2Own hacker contest targets browsers, smart phones

Pwn2Own hacker contest targets browsers, smart phones

Summary: After two straight years of taking dead aim at Macbooks and Windows-powered machines, hackers at this year's CanSecWest conference will have shiny new targets:  Web browsers and mobile phones.According to CanSecWest organisers, there will be two separate Pwn2Own competitions this year -- one pitting hackers against IE8, Firefox 3 and Safari and another targeting Google Android, Apple iPhone, Nokia Symbian and Windows Mobile.

SHARE:

After two straight years of taking dead aim at Macbooks and Windows-powered machines, hackers at this year's CanSecWest conference will have shiny new targets:  Web browsers and mobile phones.

According to CanSecWest organisers, there will be two separate Pwn2Own competitions this year -- one pitting hackers against IE8, Firefox 3 and Safari and another targeting Google Android, Apple iPhone, Nokia Symbian and Windows Mobile.

[ SEE: 10 questions for MacBook hacker Dino Dai Zovi ]

On the browser side, the IE vs Firefox battle is sure to grab headlines although I'm not quite sure why Opera or Google's Chrome was not included in the target list.

The rules of engagement are not yet available but it's a safe bet that a successful attacker would have to exploit a zero-day vulnerability to gain full access to the target computer.

CanSecWest organizers plan to Sony VAIO P running Windows 7 as the platform for the contest.  The successful hacker gets to keep the machine.

[ SEE: Google Android vulnerable to drive-by browser exploit ]

The second contest -- against mobile phone platforms -- will be another closely watched affair.  Hackers have already successfully infiltrated the iPhone and Android platforms and there are known security problems in Symbian and Windows Mobile so we're likely to see a lot of attention paid to this contest.

In 2007, New York-based security researcher Dino Dai Zovi teamed up with Shane Macaulay to hijack a MacBook Pro via a flaw in Apple's QuickTime software.    A year later, hacker Charlie Miller needed just two minutes to exploit a Safari bug to win that contest.

Alex Sotirov also partnered with Macaulay in 2008 to exploit an Adobe Flash vulnerability on a Windows Vista box.  (Thanks to NonZealot for the correction).

* Image source: Channy Yun's Flickr photostream (Creative Commons 2.0)

Topics: Operating Systems, Apple, Browser, Hardware, Mobility, Security, Smartphones, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

35 comments
Log in or register to join the discussion
  • Big correction

    [i]Alex Sotirov also partnered with Macaulay in 2008 to exploit a Windows Vista vulnerability.[/i]

    It was not a Vista vulnerability, it was a Flash vulnerability. The [b]only[/b] OS to fall in its out of the box (plus fully patched) configuration was OS X. Try as they might, no one could break into Vista (or Linux) in its out of the box fully patched configuration. On day 3, you were allowed to install popular 3rd party applications and it was only after installing Flash and taking advantage of a Flash vulnerability that the machine was PWNed. So it is incorrect to say it was a Vista vulnerability. It was a Flash vulnerability.
    NonZealot
    • Corrected

      Yup, you're absolutely right. I've corrected and thanked you on the blog.

      _r
      Ryan Naraine
    • I'm betting Vista will be owned in no time.

      Considering the Conficker worm is making it's rounds.
      Intellihence
      • Windows was patched BEFORE Conficker came out

        Sorry, the rules of PWN2OWN clearly state that all machines are fully patched. No fully patched Vista machine is getting hit with Conficker without the user manually granting it elevated privileges.
        NonZealot
    • Was it only with Windows and not Linux?

      Was it only able to overtake the Windows box
      using the "Flash" vulnerability or could it also
      use the same vulnerability to take over Linux?

      Thanks.
      Joe.Smetona
      • The authors claimed it would work cross platform

        and since it was patched across all platforms to fix the vulnerability, we can assume Adobe at least believed it would've also worked on Linux.
        rtk
        • Yea

          The software doesn't undergo major changes for different platforms. If you can break it on one OS, there's a fair chance you can do it on another as you're targeting the software. The OS doesn't have anything to do with it for the most part.
          Chrissd
  • Reason chrome and opera aren't included...

    Even though they're mainstream, no one cares about them, and csw is about marketing and sales, just like any other conference.
    Spiritusindomit
    • I think they should include Opera for two reasons...

      1) This way they won't complain to the EU that CanSecWest is leaving them out.

      2) This way, when they get pwnd, Microsoft can present that to the EU as proof as to why MS shouldn't have to bundle them. (OK, come on, bring on the flames about IE, but it's MICROSOFT'S IE, so they can bundle it with MICROSOFT'S OS. Let Opera create their own OS and get OEMs to bundle their browswer.)
      MGP2
      • Thank you!

        Let MS bundle what they want with Windows. Let Linux distros bundle Firefox if they want, or Opera, or Chrome, or whatever suits their fancy. Let Apple bundle their browser with OS X. To say the browser should not be included with an OS is completely assanine. Maybe back in '98 that was a legitimate argument, in the modern day it's not. And IE has 60-70% of the market now depending on who's numbers you look at. Apparently if you make a better browser it will be successful. Bundling had nothing to do with the demise of Netscape, being a terrible browser did.
        LiquidLearner
        • complaint against MS isn't bundling

          The biggest beef the competitors have is that MS has stated under oath
          that IE is part of the OS and would be too difficult to remove without
          damaging the rest of the OS. The ability to bundle is NOT the issue.
          Having a browser as part of the OS and it is the only one to use the 'cool'
          abilities only MS knows about is at the heart of the complaints. The
          competition wants to have access to all the same APIs and give the
          consumer the option to use a different browser without being forced to
          use IE. Most new users have no clue they can d/l another browser so the competition wants to have theirs bundled with the OS so users can
          choose.
          Mr_Dave
          • Not quite..

            The complaint is that IE is bundled with Windows.

            Yes, MS says removing would be difficult but they're trying to keep from having to give free advertising to other browsers. They are slightly right however.. IE is linked to quite a bit in the OS that other browsers do not support. But people are still free to download and install other browsers. Most just -choose- not to. Hence the lawsuit. Which is rather pathetic.. MS should be able to bundle what they want.. Opens up a lot of possibilities if MS lose though.
            Chrissd
  • Hence why I don't use flash...

    or quicktime, or the JRE, or firefox, or any of the other overrated or overhyped technologies.
    Spiritusindomit
    • That's no way to live

      I hope you enjoy your static command line life. Btw, those water towers out in the field aren't spaceships.
      fredaaa6
      • Many of us

        don't care for the glitz and glam, we just want to access content and move on. Many of us are annoyed by the flashy carp and want a simple interface to read what is important to us and move on.

        Maybe you like shiny baubles and pointless features that more often than not detract from the end run, but there are a lot of us that don't have the time nor the inclination to be bothered with it. We just want what we are after and with no frills or BS. ]:)
        Linux User 147560
      • LOL!

        lol
        Pembo
      • Good one, Fred :)

        I don't mind a little flash. With some websites, you need it.

        No need to be a total Luddite...
        hasta la Vista, bah-bie
    • I guess you don't use...

      any Web browser, either.
      msalzberg
      • He/she is using Lynx (nt)

        <a href="http://en.wikipedia.org/wiki/File:Lynx-wikipedia.png" target="_blank">Lynx</a> Web browser

        ]:)
        n0neXn0ne
    • No flash or JRE>

      Dude.. You are missing out..

      Also, "other overrated or overhyped technologies"?

      I'd hate to see what computer you're running on.. :p

      And one minor question.. Are you over 50? No offense meant. You just sound like my grandparents.
      Chrissd