Google challenges hackers to take on Chrome OS

Summary: Google is offering a pi--that's $3.14159 million--in prizes for cracking Chrome OS.

So you think you're a big-time hacker, huh? Well, Google is inviting you to show up at the CanSecWest security conference on March 7 in Vancouver, Canada, to see if you can crack your way into Chrome OS. And, to make it worth your time, Google is offering a pi worth of cash rewards. That's a total prize package of $3.14159 million. I thought that would get your attention.

Google's offering $3.14-million in cold cash to Chrome OS hackers. (Screenshot by Steven J. Vaughan-Nichols/ZDNet)

Along with supporting the Pwn2Own Web browser hacking competition, Google is inviting hackers to try their luck with Chrome OS. According to Chris Evans, the tech lead of the Google Chrome Security Team, Google is putting its Linux-based desktop operating system to the test because, "Security is one of the core tenets of Chrome, but no software is perfect, and security bugs slip through even the best development and review processes. That's why we've continued to engage with the security research community to help us find and fix vulnerabilities."

The rules of the game are: "The attack must be demonstrated against a base (Wi-Fi) model of the Samsung Series 5 550 Chromebook running the latest stable version of Chrome OS. Any installed software (including the kernel and drivers, etc) may be used to attempt the attack. For those without access to a physical device, note that the Chromium OS developer's guide offers assistance on getting up and running inside a virtual machine."

I've also written a helpful guide on running Chrome OS in a virtual machine. It's really not that hard.

In addition, the "Standard Pwnium rules apply: the deliverable is the full exploit plus accompanying explanation and breakdown of individual bugs used. Exploits should be served from a password-authenticated and HTTPS-supported Google property, such as Google App Engine. The bugs used must not be known to us or fixed on trunk. We reserve the right to issue partial rewards for partial, incomplete, or unreliable exploits."

At this time, only the Pwnium rules for the last go-around are available. Other than the details about the prize amounts, I expect the rules will otherwise be the same.

The prizes are:

  • $110,000: browser or system level compromise in guest mode or as a logged-in user, delivered via a web page.

  • $150,000: compromise with device persistence--guest to guest with interim reboot, delivered via a web page.

That's real money. I don't know about you, but if I were a serious security and operating system hacker, I'd be working on my hacks now and packing my bags for Vancouver.


Talkback

92 comments
  • Google challenges hackers to take on Chrome OS

    ChromeOS is based on Linux, Linux leaves the telnet port open by default, telnet into the laptop and use the default root login/password and it's cracked. I'll take my $3.14 million now, thanks Google.
    Loverock-Davidson
    • Is this telnet server compatible with the telnet server that's in

      Windows 2k & Windows XP?
      Anthony E
    • If it's so simple

      I assume it'll be cracked within minutes of the start of the competition.

      Then again, I doubt it's that simple.
      Michael Alan Goff
    • Check your facts

      Chrome does not come with telnet, just ssh. Now Windows 95 right through Windows 8, on the other hand, does come with telnet. I guess that's why Microsoft is not offering anything at pwn2own.
      anothercanuck
      • Actually

        On all of the above mentioned operating systems this telnet server is not installed by default and quite frankly I do not know many people that actually install it. The telnet client is also not installed by default, this one of course is one of the tools that is indispensable.
        sjaak327
        • Actually incorrect

          Windows 2k & Windows XP have telnet server installed by default. In services they are disabled. But all that it will take to enable them is go into services and enable or malware can do it for you.

          Older Linux distros had the option to install but have removed it in favor of SSHD.
          Anthony E
          • Oh well

            In any case in all of these instances it is not enabled by default. And in the case of XP (released in 2001 I might add) it is only installed on XP Pro, the home edition lacks the telnet server.
            sjaak327
    • a little kid trying to talk big!

      so what were you babbling? linux, telnet, login, root ok that's enough it's late now go to sleep!
      L3thargic
    • You forgot

      You have not mentioned for quite a while that Linux users need to compile their own software before they can use it. What is the matter, are you starting to lose it?
      D.T.Long
    • RE: I'll take my $3.14 million now

      Sorry, Mr. Davidson. All you'll get is a mud pie in the face. Why a mud pie? Because of all your mud-slinging towards everything Linux.
      Rabid Howler Monkey
    • Funny, but total fabrication

      I know you're seeing how many ignorant folks will follow you on this one. I just cannot let this one slide.

      No modern Linux distribution comes with a running telnet server, by default. The chromebooks do not even have an ssh daemon running on them. No standard servers on it at all.

      Have fun.
      sys_engineer
    • Linux hasn't left the telnet port open in years...

      In fact, most releases don't even include telnet in the standard distribution: you have to specifically download the package, and then update the firewall/ipchains to open the port.
      dh1760
    • Money talks; BS walks

      LD : You are welcome to attend CanSecWest and submit your exploit. I suspect your prize reward will be $0.
      S_Deemer
    • WOW LOL

      Thanks for the laugh guys :D

      -
      For those who think this is serious, well...
      mslinux
  • Coincidence? Significance?

    3.14159 is the mathematical constant Pi (someone can look up the ASCII code if they wish).

    Not a coincidence, but is there any significance to it?

    Maybe I'll collect $$ just for catching on?
    D.T.Long
    • No coincidence

      Google loves mathematical constants. Another recent example:

      "Cash Rules Everything Around Me In High Stakes Patent Auction, Google Bids Mathematical Constants"
      http://www.geekosystem.com/google-nortel-auction-pi/
      Rabid Howler Monkey
    • I'm gonna give you the benefit of the doubt...

      and assume that you were suggesting that Google has a product / app / OS version named Pi in the works. Seeing as the author already referenced pi in the article.
      mrefuman
    • Microsoft should

      respond with a very bold counter challenge offering some other no less fundamental constants* million to whoever hacks their Surface or Win8, choices might be:
      - (the mass of electron in kg)*million dollars
      - (the unv. gravitational constant G in N*(m/kg)^2) * million dollars
      .....
      eulampius
    • That's in the article.

      "Google is offering a pi worth of cash rewards." N/T
      TechNickle
  • Google putting its money where its OS is.

    I, for one, am proud of Google for putting their OS, and money, on the line at pwn2own 2013. I see the other big sponsor is HP. So where are Apple and Microsoft? Appears they are all talk, as here's an opportunity to put OS security to the test in a head-to-head competition, and Apple and Microsoft are nowhere to be seen.

    We have a word for that: cowardice.
    anothercanuck