iPhone, BlackBerry tumble to Pwn2Own hackers
Charlie Miller, a staple at the hacking contest, becomes 'Mr. Four-peat'
Computerworld - Apple's iPhone 4 and RIM's BlackBerry Torch 9800 both succumbed to hackers today at Pwn2Own, but two other smartphones running Android and Windows Phone 7 were unchallenged, the contest's sponsor said.
Charlie Miller became the first "four-peat" at Pwn2Own when he teamed with Dion Blazakis to take down the iPhone. Both Miller and Blazakis work for the Baltimore-based consulting firm Independent Security Evaluators (ISE).
Miller has walked off with winnings from Pwn2Own four years running -- 2008 through 2011 -- twice as many times as anyone else.
"Every other year I've had an exploit ready to go for months," said Miller in an interview after the win. "But this was a different experience, working under the time pressure because we were working on [the iPhone] exploit the night before."
Miller credited his partner for much of the work. "Dion's a really good researcher in his own right," said Miller.
Miller and Blazakis worked on their iPhone exploit for months, Miller said. "This one was pretty hard. Different bugs take different exploits, and this one was hard to exploit."
Pwn2Own winners are forbidden from discussing technical details of the vulnerabilities they exploit or releasing the attack code they've used. Instead, they turn over their findings and code to HP TippingPoint, the contest sponsor. TippingPoint in turn reports the vulnerabilities to vendors, who have six months to patch the bugs before TippingPoint publicly releases any information.
On the BlackBerry, a multi-national team composed of Vincenzo Iozzo, Ralf-Philipp Weinmann and a third researcher from the Netherlands matched Miller and Blazakis by hacking the Torch. Iozzo and Weinmann were old hands at Pwn2Own, having partnered in 2010 to successfully break into an iPhone 3GS at that year's contest.
Iozzo is an engineer at Zynamics GmbH, the German reverse engineering tool maker headed by noted researcher Thomas Dullien, better known as Halvar Flake. Zynamics was acquired by Google earlier this month for an undisclosed sum.
Weinmann, meanwhile, is a post-doctoral researcher at the Laboratory of Algorithms, Cryptology and Security at the University of Luxembourg.
Both teams were busy tweaking their exploits before today's round, said Peter Vreugdenhil, a former Pwn2Own winner who now works for TippingPoint, and served as a contest judge this year.
"Both were actually tweaking their exploits at the [CanSecWest] conference," said Vreugdenhil, referring to the Vancouver, British Columbia security conference where Pwn2Own takes place.
The iPhone and BlackBerry Torch hacks, however, were over in seconds. "They hooked up their computers to the phones, and that was it," said Vreugdenhil.
The teams each will receive a check for $15,000 from TippingPoint, as well as the smartphones they exploited, in a ceremony Friday at CanSecWest.