Web browsers were the big losers and mobile devices the winners during the third annual Pwn2Own contest held this week at the CanSecWest conference.
To get security news and tips delivered to your inbox,
A hacker exploited a zero-day flaw in Internet Explorer 8 using a technique that bypassed Microsoft's Data Execution Prevention technology and Address Space Layout Randomization security features. The hacker, who remained anonymous, then exploited a zero-day flaw in the Apple Safari and Mozilla Firefox browsers. The hacker was rewarded with $15,000 from the coffers of the TippingPoint DVLabs Zero-day Initiative.
A second hacker, Charlie Miller was the first to exploit a browser flaw, cracking into a Macbook via Safari on Mac OS X. Miller, a member of Baltimore-based Independent Security Evaluators, was part of a team that exploited an Apple iPhone flaw in 2007, taking complete control of the phone to send text messages, collect the user's call history, contact information and voice mail data.
security lacking at many businesses: Although smartphone makers are reporting millions of
devices being sold, IT has been slow to address the security issues that arise from their use in
Smartphone security: The growing threat of mobile malware: The increasingly pervasive use of wireless handhelds in the enterprise is just one reason why malware pros are getting serious about mobile malware.
But hackers were unable to crack into mobile phones to win a prize this week. The TippingPoint team provided Blackberry, Android, iPhone, Nokia/Symbian and Windows Mobile devices for anyone attending the conference to break.
It took a team from penetration testing vendor, Core Security Technologies Inc., to demonstrate the security prowess of mobile devices. During a presentation, Core security researchers Alfredo Ortega and Nico Economou demonstrated how to crack into the iPhone, Google Android and Windows Mobile devices using a simulated stack overflow vulnerability.
In an interview with SearchSecurity.com, Ortega said the Apple iPhone had the most security features, making it the most difficult to crack. Windows Mobile was the easiest to pwn, he said. Ortega said Google's Android phone needs further exploring. The team did not test all the security characteristics of Android, he said. Also missing from testing was the long anticipated release of Windows Mobile 7.
"We could make an exploit that works on the three devices so we may be able to say that it's a draw," Ortega said. "But from the research that we could do, in fact the iPhone has better security measures than Android or Windows Mobile."
The iPhone's stack memory is non-executable making it extremely difficult for hackers to crack, Ortega said. The memory security model is absent in Android, he said.
Smartphone operating systems have some of the same built-in security technologies as some desktop systems, said Ivan Arce, Core's chief technology officer. As they mature, mobile device security should improve, he said.
"Operating systems running on smart phones compared to desktop operating systems are somewhat lagging in terms of security mechanisms and protections," Arce said. "Eventually they will catch up and I think they will catch up faster."
Security experts say mobile devices are riddled with flaws. Multiple vulnerabilities have been discovered on all three devices. But the fragmented mobile device market has made it difficult for attackers to make money exploiting mobile device flaws, keeping them relatively safe for now. Arce said the rapid pace of adoption of some smartphones could put them at greater risk.
The market for third-party applications could also put smart phones, such as the iPhone and Android, at greater risk for attack. Both Android and iPhone have opened up the phones to third-party developers. But so far third party applications have not yet become a lucrative target for hackers because they don't have enough critical mass. The payoff would be too low.
"Only a couple of applications, such as mapping applications, are similar on smart phones and people tend to use different configurations," Core's Ortega said. "If you put the numbers together, there are very few third party applications that have enough penetration to make them interesting to attackers. It's mostly games and it's not worth it to exploit games."