iPhone, BlackBerry tumble to Pwn2Own hackers
Charlie Miller, a staple at the hacking contest, becomes 'Mr. Four-peat'
Computerworld - Apple's iPhone 4 and RIM's BlackBerry Torch 9800 both succumbed to hackers today at Pwn2Own, but two other smartphones running Android and Windows Phone 7 were unchallenged, the contest's sponsor said.
Charlie Miller became the first "four-peat" at Pwn2Own when he teamed with Dion Blazakis to take down the iPhone. Both Miller and Blazakis work for the Baltimore-based consulting firm Independent Security Evaluators (ISE).
Miller has walked off with winnings from Pwn2Own four years running -- 2008 through 2011 -- twice as many times as anyone else.
"Every other year I've had an exploit ready to go for months," said Miller in an interview after the win. "But this was a different experience, working under the time pressure because we were working on [the iPhone] exploit the night before."
Miller credited his partner for much of the work. "Dion's a really good researcher in his own right," said Miller.
Miller and Blazakis worked on their iPhone exploit for months, Miller said. "This one was pretty hard. Different bugs take different exploits, and this one was hard to exploit."
Pwn2Own winners are forbidden from discussing technical details of the vulnerabilities they exploit or releasing the attack code they've used. Instead, they turn over their findings and code to HP TippingPoint, the contest sponsor. TippingPoint in turn reports the vulnerabilities to vendors, who have six months to patch the bugs before TippingPoint publicly releases any information.
On the BlackBerry, a multi-national team composed of Vincenzo Iozzo, Ralf-Philipp Weinmann and a third researcher from the Netherlands matched Miller and Blazakis by hacking the Torch. Iozzo and Weinmann were old hands at Pwn2Own, having partnered in 2010 to successfully break into an iPhone 3GS at that year's contest.
Iozzo is an engineer at Zynamics GmbH, the German reverse engineering tool maker headed by noted researcher Thomas Dullien, better known as Halvar Flake. Zynamics was acquired by Google earlier this month for an undisclosed sum.
Weinmann, meanwhile, is a post-doctoral researcher at the Laboratory of Algorithms, Cryptology and Security at the University of Luxembourg.
Both teams were busy tweaking their exploits before today's round, said Peter Vreugdenhil, a former Pwn2Own winner who now works for TippingPoint, and served as a contest judge this year.
"Both were actually tweaking their exploits at the [CanSecWest] conference," said Vreugdenhil, referring to the Vancouver, British Columbia security conference where Pwn2Own takes place.
The iPhone and BlackBerry Torch hacks, however, were over in seconds. "They hooked up their computers to the phones, and that was it," said Vreugdenhil.
The teams each will receive a check for $15,000 from TippingPoint, as well as the smartphones they exploited, in a ceremony Friday at CanSecWest.