or Connect
AppleInsider › Forums › Mobile › iPhone › Hacking contest to test iPhone's security
New Posts  All Forums:Forum Nav:

Hacking contest to test iPhone's security

post #1 of 34
Thread Starter 
After being humbled last year at the high-profile CanSecWest security conference, Apple faces further scrutiny as the same event organizers not only plan to test the Mac's defenses but, for the first time, the iPhone's as well.

3Com's security branch, TippingPoint, says that the 2009 edition of the Pwn2Own challenge will ask security experts and others attending the Vancouver, Canada event to hack smartphones, not just computers, in an attempt to find exploits that would allow arbitrary code.

Garnering publicity by way of Fortune, the two-day contest -- which begins along with CanSecWest on March 18th -- will give participants the opportunity to breach the safeguards of any one of five mobile platforms, each represented by a single device. Apple's iPhone will have to compete against the other heavyweights of the cellular world, including a BlackBerry as well as representative models for Android, Symbian and Windows Mobile.

The contestants will have to depend solely on remote access and are thus forced to use techniques that are more likely to be seen in the wild, such as dangerous websites visited through the mobile web browser, harmful e-mail contents, or deliberately malformed SMS text messages.

Sweetening the pot, TippingPoint is offering double the reward it is for more typical computer-borne hacks this year. Every hack that successfully executes code on a phone provides the winning team $10,000; those who are quick enough to hack a phone first wins the hardware along with a one-year contract to use it. Should at least five of the guests succeed, individual $5,000 prizes will also be doled out to those with the best exploits found by the end of the contest's second day.

As in the past, though, Pwn2Own is as much about practical help to the computer industry as it is a matter of bragging rights. As part of TippingPoint's Zero Day Initiative to stop threats before they leave the safety of a test lab, any winning attack will also be bought out and kept secret until the target company's software can be mended to prevent an in-the-wild threat.

The contest may be Apple's first real trial by fire for iPhone security. Although security breaches have often been a staple of jailbreak and unlock attempts, few instances have surfaced of malware coders writing software solely to break Apple's safeguards. For its part, Apple touts the closed distribution model and code signing features of OS X iPhone as essential to user security by making it less likely that harmful apps can be installed and run in the first place.

However, Apple has so far had a poor track record at CanSecWest. The Cupertino, Calfi.-based firm's Mac OS X was infamously the first to be hacked in the 2008 contest and was broken through a hostile web browser link rather than by more complicated tricks. The exploit required a Safari patch the next month.

And while some of OS X iPhone's susceptibility is still up in the air until next month's gathering, Apple may well face a repeat of last year's loss in desktop operating systems: in addition to the smartphone competition, Pwn2Own will also let participants test the security of Firefox and Safari in Mac OS X Leopard versus Chrome, Firefox and Internet Explorer 8 in Microsoft's brand new and reportedly more secure Windows 7.
post #2 of 34
.w00t.
post #3 of 34
I wonder if the iPhone being hacked will be jailbroken. Jailbroken iPhones will no doubt have reduced security, depending on the software installed...
post #4 of 34
I don't think these contests are fair or useful at all. No real security expert would hold back a hack so they could use it for a contest, these contests are for jerks and wanna-be's. They just lead to a lot of bad press based on biased crap and bragging rights for the hackers. For instance, the main meme that came out of last years version, repeated here:
Quote:
Originally Posted by AppleInsider View Post

However, Apple has so far had a poor track record at CanSecWest. The Cupertino, Calfi.-based firm's Mac OS X was infamously the first to be hacked in the 2008 contest and was broken through a hostile web browser link rather than by more complicated tricks. The exploit required a Safari patch the next month..

Is seriously misleading.

The media (as above) always focusses on "who get's hacked first" when it's essentially meaningless as a measure of which system is the most secure. They also, (as above) conveniently leave out the fact that no one could hack the Mac at all on the first two days, and that the hacker was the very first to attempt to hack *any* of the three machines. So while the story is reported as an embarrassing situation for Apple and played as if the Mac is somehow less secure than the other systems, it's nothing of the sort.

The mac got hacked first because the best hacker at the contest chose to focus on the Mac, primarily because it would give him the most "cred." It has nothing to do with the relative security of the platform over any other platform. The other machines didn't get hacked, because no one tried to.

Almost certainly, the iPhone will also be "the first to be hacked" at this one, and for the same reasons.

All the press, including AppleInsider apparently, will publish stories about how "insecure" the iPhone is, and goofy little boys commenting on Giz, Engadget and TUAW will all crow away as the meme of the iPhone's "insecurity" sweeps around the internet until it becomes a known fact, even though it won't actually be true at all.

What a waste of time.
In Windows, a window can be a document, it can be an application, or it can be a window that contains other documents or applications. Theres just no consistency. Its just a big grab bag of monkey...
Reply
In Windows, a window can be a document, it can be an application, or it can be a window that contains other documents or applications. Theres just no consistency. Its just a big grab bag of monkey...
Reply
post #5 of 34
While I agree with most of what Virgil-TB2 stated, he did leave out one very important fact. The guy who HACKED the MAC on the 3rd day stated on record that he could have used his HACK to gain access to any of the machines but chose the Mac Book Air because he wanted it.

He WANTED it.

Any machine can be hacked, if you do the wrong things, go the wrong places, your machine will get jacked. Just like cars, the thief is one step ahead of the security pro's. Any car can be jacked at any time, any place. Most thief's will go for the easiest target so if you have safe guards in place, you probably won't get hit. This is probably the same with computers, however with botnets and such, any machine can be hit if you are doing the wrong things.

If you play in the dirty streets, your gonna get infected.

LanPhantom
post #6 of 34
I can't speak for everyone who joins the contest--I can see why people should report something immediately and not wait for a contest, but $10,000 is an incentive to bad behavior in that regard.

But aside from that one issue, the contest itself seems useful to the industry, and done in a responsible way (in that the flaws are not released publicly, but sent to the vendors to be fixed).

I have a problem with those who publicize a flaw immediately out of a desire to "burn the vendor." But that's not what this is. This can lead to actual improvements.
post #7 of 34
Hmmm.

People with way too much time on their hands.
post #8 of 34
Can we maybe not give them their own local account on the machine this time around?
post #9 of 34
Quote:
Originally Posted by Virgil-TB2 View Post

I don't think these contests are fair or useful at all.

Damn right. It just encourages people to hack, promotes paranoia, and creates a profitable industry for the likes of symantec.
I'm not one for regulation but I would be in favor of banning these events altogether.
post #10 of 34
Quote:
Originally Posted by monstrosity View Post

Damn right. It just encourages people to hack, promotes paranoia, and creates a profitable industry for the likes of symantec.
I'm not one for regulation but I would be in favor of banning these events altogether.

So you'd prefer it if these exploits went unpatched or, even worse, were discovered by someone with malicious intentions?
post #11 of 34
Quote:
"those who are quick enough to hack a phone first wins the hardware along with a one-year contract to use it"

Phew, for a brief moment I thought you were saying they'd have a year contract to use their hacking method :o

I think it's a good idea to promote hacking for good (plus 10 grand, anyway). It ensures that the nice guys in the hacking world are giving you safer products.
post #12 of 34
Can anyone find a full list of the phones being used? I assume BB Storm, Nokia 5800, HTC G1 and HTC Touch HD.
post #13 of 34
be first out, I bet.

We mean Apple no harm.

People are lovers, basically. -- Engadget livebloggers at the iPad mini event.

Reply

We mean Apple no harm.

People are lovers, basically. -- Engadget livebloggers at the iPad mini event.

Reply
post #14 of 34
Quote:
Originally Posted by Shookster View Post

So you'd prefer it if these exploits went unpatched or, even worse, were discovered by someone with malicious intentions?

I believe that many of the people involved in these events themselves have malicious intentions. Many of these 'security' companies have had dubious past histories, often founded by hackers turned 'legit'.
post #15 of 34
If this event is for the good of the industry and those who use it, let's see it run next year with NO prizes. I wonder how many hackers will show up "just for the good of the industry."
My Android phone is the worst phone I've ever owned.
Reply
My Android phone is the worst phone I've ever owned.
Reply
post #16 of 34
Quote:
Originally Posted by Dorotea View Post

Hmmm.

People with way too much time on their hands.

LOL...and they are probably gonna get 100k jobs at software companies to help with security.
post #17 of 34
Quote:
Originally Posted by Virgil-TB2 View Post

I don't think these contests are fair or useful at all. No real security expert would hold back a hack so they could use it for a contest, these contests are for jerks and wanna-be's. They just lead to a lot of bad press based on biased crap and bragging rights for the hackers. For instance, the main meme that came out of last years version, repeated here:

Is seriously misleading.

The media (as above) always focusses on "who get's hacked first" when it's essentially meaningless as a measure of which system is the most secure. They also, (as above) conveniently leave out the fact that no one could hack the Mac at all on the first two days, and that the hacker was the very first to attempt to hack *any* of the three machines. So while the story is reported as an embarrassing situation for Apple and played as if the Mac is somehow less secure than the other systems, it's nothing of the sort.

The mac got hacked first because the best hacker at the contest chose to focus on the Mac, primarily because it would give him the most "cred." It has nothing to do with the relative security of the platform over any other platform. The other machines didn't get hacked, because no one tried to.

Almost certainly, the iPhone will also be "the first to be hacked" at this one, and for the same reasons.

All the press, including AppleInsider apparently, will publish stories about how "insecure" the iPhone is, and goofy little boys commenting on Giz, Engadget and TUAW will all crow away as the meme of the iPhone's "insecurity" sweeps around the internet until it becomes a known fact, even though it won't actually be true at all.

What a waste of time.

I don't agree that it is a total waste of time. Apple set themselves up & touted themselves as this great invincible OS. I think it is good for them to get humbled every once in a while, keeps them aware that they aren't perfect & makes them become more proactive on looking for creative exploits.

I've dealt with a lot of programmers in my IT career & one thing I've found is that many (not all) have a sense of smugness about what they program. When something doesn't work right they tend to blame the issues on everything but their programming. Quite often though, after digging back into their code, they end up finding that they did in fact overlook something.

Unix is a great OS but there is more to OS X than the Unix core. Many of these exploits come through bugs in standalone apps like safari & quicktime anyway. OS X is quite secure by itself, but you are only as secure as your weakest link.
post #18 of 34
Quote:
Originally Posted by Ryan F View Post

Phew, for a brief moment I thought you were saying they'd have a year contract to use their hacking method :o

I think it's a good idea to promote hacking for good (plus 10 grand, anyway). It ensures that the nice guys in the hacking world are giving you safer products.

If you give them a forum to hack things legally it may also help keep them from getting caught up in illegal activity. Many of the best hackers get into trouble only because they get bored.
post #19 of 34
Quote:
Originally Posted by monstrosity View Post

I believe that many of the people involved in these events themselves have malicious intentions. Many of these 'security' companies have had dubious past histories, often founded by hackers turned 'legit'.

I think that comment makes no sense, what is their malicious intent? They have business intent, & many of these things are funded by companies that care a lot about security. They want to know what they are up against so that when they go in to tell a business they have created for them a secure environment, they understand exactly what they are talking about.

As far as giving prizes goes, it's great incentive & since it isn't your money they're giving away what do you care anyway.
post #20 of 34
make it a real challenge and prevent physical access to the test machines.
No social engineering tricks should be allowed.
post #21 of 34
Quote:
The contestants will have to depend solely on remote access and are thus forced to use techniques that are more likely to be seen in the wild

.... yeah, for the first day. Then when the iPhone is not hacked they'll "loosen" the rules on the second day so that they can get some juicy headlines.

Isn't that what happened last year?

Given that fact, why is anyone even paying attention to these jokers?
post #22 of 34
Quote:
Originally Posted by meelash View Post

.... yeah, for the first day. Then when the iPhone is not hacked they'll "loosen" the rules on the second day so that they can get some juicy headlines.

Isn't that what happened last year?

They never allowed physical access, they loosened the rules so the contestant could ask an operator on the laptop to do typical tasks. In this cas he asked the operator to visit a website which contained an exploit code using a flaw in Safari.
I think this is a perferctly valid hack, thanks to the hacker to have discovered the flaw and thanks to Apple to have fixed it.
post #23 of 34
Quote:
Originally Posted by cozagada View Post

They never allowed physical access, they loosened the rules so the contestant could ask an operator on the laptop to do typical tasks. In this cas he asked the operator to visit a website which contained an exploit code using a flaw in Safari.
I think this is a perferctly valid hack, thanks to the hacker to have discovered the flaw and thanks to Apple to have fixed it.

The fact that they "loosened" the rules at all shows what they're really about- headlines.

It wouldn't have been very exciting if the end of the conference summary was that nobody won....
post #24 of 34
Quote:
Originally Posted by Dorotea View Post

Hmmm.

People with way too much time on their hands.

Like the morons posting here whining about this.

It's super useful to have these devices hacked in a controlled setting instead of going undiscovered for months while the real bad guys are stealing your info. Ohhh, and watch out for those (hushed tone)... h-a-c-k-e-r-s. (hold me, I'm scared!)
post #25 of 34
Quote:
Originally Posted by AppleInsider View Post

After being humbled last year at the high-profile CanSecWest security conference, Apple faces further scrutiny as the same event organizers not only plan to test the Mac's defenses but, for the first time, the iPhone's as well.

3Com's security branch, TippingPoint, says that the 2009 edition of the Pwn2Own challenge will ask security experts and others attending the Vancouver, Canada event to hack smartphones, not just computers, in an attempt to find exploits that would allow arbitrary code.

I wish this TippingPoint thing would die. There were so many problems with how that contest was conducted and reported that it really just boiled down to being a publicity stunt for the event.

It was reported like it was a methodical security test when in fact the contestants got to walk away with any hacked machines. Therefore it's no surprise the highly desireable Macbook Air was the first to be targeted and the first to go down. Second, the hackers only failed to get Windows first because it was running a service pack none of them expected. Third, OS X and Windows were both only compromised *after* the hackers were allowed to direct a user's behavior on the machines which, in effect, equals physical access which pretty much nullifies any conclusions you might want to draw about security.

You know, the tech press had a field day with that event and they let the real headline walk right by them: the fact that all three platforms withstood the network-based attacks of the first day. That's amazingly good news and shows how far security on *all* platforms has come, but I didn't see anyone other than me in my blog reporting that.
post #26 of 34
well said.
post #27 of 34
Will they allow bluetooth access?

Hopefully that will stop the constant complaints about the iPhones's disabled bluetooth stack.

If not maybe a bluetooth exploit can be triggered by something contained in an MMS?
A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this...
Reply
A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this...
Reply
post #28 of 34
Quote:
Originally Posted by teslacoil6603 View Post

make it a real challenge and prevent physical access to the test machines.
No social engineering tricks should be allowed.

I think both physical access and social engineering should be included. These are part of the real-world security challenge that we face and want to be protected from.

Many of the most important software concepts were invented in the 70s and forgotten in the 80s.

Reply

Many of the most important software concepts were invented in the 70s and forgotten in the 80s.

Reply
post #29 of 34
Quote:
Originally Posted by PXT View Post

I think both physical access and social engineering should be included. These are part of the real-world security challenge that we face and want to be protected from.

Yeah, because in the real-world strangers have physical access to my PC. \

And, by definition, no one can protect you against social engineering except yourself.
post #30 of 34
allow mms attacks. that makes the whole thing less interesting...

TERRI FORSLOF WED 25 FEB 2009 00:09A

Quote:
Winning scenarios against the mobile devices include attacks that can be exploited via email, SMS text, website browsing and other general actions a normal user would take while using the device. Physical access will not be granted to the mobile devices, and proving successful exploitation of one of the mobile devices will be verified by our team of hardware hacker judges on the ground at the event.

We mean Apple no harm.

People are lovers, basically. -- Engadget livebloggers at the iPad mini event.

Reply

We mean Apple no harm.

People are lovers, basically. -- Engadget livebloggers at the iPad mini event.

Reply
post #31 of 34
Can you use a real virus that already exists?

Just send an SMS containing a link to the SymbOS/Yxes worm as soon as you can get a phone number, Game Over Symbian within seconds.
A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this...
Reply
A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this...
Reply
post #32 of 34
Quote:
Originally Posted by hezekiahb View Post

I think that comment makes no sense, what is their malicious intent? .

To create security problems where there was once no security problems, come on wise up These companies want to build a hacker base for the iphone... and make profit on it.

Its bad for everyone bar them, dont kid yourself they are nice friendly folk doing good deeds.
post #33 of 34
I take it from the lack of screaming headlines that the hacker's attempts were somewhat unsuccessful.
A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this...
Reply
A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this...
Reply
post #34 of 34
Quote:
Originally Posted by hill60 View Post

I take it from the lack of screaming headlines that the hacker's attempts were somewhat unsuccessful.

Another bump:

http://www.engadget.com/2010/03/25/i...t-11/#comments

iPad2 16 GB
iPhone 5 32 GB

Reply

iPad2 16 GB
iPhone 5 32 GB

Reply
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPhone
AppleInsider › Forums › Mobile › iPhone › Hacking contest to test iPhone's security