VANCOUVER, BC -- Hackers have an opportunity to win thousands of dollars cracking into popular mobile devices, including Apple's iPhone 3GS and Google's new smartphone, the Nexus One, at the 2010 CanSecWest Applied Security Conference this week.
The conference kicks off today with a presentation by well-known network security researcher Marcus Ranum of Tenable Network Security. It also includes a number of highly anticipated sessions, including one from Miller, who is reportedly expected to reveal how he discovered 20 flaws in Mac OS X. Meanwhile, researchers at Core Security Technologies say they will demonstrate new automated methods to test for SQL injection vulnerabilities.
But the Pwn2Own contest draws a lot of attention. The sponsor of the contest, TippingPoint's DVLabs Zero-day Initiative, has raised the cash prizes. The organizers will award up to $100,000 to hackers who successfully crack into one of four mobile devices or discover a browser exploit to compromise several laptops.
TippingPoint security researcher Aaron Portnoy, who is organizing the contest, said mobile device hacking is more difficult because of a lack of publicly available research on the subject. Mobile devices also use fewer memory resources, further complicating a successful exploit.
"Most of these phones didn't have the capabilities that they have now," Portnoy said. "There's so much new functionality that has generally been coming out the last few years."
So far, up to nine hackers have signed up to participate in the contest. Charlie Miller of Baltimore-based Independent Security Evaluators, who was first to exploit a browser flaw last year, will make another attempt on Apple Safari 4 on Mac OS X.
However, all eyes will be on the smartphones, watching to see how they will weather the hacking onslaught. Last year, hackers failed to hack into smartphones. Portnoy said hackers have had more time to find ways to pull off a compromise. In addition to the iPhone and Nexus One, hackers can attempt to hack a RIM BlackBerry Bold 9700 and a Nokia E72 device running Nokia's Symbian OS. To win a $15,000 prize, hackers must be able to execute code on the device with little or no user interaction.
Security experts say mobile devices may be the next big target of attackers, as they become more powerful, running third-party applications that may contain the necessary vulnerabilities to gain access to the device's firmware. Multiple vulnerabilities have been discovered on all of the devices. Apple recently updated the iPhone, correcting security issues prior to the event. But so far the fragmented mobile device market has not made it lucrative for attackers to target smartphones.
Hackers will also try to crack browsers running on Windows 7 on day one of the contest. It will focus on Microsoft Internet Explorer (IE) 8, Mozilla Firefox 3 and Google Chrome 4 on Windows 7, as well as Apple Safari 4 on Mac OS X Snow Leopard. On day two and day three, the browsers (IE 7) are set up on Windows Vista and Windows XP. Both Apple and Mozilla issued browser updates ahead of the contest.
The cash prize pool for exploiting a browser zero-day vulnerability is set at $40,000. The hacker who finds a vulnerability will receive a $10,000 cash prize and the underlying laptop that was compromised.
"Once a target has been successfully compromised, it will be removed from the competition," wrote TippingPoint's Aaron Portnoy, who is overseeing the contest. "Thus, a successful day one attack on a specific browser must overcome the latest and greatest flagship operating system with all exploit mitigations activated in their default state."