Google's $2.7m Pwnium hackathon : Go break an ARM

Google's $2.7m Pwnium hackathon : Go break an ARM

Summary: This March, hackers can win some serious cash and have a go at hacking both ARM and Intel Chromebooks.

SHARE:
TOPICS: Security, Google
2
pinkie_pie_chrome

Google has announced the hosting of the fourth Pwnium competition, which will set hackers against Chrome OS-running ARM and Intel Chromebooks in order to earn some serious cash.

The hackathon, Pwnium 4, will take place this March at the CanSecWest security conference in Vancouver. The contest focuses on Chrome OS, and the tech giant will be offering a total of $2.71828 million in prizes -- mathematically geeky, being the constant e -- for security researchers and white hat hackers that deliver compromises and exploits which successfully infiltrate the operating system.

In a blog post, Jorge Lucángeli Obes, Google Security Engineer and Master of Ceremonies said that Pwnium rewards will be offered at a number of levels. Security researchers that demonstrate browser or system-level compromises in guest mode or as a logged-in user, delivered via web pages, are eligible for rewards of up to $110,000. Chrome OS exploits with "device persistence," guest-to-guest access with interim rebook and delivery via web pages can earn their developers up to $150,000.

This year, Google is also considering "significant" bonus rewards for particularly impressive or persistent exploits, such as defeating kASLR, exploiting memory corruption in the 64-bit browser process or exploiting the kernel directly from a renderer process.

In Pwnium 4, competitors can choose between an ARM-based Chromebook -- the HP Chromebook 11 -- or an Intel-based model, the Acer C720 Chromebook. Attacks must be demonstrated against these devices running stable versions of Chrome OS.

The announcement says that standard Pwnium rules apply, "the deliverable is the full exploit, with explanations for all individual bugs used (which must be unknown); and exploits should be served from a password-authenticated and HTTPS-supported Google App Engine URL."

If you're interested in registering, you can do so by emailing security@chromium.org before 5pm PST, March 10th.

In related news, Google has recently shut down a researcher who claims an exploit he discovered could allow cyberattackers to spy on phone calls or other conversations using speech recognition and microphone features. Researcher Tal Ater reported the security flaw in September, where Google engineers later suggested patches to fix the exploit, which can be activated if a user accepts a request to enable speech recognition on a website. However, a patch was never issued.

Ater says this leaves Chrome vulnerable, whereas a Google spokesperson said: "The security of our users is a top priority, and this feature was designed with security and privacy in mind. We've re-investigated and this is not eligible for a reward, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C specification."

Topics: Security, Google

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

2 comments
Log in or register to join the discussion
  • My Chromebook already hacked by Google

    Isn't my Chromebook basically a hack device for Google? I mean its all about Google and we know Google tracks everything or it would not require you to have a Google account to use a Chromebook. I have no doubt a Chromebook can be hacked but what would anyone gain from it? Much of the hacking would be to access a device that basically stores so little locally. Unless you could also gain access to Google drive for a user. The information on a Chromebook would be of little use. Of course my question after owning a Chromebook for about a year. Is what kind of security is Chrome OS really using? I can't really use a third party to scan for malware and I have had malware like Ransom attacks lock up Chrome browser and force a reboot. So their is some success even if it does not fully take over the device.
    JohnnyES-25227553276394558534412264934521
  • My Chromebook already hacked by Google

    Isn't my Chromebook basically a hack device for Google? I mean its all about Google and we know Google tracks everything or it would not require you to have a Google account to use a Chromebook. I have no doubt a Chromebook can be hacked but what would anyone gain from it? Much of the hacking would be to access a device that basically stores so little locally. Unless you could also gain access to Google drive for a user. The information on a Chromebook would be of little use. Of course my question after owning a Chromebook for about a year. Is what kind of security is Chrome OS really using? I can't really use a third party to scan for malware and I have had malware like Ransom attacks lock up Chrome browser and force a reboot. So their is some success even if it does not fully take over the device.
    JohnnyES-25227553276394558534412264934521