Hacking contest to test iPhone's security
After being humbled last year at the high-profile CanSecWest security conference, Apple faces further scrutiny as the same event organizers not only plan to test the Mac's defenses but, for the first time, the iPhone's as well.
3Com's security branch, TippingPoint, says that the 2009 edition of the Pwn2Own challenge will ask security experts and others attending the Vancouver, Canada event to hack smartphones, not just computers, in an attempt to find exploits that would allow arbitrary code.
Garnering publicity by way of Fortune, the two-day contest -- which begins along with CanSecWest on March 18th -- will give participants the opportunity to breach the safeguards of any one of five mobile platforms, each represented by a single device. Apple's iPhone will have to compete against the other heavyweights of the cellular world, including a BlackBerry as well as representative models for Android, Symbian and Windows Mobile.
The contestants will have to depend solely on remote access and are thus forced to use techniques that are more likely to be seen in the wild, such as dangerous websites visited through the mobile web browser, harmful e-mail contents, or deliberately malformed SMS text messages.
Sweetening the pot, TippingPoint is offering double the reward it is for more typical computer-borne hacks this year. Every hack that successfully executes code on a phone provides the winning team $10,000; those who are quick enough to hack a phone first wins the hardware along with a one-year contract to use it. Should at least five of the guests succeed, individual $5,000 prizes will also be doled out to those with the best exploits found by the end of the contest's second day.
As in the past, though, Pwn2Own is as much about practical help to the computer industry as it is a matter of bragging rights. As part of TippingPoint's Zero Day Initiative to stop threats before they leave the safety of a test lab, any winning attack will also be bought out and kept secret until the target company's software can be mended to prevent an in-the-wild threat.
The contest may be Apple's first real trial by fire for iPhone security. Although security breaches have often been a staple of jailbreak and unlock attempts, few instances have surfaced of malware coders writing software solely to break Apple's safeguards. For its part, Apple touts the closed distribution model and code signing features of OS X iPhone as essential to user security by making it less likely that harmful apps can be installed and run in the first place.
However, Apple has so far had a poor track record at CanSecWest. The Cupertino, Calfi.-based firm's Mac OS X was infamously the first to be hacked in the 2008 contest and was broken through a hostile web browser link rather than by more complicated tricks. The exploit required a Safari patch the next month.
And while some of OS X iPhone's susceptibility is still up in the air until next month's gathering, Apple may well face a repeat of last year's loss in desktop operating systems: in addition to the smartphone competition, Pwn2Own will also let participants test the security of Firefox and Safari in Mac OS X Leopard versus Chrome, Firefox and Internet Explorer 8 in Microsoft's brand new and reportedly more secure Windows 7.
3Com's security branch, TippingPoint, says that the 2009 edition of the Pwn2Own challenge will ask security experts and others attending the Vancouver, Canada event to hack smartphones, not just computers, in an attempt to find exploits that would allow arbitrary code.
Garnering publicity by way of Fortune, the two-day contest -- which begins along with CanSecWest on March 18th -- will give participants the opportunity to breach the safeguards of any one of five mobile platforms, each represented by a single device. Apple's iPhone will have to compete against the other heavyweights of the cellular world, including a BlackBerry as well as representative models for Android, Symbian and Windows Mobile.
The contestants will have to depend solely on remote access and are thus forced to use techniques that are more likely to be seen in the wild, such as dangerous websites visited through the mobile web browser, harmful e-mail contents, or deliberately malformed SMS text messages.
Sweetening the pot, TippingPoint is offering double the reward it is for more typical computer-borne hacks this year. Every hack that successfully executes code on a phone provides the winning team $10,000; those who are quick enough to hack a phone first wins the hardware along with a one-year contract to use it. Should at least five of the guests succeed, individual $5,000 prizes will also be doled out to those with the best exploits found by the end of the contest's second day.
As in the past, though, Pwn2Own is as much about practical help to the computer industry as it is a matter of bragging rights. As part of TippingPoint's Zero Day Initiative to stop threats before they leave the safety of a test lab, any winning attack will also be bought out and kept secret until the target company's software can be mended to prevent an in-the-wild threat.
The contest may be Apple's first real trial by fire for iPhone security. Although security breaches have often been a staple of jailbreak and unlock attempts, few instances have surfaced of malware coders writing software solely to break Apple's safeguards. For its part, Apple touts the closed distribution model and code signing features of OS X iPhone as essential to user security by making it less likely that harmful apps can be installed and run in the first place.
However, Apple has so far had a poor track record at CanSecWest. The Cupertino, Calfi.-based firm's Mac OS X was infamously the first to be hacked in the 2008 contest and was broken through a hostile web browser link rather than by more complicated tricks. The exploit required a Safari patch the next month.
And while some of OS X iPhone's susceptibility is still up in the air until next month's gathering, Apple may well face a repeat of last year's loss in desktop operating systems: in addition to the smartphone competition, Pwn2Own will also let participants test the security of Firefox and Safari in Mac OS X Leopard versus Chrome, Firefox and Internet Explorer 8 in Microsoft's brand new and reportedly more secure Windows 7.
Comments
However, Apple has so far had a poor track record at CanSecWest. The Cupertino, Calfi.-based firm's Mac OS X was infamously the first to be hacked in the 2008 contest and was broken through a hostile web browser link rather than by more complicated tricks. The exploit required a Safari patch the next month..
Is seriously misleading.
The media (as above) always focusses on "who get's hacked first" when it's essentially meaningless as a measure of which system is the most secure. They also, (as above) conveniently leave out the fact that no one could hack the Mac at all on the first two days, and that the hacker was the very first to attempt to hack *any* of the three machines. So while the story is reported as an embarrassing situation for Apple and played as if the Mac is somehow less secure than the other systems, it's nothing of the sort.
The mac got hacked first because the best hacker at the contest chose to focus on the Mac, primarily because it would give him the most "cred." It has nothing to do with the relative security of the platform over any other platform. The other machines didn't get hacked, because no one tried to.
Almost certainly, the iPhone will also be "the first to be hacked" at this one, and for the same reasons.
All the press, including AppleInsider apparently, will publish stories about how "insecure" the iPhone is, and goofy little boys commenting on Giz, Engadget and TUAW will all crow away as the meme of the iPhone's "insecurity" sweeps around the internet until it becomes a known fact, even though it won't actually be true at all.
What a waste of time.
He WANTED it.
Any machine can be hacked, if you do the wrong things, go the wrong places, your machine will get jacked. Just like cars, the thief is one step ahead of the security pro's. Any car can be jacked at any time, any place. Most thief's will go for the easiest target so if you have safe guards in place, you probably won't get hit. This is probably the same with computers, however with botnets and such, any machine can be hit if you are doing the wrong things.
If you play in the dirty streets, your gonna get infected.
LanPhantom
But aside from that one issue, the contest itself seems useful to the industry, and done in a responsible way (in that the flaws are not released publicly, but sent to the vendors to be fixed).
I have a problem with those who publicize a flaw immediately out of a desire to "burn the vendor." But that's not what this is. This can lead to actual improvements.
People with way too much time on their hands.
I don't think these contests are fair or useful at all.
Damn right. It just encourages people to hack, promotes paranoia, and creates a profitable industry for the likes of symantec.
I'm not one for regulation but I would be in favor of banning these events altogether.
Damn right. It just encourages people to hack, promotes paranoia, and creates a profitable industry for the likes of symantec.
I'm not one for regulation but I would be in favor of banning these events altogether.
So you'd prefer it if these exploits went unpatched or, even worse, were discovered by someone with malicious intentions?
"those who are quick enough to hack a phone first wins the hardware along with a one-year contract to use it"
Phew, for a brief moment I thought you were saying they'd have a year contract to use their hacking method
I think it's a good idea to promote hacking for good (plus 10 grand, anyway). It ensures that the nice guys in the hacking world are giving you safer products.
So you'd prefer it if these exploits went unpatched or, even worse, were discovered by someone with malicious intentions?
I believe that many of the people involved in these events themselves have malicious intentions. Many of these 'security' companies have had dubious past histories, often founded by hackers turned 'legit'.
Hmmm.
People with way too much time on their hands.
LOL...and they are probably gonna get 100k jobs at software companies to help with security.
I don't think these contests are fair or useful at all. No real security expert would hold back a hack so they could use it for a contest, these contests are for jerks and wanna-be's. They just lead to a lot of bad press based on biased crap and bragging rights for the hackers. For instance, the main meme that came out of last years version, repeated here:
Is seriously misleading.
The media (as above) always focusses on "who get's hacked first" when it's essentially meaningless as a measure of which system is the most secure. They also, (as above) conveniently leave out the fact that no one could hack the Mac at all on the first two days, and that the hacker was the very first to attempt to hack *any* of the three machines. So while the story is reported as an embarrassing situation for Apple and played as if the Mac is somehow less secure than the other systems, it's nothing of the sort.
The mac got hacked first because the best hacker at the contest chose to focus on the Mac, primarily because it would give him the most "cred." It has nothing to do with the relative security of the platform over any other platform. The other machines didn't get hacked, because no one tried to.
Almost certainly, the iPhone will also be "the first to be hacked" at this one, and for the same reasons.
All the press, including AppleInsider apparently, will publish stories about how "insecure" the iPhone is, and goofy little boys commenting on Giz, Engadget and TUAW will all crow away as the meme of the iPhone's "insecurity" sweeps around the internet until it becomes a known fact, even though it won't actually be true at all.
What a waste of time.
I don't agree that it is a total waste of time. Apple set themselves up & touted themselves as this great invincible OS. I think it is good for them to get humbled every once in a while, keeps them aware that they aren't perfect & makes them become more proactive on looking for creative exploits.
I've dealt with a lot of programmers in my IT career & one thing I've found is that many (not all) have a sense of smugness about what they program. When something doesn't work right they tend to blame the issues on everything but their programming. Quite often though, after digging back into their code, they end up finding that they did in fact overlook something.
Unix is a great OS but there is more to OS X than the Unix core. Many of these exploits come through bugs in standalone apps like safari & quicktime anyway. OS X is quite secure by itself, but you are only as secure as your weakest link.
Phew, for a brief moment I thought you were saying they'd have a year contract to use their hacking method
I think it's a good idea to promote hacking for good (plus 10 grand, anyway). It ensures that the nice guys in the hacking world are giving you safer products.
If you give them a forum to hack things legally it may also help keep them from getting caught up in illegal activity. Many of the best hackers get into trouble only because they get bored.
I believe that many of the people involved in these events themselves have malicious intentions. Many of these 'security' companies have had dubious past histories, often founded by hackers turned 'legit'.
I think that comment makes no sense, what is their malicious intent? They have business intent, & many of these things are funded by companies that care a lot about security. They want to know what they are up against so that when they go in to tell a business they have created for them a secure environment, they understand exactly what they are talking about.
As far as giving prizes goes, it's great incentive & since it isn't your money they're giving away what do you care anyway.
No social engineering tricks should be allowed.
The contestants will have to depend solely on remote access and are thus forced to use techniques that are more likely to be seen in the wild
.... yeah, for the first day. Then when the iPhone is not hacked they'll "loosen" the rules on the second day so that they can get some juicy headlines.
Isn't that what happened last year?
Given that fact, why is anyone even paying attention to these jokers?