Linux triumphant: Chrome OS resists cracking attempts

Linux, once again, proved to be far more secure than most other operating systems as Google's Linux-based Chrome OS shrugged off its attackers at the $3.14-million Pwnium cracking competition.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

The Chrome web browser on Windows is breakable, but its little brother, the Linux-based Chrome OS, proved to be essentially uncrackable at the CanSecWest conference in Vancouver, Canada,

Google's Linux-based Chrome OS defied attempts to crack it in the Pwnium hacking competition.
Image: Google

In a separate security contest from the HP Zero Day Initiative's (ZDI) Pwn2Own competition, Microsoft's IE 10, Google's Chrome, and Mozilla's Firefox web browsers were all cracked. Java was also cracked multiple times.

In addition, Google is offering a total prize package of $3.14159 million in its own Pwnium 3 Chrome OS cracking contest.

Specifically, here are the prizes that Google is proposing:

  • $110,000: Browser- or system-level compromise — in guest mode or as a logged-in user — delivered via a web page.

  • $150,000: Compromise with device persistence — guest to guest with interim reboot — delivered via a web page.

Google is offering multiple prizes for each crack up to a maximum of $3.14 million for all winners.

Winning attacks had to "be demonstrated against a base (wi-fi) model of the Samsung Series 5 550 Chromebook running the latest stable version of Chrome OS. Any installed software (including the kernel and drivers, etc) may be used to attempt the attack".

That's serious money for serious cracking. Google did this, according to Chris Evans, the tech leader of the Google Chrome Security Team, because "Security is one of the core tenets of Chrome, but no software is perfect, and security bugs slip through even the best development and review processes. That's why we've continued to engage with the security research community to help us find and fix vulnerabilities".

A few days before the contest, Google pushed out 10 Chrome browser security fixes and then the games were on.

Even with millions of dollars in prizes at stake, no one was truly successful in taking down the Linux-based Chrome OS. The Google Chrome team reported on Google+ that even though the competition deadline had been extended at the would-be crackers' request, "We just closed out the competition. We did not receive any winning entries but we are evaluating some work that may qualify as partial exploits."

Further details are not available at this time, but clearly, given the failure of all browsers on Windows in Pwn2Own and yet another wave of critical Windows vulnerabilities in Chrome OS in specific, and Linux in general, remains the best choice for security-conscious desktop users.

Related stories

Editorial standards