White hat hackers target the iPhone
How secure is your smartphone? We may find out next month.
Hackers and computer security experts gathering on March 18 in Vancouver, British Columbia, for the third annual Pwn2Own contest will be targeting five smartphones: an Apple (AAPL) iPhone, a Research in Motion (RIMM) BlackBerry and phones running on Google’s (GOOG) Android, Microsoft’s (MSFT) Windows Mobile and Nokia’s (NOK) Symbian operating systems.
The contest, sponsored by 3Com’s (COMS) TippingPoint computer security division, will award $10,000 prizes to anyone who can break into one of the phones and “pwn” it — hacker and Internet-gamer slang meaning to conquer or gain ownership. The smartphones themselves will be awarded as prizes to whomever cracks them first.
Under the rules of the contest, the organizers will reduce the difficulty each day that the smartphones are able fend off the attacks. The first day the phones with be “raw metal,” with no applications installed, forcing contestants to use Wi-Fi or network exploits. On the second day, the rules will be relaxed to allow the applications that come installed with the phones, including e-mail and Web browsers, but no third-party apps or downloads.
A second Pwn2Own contest track will pit hackers against browsers, with $5,000 prizes for contestants who can break the security of one of these five Web browser configurations: Internet Explorer 8, Firefox or Chrome installed on a Sony (SNE) Vaio running Windows 7 as well as Safari or Firefox installed on a Macbook running Mac OS X.
The prizes are awarded on a “per bug” basis. If more than five people win prizes, TippingPoint will award additional $5,000 bonus prizes for Most Interesting Browser flaw, Most Interesting Mobile Device Flaw, and Best in Show.
The Pwn2Own contest is run in conjunction with the annual CanSecWest security conference, now in its 10th year. The contest made headlines in the Apple press last year when Charlie Miller, a former National Security Agency employee, broke into a MacBook Air in less than two minutes under the second day’s relaxed rules, which permitted him to direct the laptop to a website preloaded with an exploit code. See here.
When it’s not running contests, TippingPoint operates a so-called ZeroDay Initiative in which it pays computer security specialists — also known as “white hat hackers” — a bounty for previously undiscovered vulnerabilities in return for a promise not to exploit them.
TippingPoint, in turn, notifies the vendor and simultaneously develops a patch that it offers to its security clients. Once the vendor has developed its own patch, TippingPoint and the vendor coordinate public disclosure. The researcher can either be given credit for the discovery or, if he or she prefers, remain anonymous.
Pwn2Own 2009 runs from March 18-20. The rules and prizes are posted here.