Hackers at Pwn2Own to compete for $100K in prizes
Contest targets to include iPhone, Droid and BlackBerry, IE, Firefox and Chrome
Computerworld - A hacking contest next month will award cash prizes of $15,000 to anyone who can break into an iPhone, BlackBerry Bold, Droid or Nokia smartphone.
The prizes are 50% more than the top awards given last year at Pwn2Own, which will kick off March 24 at the CanSecWest security conference in Vancouver, British Columbia. Altogether, $100,000 could be handed out by 3Com TippingPoint, the contest sponsor.
Pwn2Own will again offer a dual-track challenge with both browser and mobile OS targets, said Aaron Portnoy, a TippingPoint security research team lead, on a company blog that announced details of this year's contest.
Now in its fourth year, Pwn2Own has repeatedly made headlines for hacks of Apple's Mac OS X and Microsoft's Internet Explorer. In 2009, for example, researcher Charlie Miller broke into a Mac in less than five seconds to win $5,000.
This year, hackers will take on an iPhone 3GS, a Blackberry Bold 9700, an unspecified Nokia smartphone running the Symbian S60 platform and a Motorola, most likely a Droid, powered by Google's Android. A successful hack must result in code execution with little to no user-interaction, according to Portnoy.
Any exploited phone wins its attacker $10,000 in cash, the phone and enough points in TippingPoint's Zero Day Initiative (ZDI) bug-bounty program to qualify for another one-time payment of $5,000.
But the $60,000 that TippingPoint plans to put up for the mobile part of Pwn2Own may be safe: All five smartphones in last year's contest came through unscathed.
As in past challenges, Pwn2Own's browser track will pit hackers against the latest versions of Chrome, Firefox and IE on Windows, and Safari on Mac OS X. On the first day of the three-day contest, said Portnoy, a prize-winning hack "must overcome the latest and greatest flagship operating system with all exploit mitigations activated in their default state." The three Windows browsers will be installed on Windows 7, Microsoft newest, and theoretically most secure OS. When a browser goes down, its attacker will be awarded $10,000 -- double last year's reward -- and the notebook it was running on. Once hacked, a browser is removed from competition.
Untouched browsers continue into day two, when Chrome, Firefox and IE7 -- the 2006 predecessor to the newer IE8 -- are installed on systems running the older Windows Vista. Any browser that survives to the third day is installed on Windows XP, by Microsoft's own accounting, a softer target than Vista or Windows 7. (Safari remains on Mac OS X 10.6, aka Snow Leopard, throughout.)
In 2009, Firefox, Safari and a preview of IE8 were successfully beaten by hackers; only Chrome was not, though Google revealed several weeks later that it had been vulnerable to the same bug a German college student used to bring down Safari.
Last year, TippingPoint paid out $5,000 for each browser bug demonstrated, for a total of $20,000 in prizes.
TippingPoint purchases the rights to the vulnerabilities and exploit code used during the contest. It does not publicly release details of the Pwn2Own bugs, but instead reports them to the vendors, who then patch the flaws at their own pace. The vulnerability Miller used last year to hack Mac OS X, for example, was patched by Apple about two months after Pwn2Own concluded.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Microsoft defends Windows 7 security after Pwn2Own hacks
- Pwn2Own winner tells Apple, Microsoft to find their own bugs
- Hacker busts IE8 on Windows 7 in 2 minutes
- iPhone, Safari, IE8, Firefox all fall on day one of Pwn2Own
- iPhone falls in Pwn2Own hacking contest
- Former winners defend titles at Pwn2Own hacking contest
- Hackers at Pwn2Own to compete for $100K in prizes
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts