Hacking contest to test iPhone's security

Posted:
in iPhone edited January 2014
After being humbled last year at the high-profile CanSecWest security conference, Apple faces further scrutiny as the same event organizers not only plan to test the Mac's defenses but, for the first time, the iPhone's as well.



3Com's security branch, TippingPoint, says that the 2009 edition of the Pwn2Own challenge will ask security experts and others attending the Vancouver, Canada event to hack smartphones, not just computers, in an attempt to find exploits that would allow arbitrary code.



Garnering publicity by way of Fortune, the two-day contest -- which begins along with CanSecWest on March 18th -- will give participants the opportunity to breach the safeguards of any one of five mobile platforms, each represented by a single device. Apple's iPhone will have to compete against the other heavyweights of the cellular world, including a BlackBerry as well as representative models for Android, Symbian and Windows Mobile.



The contestants will have to depend solely on remote access and are thus forced to use techniques that are more likely to be seen in the wild, such as dangerous websites visited through the mobile web browser, harmful e-mail contents, or deliberately malformed SMS text messages.



Sweetening the pot, TippingPoint is offering double the reward it is for more typical computer-borne hacks this year. Every hack that successfully executes code on a phone provides the winning team $10,000; those who are quick enough to hack a phone first wins the hardware along with a one-year contract to use it. Should at least five of the guests succeed, individual $5,000 prizes will also be doled out to those with the best exploits found by the end of the contest's second day.



As in the past, though, Pwn2Own is as much about practical help to the computer industry as it is a matter of bragging rights. As part of TippingPoint's Zero Day Initiative to stop threats before they leave the safety of a test lab, any winning attack will also be bought out and kept secret until the target company's software can be mended to prevent an in-the-wild threat.



The contest may be Apple's first real trial by fire for iPhone security. Although security breaches have often been a staple of jailbreak and unlock attempts, few instances have surfaced of malware coders writing software solely to break Apple's safeguards. For its part, Apple touts the closed distribution model and code signing features of OS X iPhone as essential to user security by making it less likely that harmful apps can be installed and run in the first place.



However, Apple has so far had a poor track record at CanSecWest. The Cupertino, Calfi.-based firm's Mac OS X was infamously the first to be hacked in the 2008 contest and was broken through a hostile web browser link rather than by more complicated tricks. The exploit required a Safari patch the next month.



And while some of OS X iPhone's susceptibility is still up in the air until next month's gathering, Apple may well face a repeat of last year's loss in desktop operating systems: in addition to the smartphone competition, Pwn2Own will also let participants test the security of Firefox and Safari in Mac OS X Leopard versus Chrome, Firefox and Internet Explorer 8 in Microsoft's brand new and reportedly more secure Windows 7.
«1

Comments

  • Reply 1 of 33
    cu10cu10 Posts: 294member
    .w00t.
  • Reply 2 of 33
    I wonder if the iPhone being hacked will be jailbroken. Jailbroken iPhones will no doubt have reduced security, depending on the software installed...
  • Reply 3 of 33
    I don't think these contests are fair or useful at all. No real security expert would hold back a hack so they could use it for a contest, these contests are for jerks and wanna-be's. They just lead to a lot of bad press based on biased crap and bragging rights for the hackers. For instance, the main meme that came out of last years version, repeated here:

    Quote:
    Originally Posted by AppleInsider View Post


    However, Apple has so far had a poor track record at CanSecWest. The Cupertino, Calfi.-based firm's Mac OS X was infamously the first to be hacked in the 2008 contest and was broken through a hostile web browser link rather than by more complicated tricks. The exploit required a Safari patch the next month..



    Is seriously misleading.



    The media (as above) always focusses on "who get's hacked first" when it's essentially meaningless as a measure of which system is the most secure. They also, (as above) conveniently leave out the fact that no one could hack the Mac at all on the first two days, and that the hacker was the very first to attempt to hack *any* of the three machines. So while the story is reported as an embarrassing situation for Apple and played as if the Mac is somehow less secure than the other systems, it's nothing of the sort.



    The mac got hacked first because the best hacker at the contest chose to focus on the Mac, primarily because it would give him the most "cred." It has nothing to do with the relative security of the platform over any other platform. The other machines didn't get hacked, because no one tried to.



    Almost certainly, the iPhone will also be "the first to be hacked" at this one, and for the same reasons.



    All the press, including AppleInsider apparently, will publish stories about how "insecure" the iPhone is, and goofy little boys commenting on Giz, Engadget and TUAW will all crow away as the meme of the iPhone's "insecurity" sweeps around the internet until it becomes a known fact, even though it won't actually be true at all.



    What a waste of time.
  • Reply 4 of 33
    While I agree with most of what Virgil-TB2 stated, he did leave out one very important fact. The guy who HACKED the MAC on the 3rd day stated on record that he could have used his HACK to gain access to any of the machines but chose the Mac Book Air because he wanted it.



    He WANTED it.



    Any machine can be hacked, if you do the wrong things, go the wrong places, your machine will get jacked. Just like cars, the thief is one step ahead of the security pro's. Any car can be jacked at any time, any place. Most thief's will go for the easiest target so if you have safe guards in place, you probably won't get hit. This is probably the same with computers, however with botnets and such, any machine can be hit if you are doing the wrong things.



    If you play in the dirty streets, your gonna get infected.



    LanPhantom
  • Reply 5 of 33
    nagrommenagromme Posts: 2,834member
    I can't speak for everyone who joins the contest--I can see why people should report something immediately and not wait for a contest, but $10,000 is an incentive to bad behavior in that regard.



    But aside from that one issue, the contest itself seems useful to the industry, and done in a responsible way (in that the flaws are not released publicly, but sent to the vendors to be fixed).



    I have a problem with those who publicize a flaw immediately out of a desire to "burn the vendor." But that's not what this is. This can lead to actual improvements.
  • Reply 6 of 33
    Hmmm.



    People with way too much time on their hands.
  • Reply 7 of 33
    Can we maybe not give them their own local account on the machine this time around?
  • Reply 8 of 33
    Quote:
    Originally Posted by Virgil-TB2 View Post


    I don't think these contests are fair or useful at all.



    Damn right. It just encourages people to hack, promotes paranoia, and creates a profitable industry for the likes of symantec.

    I'm not one for regulation but I would be in favor of banning these events altogether.
  • Reply 9 of 33
    Quote:
    Originally Posted by monstrosity View Post


    Damn right. It just encourages people to hack, promotes paranoia, and creates a profitable industry for the likes of symantec.

    I'm not one for regulation but I would be in favor of banning these events altogether.



    So you'd prefer it if these exploits went unpatched or, even worse, were discovered by someone with malicious intentions?
  • Reply 10 of 33
    Quote:

    "those who are quick enough to hack a phone first wins the hardware along with a one-year contract to use it"



    Phew, for a brief moment I thought you were saying they'd have a year contract to use their hacking method :o



    I think it's a good idea to promote hacking for good (plus 10 grand, anyway). It ensures that the nice guys in the hacking world are giving you safer products.
  • Reply 11 of 33
    richlrichl Posts: 2,213member
    Can anyone find a full list of the phones being used? I assume BB Storm, Nokia 5800, HTC G1 and HTC Touch HD.
  • Reply 12 of 33
    be first out, I bet.
  • Reply 13 of 33
    Quote:
    Originally Posted by Shookster View Post


    So you'd prefer it if these exploits went unpatched or, even worse, were discovered by someone with malicious intentions?



    I believe that many of the people involved in these events themselves have malicious intentions. Many of these 'security' companies have had dubious past histories, often founded by hackers turned 'legit'.
  • Reply 14 of 33
    If this event is for the good of the industry and those who use it, let's see it run next year with NO prizes. I wonder how many hackers will show up "just for the good of the industry."
  • Reply 15 of 33
    Quote:
    Originally Posted by Dorotea View Post


    Hmmm.



    People with way too much time on their hands.



    LOL...and they are probably gonna get 100k jobs at software companies to help with security.
  • Reply 16 of 33
    Quote:
    Originally Posted by Virgil-TB2 View Post


    I don't think these contests are fair or useful at all. No real security expert would hold back a hack so they could use it for a contest, these contests are for jerks and wanna-be's. They just lead to a lot of bad press based on biased crap and bragging rights for the hackers. For instance, the main meme that came out of last years version, repeated here:



    Is seriously misleading.



    The media (as above) always focusses on "who get's hacked first" when it's essentially meaningless as a measure of which system is the most secure. They also, (as above) conveniently leave out the fact that no one could hack the Mac at all on the first two days, and that the hacker was the very first to attempt to hack *any* of the three machines. So while the story is reported as an embarrassing situation for Apple and played as if the Mac is somehow less secure than the other systems, it's nothing of the sort.



    The mac got hacked first because the best hacker at the contest chose to focus on the Mac, primarily because it would give him the most "cred." It has nothing to do with the relative security of the platform over any other platform. The other machines didn't get hacked, because no one tried to.



    Almost certainly, the iPhone will also be "the first to be hacked" at this one, and for the same reasons.



    All the press, including AppleInsider apparently, will publish stories about how "insecure" the iPhone is, and goofy little boys commenting on Giz, Engadget and TUAW will all crow away as the meme of the iPhone's "insecurity" sweeps around the internet until it becomes a known fact, even though it won't actually be true at all.



    What a waste of time.



    I don't agree that it is a total waste of time. Apple set themselves up & touted themselves as this great invincible OS. I think it is good for them to get humbled every once in a while, keeps them aware that they aren't perfect & makes them become more proactive on looking for creative exploits.



    I've dealt with a lot of programmers in my IT career & one thing I've found is that many (not all) have a sense of smugness about what they program. When something doesn't work right they tend to blame the issues on everything but their programming. Quite often though, after digging back into their code, they end up finding that they did in fact overlook something.



    Unix is a great OS but there is more to OS X than the Unix core. Many of these exploits come through bugs in standalone apps like safari & quicktime anyway. OS X is quite secure by itself, but you are only as secure as your weakest link.
  • Reply 17 of 33
    Quote:
    Originally Posted by Ryan F View Post


    Phew, for a brief moment I thought you were saying they'd have a year contract to use their hacking method :o



    I think it's a good idea to promote hacking for good (plus 10 grand, anyway). It ensures that the nice guys in the hacking world are giving you safer products.



    If you give them a forum to hack things legally it may also help keep them from getting caught up in illegal activity. Many of the best hackers get into trouble only because they get bored.
  • Reply 18 of 33
    Quote:
    Originally Posted by monstrosity View Post


    I believe that many of the people involved in these events themselves have malicious intentions. Many of these 'security' companies have had dubious past histories, often founded by hackers turned 'legit'.



    I think that comment makes no sense, what is their malicious intent? They have business intent, & many of these things are funded by companies that care a lot about security. They want to know what they are up against so that when they go in to tell a business they have created for them a secure environment, they understand exactly what they are talking about.



    As far as giving prizes goes, it's great incentive & since it isn't your money they're giving away what do you care anyway.
  • Reply 19 of 33
    make it a real challenge and prevent physical access to the test machines.

    No social engineering tricks should be allowed.
  • Reply 20 of 33
    meelashmeelash Posts: 1,045member
    Quote:

    The contestants will have to depend solely on remote access and are thus forced to use techniques that are more likely to be seen in the wild



    .... yeah, for the first day. Then when the iPhone is not hacked they'll "loosen" the rules on the second day so that they can get some juicy headlines.



    Isn't that what happened last year?



    Given that fact, why is anyone even paying attention to these jokers?
Sign In or Register to comment.