Familiar faces, new names step up at Pwn2Own hacking contest

Past winner, target of Sony lawsuit, others prep for $125,000 contest

The Pwn2Own hacking contest next month will feature its largest-ever crew of contestants, including past winners, a French security firm armed with a bagful of bugs and an iPhone jailbreak expert who has been sued by Sony.

"The major difference this year is the sheer number of interested parties," said Aaron Portnoy, manager of TippingPoint's security research team. "Either the contest is becoming more popular or more people are comfortable exploiting mobile devices this year."

TippingPoint is again sponsoring Pwn2Own, a hacking challenge now in its fifth year. The contest will kick off March 9 at the CanSecWest security conference in Vancouver, British Columbia.

Eleven individuals or teams have registered for Pwn2Own, which will pit the researchers against four Web browsers -- Apple's Safari, Google's Chrome, Microsoft's Internet Explorer (IE) and Mozilla's Firefox -- as well as against smartphones running Apple's iOS, Google's Android, Microsoft's Windows Phone 7 and RIM's BlackBerry OS. The cash prizes for this year's Pwn2Own total $125,000, also a record.

More of the eleven entries will take on the smartphones than the browsers, another first for Pwn2Own.

Among the entries -- four of which were granted anonymity by TippingPoint -- are both familiar names and new faces.

Charlie Miller, the only researcher to have won at Pwn2Own three years running, will go for a "four-peat" by trying to exploit Safari, and, with Dion Blazakis, who like Miller works for the Baltimore-based consulting firm Independent Security Evaluators, will also tackle the iPhone.

Dan Holden, the director of HP DVLabs, the research arm of TippingPoint, highlighted several of the new faces, including George Hotz, Jon Oberheide and the French security firm Vupen.

Hotz, a well-known iPhone hacker, made news last month when he and others were sued by Sony after he showed how to jailbreak a Sony PlayStation 3 game console. Based on a random drawing, Hotz will get first crack at a Dell Venue smartphone running Windows Phone 7.

Oberheide, co-founder and chief technology officer at two-factor authentication software company Duo Security, is first in line to exploit a Samsung Nexus S running Android.

"What Pwn2Own is good at is getting incredibly bright people, who are well-known in the security community, but then making them visible to the IT industry in general," said Holden.

Vupen, meanwhile, is the first security company to field a team at Pwn2Own, and will be the first to take on Safari and the second to attack IE.

"We know the Vupen guys very well, and they know vulnerability discovery very well," Holden said. "We're glad Vupen's involved because they bring a new element -- a brand associated with the contest, rather than just individuals."

Vupen is known for taking a different tack than most security researchers: the company only reports bugs to vendors that have contracted for its services. In several cases last year and so far in 2011, Vupen has been among the first to break news of a bug in Microsoft's Windows operating system.

Both of Vupen's hacking attempts will be based on unreported vulnerabilities, confirmed Chaouki Bekrar, the company's CEO and head of research.

"To target Safari on Mac OS X Snow Leopard, we will use a highly reliable exploit taking advantage of a critical and unreported vulnerability," Bekrar said in an e-mail reply to questions.

Its hack of IE will be a first of its kind, added Bekrar, because it will bypass the browser's sandbox, dubbed Protected Mode. "This is the first time such a critical weakness has been discovered in Protected Mode," said Bekrar.

Vupen may not get a chance to win the $15,000 prize for IE if Stephen Fewer, who has drawn first shot at Microsoft's browser, succeeds. Fewer is the founder of Harmony Security, and frequently reports bugs to TippingPoint's Zero Day Initiative (ZDI) bounty program.

Last year, Fewer found a critical flaw in IE that Microsoft patched in December.

"Being first [in line] at Pwn2Own is very important," acknowledged Holden. Only the first researcher to successfully exploit each browser or smartphone is eligible for a cash prize.

Holden is looking forward to Pwn2Own, which he said had a break-out 2010.

"We had a groundbreaking year with ZDI last year, and we can directly correlate that with Pwn2Own," said Holden. "It really started for us in April, after [2010's] Pwn2Own. Aaron [Portnoy] and the team came back and the queue was filled with vulnerabilities, good vulnerabilities."

TippingPoint runs the ZDI bug bounty program to acquire unreported vulnerabilities, which it then analyzes so it can add protection against those bugs to the security tools and intrusion prevention system (IPS) appliances HP sells.

In other words, Holden said, the increasing attention paid to Pwn2Own has paid off. Last year, TippingPoint received more than 300 vulnerability submissions, a ZDI record. "Pwn2Own was responsible for that," Holden said.

The company also hired one of the winners from last year -- Peter Vreugdenhil, then an independent Dutch researcher -- based on his skill at bypassing Windows 7's anti-exploit defenses, ASLR and DEP. Vreugdenhil, who cannot compete because he now works for TippingPoint, will serve as one of the contest's judges. Holden declined to say whether another past winner, a German computer science student known only as "Nils," is among the anonymous entries. In 2010, Nils won $10,000 for compromising Firefox on Windows 7, and the year before he walked off with $15,000 for hacking Firefox, Safari and IE8 on the same day.

On Thursday, Holden echoed an earlier prediction by Portnoy that Google's Chrome -- which has never fallen at Pwn2Own -- will survive the first day of the contest, but will probably fall on the second or third day, when the rules change.

Google has promised to pay $20,000 to the first researcher who can hack Chrome and escape its sandbox on Day 1, when only vulnerabilities in Google's own code will be allowed. On the second and third days, researchers can employ a non-Chrome bug -- one in Windows, for example -- to break out of the sandbox. A successful attack on the second or third day will still put $20,000 in the researcher's pocket, but Google and TippingPoint will split the check.

"What's cool about Pwn2Own is that it's a way to take this amazing reverse engineering work that people have done, and then put it in a lasered approach to show exploits in the real world," said Holden. "In security, we don't know what we don't know, and we're always learning something new."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.
Copyright © 2011 IDG Communications, Inc.