Pwn2Own goes mobile: $200,000 prizes for iOS, Android, BlackBerry zero-day attack

Conference organizers at EuSecWest are dangling cash prizes for any hacker who can demo a successful zero-day attack on mobile web browsers, Near Field Communication (NFC), Short Message Service (SMS) and the cellular baseband.
Written by Ryan Naraine, Contributor
(This was the scene at the very first iPhone hack at the CanSecWest Pwn2Own contest in 2010, when Vincenzo Iozzo teamed up with Ralf-Philipp Weinmann to pop Apple's iPhone device.)

Conference organizers at EuSecWest in Amsterdam are dangling $200,000 in cash prizes to security researchers who demonstrate zero-day attacks against the most widely deployed smart phones.

The cash bounty will form part of Mobile Pwn2Own 2012, a special edition of the hacker challenge that pits vulnerability finders and exploit writers against fully patched computers and smart phones.


TippingPoint ZDI, which is sponsoring the contest along with AT&T and BlackBerry, says the primary goal is to demonstrate the current security posture of the most prevalent mobile technologies in use today, including attacks on mobile web browsers, Near Field Communication (NFC), Short Message Service (SMS), and the cellular baseband.

The organizers plan to shell out a $100,000 prize for a successful hack of the cellular baseband and $40,000 each for zero-day exploits against NFC and SMS. For a mobile web browser hack, Pwn2Own will pay $20,000.

TippingPoint ZDI says each contestant will be allowed to select the device they wish to compromise during a pre-registration process. 

"The only requirement is that it be a current device and running the latest operating system.  The exact OS version, firmware and model numbers will be coordinated with the pre-registered researcher," the company said. 

Some examples of devices include:

  • BlackBerry Bold 9930
  • Samsung Galaxy SIII
  • Nokia Lumia 900
  • Apple iPhone 4S

For an attack to be deemed successful, it must use a zero-day vulnerability and must require "little or no user interaction."

To win the prize, hackers must also compromise or exfiltrate useful data from the phone.

"Any attack that can incur cost upon the owner of the device (such as silently calling long-distance numbers, eavesdropping on conversations, and so forth) is within scope," the company explained.

A special RF isolation enclosure will be provided to facilitate hacks without breaking local laws. 

Mobile platforms have been a staple at previous Pwn2Own contests but, apart from a few hits on Apple's iPhone and RIM's BlackBerry, they have emerged mostly unscathed.
