All five smartphones survive PWN2OWN hacker contest

One researcher refused to part with iPhone bug for $10k, says contest sponsor

By Gregg Keizer

March 24, 2009 12:00 PM ET

Comments

Top Stories

Computerworld - None of the five smartphones slated for attack at last week's PWN2OWN hacking contest was compromised, a sign that security researchers have yet to adapt to the limitations of mobile, said the company that put up the prize money.

"With the mobile devices so limited on memory and processing power, a lot of [researchers'] main exploit techniques are not able to work," said Terri Forslof, manager of security response at 3Com Inc.'s TippingPoint unit, which sponsored the contest.

Although three of the four browsers that were targets at PWN2OWN quickly fell to a pair of researchers -- netting one of contestants $5,000 and the other $15,000 -- none of the smartphones was successfully exploited. TippingPoint had offered $10,000 for each exploit of any of the phones, which included Apple Inc.'s iPhone and the Research in Motion Ltd.'s BlackBerry, as well as phones running the Windows Mobile, Symbian and Android operating systems.

"Take for example, Nils' Safari exploit," said Forslof, referring to the German computer science student's hack of the Apple browser, just one of three browsers he broke in short order. "People wondered why wouldn't it work on the iPhone, why didn't he go for the $10,000?" she said. "The vulnerability is absolutely there, but it's a lot tougher to exploit on the iPhone."

Even though there were no winners last week, Forslof said TippingPoint is planning to include a mobile component in next year's PWN2OWN contest, which is held at the CanSecWest security conference in Vancouver, British Columbia, each March. "Where there is an opportunity, our [security] community finds a way," she said. "I am expecting, absolutely, that the research community will find ways around the limitations of mobile.

"I'm feeling pretty confident that those barriers to exploit mobile will be overcome in the next year," Forslof added.

Another issue TippingPoint identified in its inaugural mobile hacking contest was the fact that the various combinations of handsets, operating systems and carriers add unexpected complications to the exploit equation. "We didn't realize how complicated it was" until it was too late, she said. As a result, in some cases TippingPoint wasn't able to pin down the exact phone or operating system version early enough to give researchers the lead time they needed to work up an exploit of a vulnerability they might have already uncovered.

Comment Recommend Digg Twitter ShareThis

Email Print Send Feedback Reprints

Jump to comments

PWN2OWN

Additional Resources

WHITE PAPER

Do You Know the 7 Steps to Successful Data Migration?

Approximately 60 percent of data migration projects overrun time or budget, while some fail completely. Download this white paper, "Enhancing Your Chance for Successful Data Migration," to learn the critical steps you need to take to execute a data migration project with minimum cost and risk to your business.

WHITE PAPER

Total Cost of Ownership of Server Computing Vs. PCs

Read the Gartner research note to learn why the TCO of a server-based computing deployment used to deliver all applications to users is around 50% lower than that of an unmanaged desktop deployment.

WHITE PAPER

IDC White Paper: Linux in a Global Recession

Economic downturns have a tendency to accelerate emerging technologies, boost the adoption of effective solutions, and punish solutions that are not cost competitive or that are out of synch with industry trends. This IDC White Paper presents the results of an IDC survey of 330 companies in Western Europe, Asia/Pacific and the Americas that measures the receptiveness to Linux and takes into consideration changing views driven by the disruptive economic environment that businesses face today.