Google's $2.7m Pwnium hackathon: Go break an ARM

This March, hackers can win some serious cash and have a go at hacking both ARM and Intel Chromebooks.


Google has announced the hosting of the fourth Pwnium competition, which will set hackers against Chrome OS-running ARM and Intel Chromebooks in order to earn some serious cash.

The hackathon, Pwnium 4, will take place this March at the CanSecWest security conference in Vancouver. The contest focuses on Chrome OS, and the tech giant will be offering a total of $2.71828 million in prizes -- a mathematically geeky figure, being the constant e -- for security researchers and white hat hackers who deliver compromises and exploits which successfully infiltrate the operating system.

In a blog post, Jorge Lucángeli Obes, Google Security Engineer and Master of Ceremonies, said that Pwnium rewards will be offered at a number of levels. Security researchers who demonstrate browser or system-level compromises in guest mode or as a logged-in user, delivered via web pages, are eligible for rewards of up to $110,000. Chrome OS exploits with "device persistence," guest-to-guest access with interim reboot and delivery via web pages can earn their developers up to $150,000.

This year, Google is also considering "significant" bonus rewards for particularly impressive or persistent exploits, such as defeating kASLR, exploiting memory corruption in the 64-bit browser process or exploiting the kernel directly from a renderer process.

In Pwnium 4, competitors can choose between an ARM-based Chromebook -- the HP Chromebook 11 -- or an Intel-based model, the Acer C720 Chromebook. Attacks must be demonstrated against these devices running stable versions of Chrome OS.

The announcement says that standard Pwnium rules apply, "the deliverable is the full exploit, with explanations for all individual bugs used (which must be unknown); and exploits should be served from a password-authenticated and HTTPS-supported Google App Engine URL."

If you're interested in registering, you can do so by emailing before 5pm PST, March 10th.

In related news, Google has recently shut down a researcher who claims an exploit he discovered could allow cyberattackers to spy on phone calls or other conversations using speech recognition and microphone features. Researcher Tal Ater reported the security flaw in September, and Google engineers later suggested patches to fix the exploit, which can be activated if a user accepts a request to enable speech recognition on a website. However, a patch was never issued.

Ater says this leaves Chrome vulnerable, whereas a Google spokesperson said: "The security of our users is a top priority, and this feature was designed with security and privacy in mind. We've re-investigated and this is not eligible for a reward, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C specification."