Mobile phones win during Pwn2Own contest

By Robert Westervelt, News Editor
20 Mar 2009 | SearchSecurity.com

Web browsers were the big losers and mobile devices the winners during the third annual Pwn2Own contest held this week at the CanSecWest conference.

A hacker exploited a zero-day flaw in Internet Explorer 8 using a technique that bypassed Microsoft's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) protections. The hacker, who remained anonymous, then exploited zero-day flaws in the Apple Safari and Mozilla Firefox browsers as well, and was rewarded with $15,000 from the coffers of the TippingPoint DVLabs Zero Day Initiative.

A second hacker, Charlie Miller, was the first to exploit a browser flaw, cracking into a MacBook via Safari on Mac OS X. Miller, a member of Baltimore-based Independent Security Evaluators, was part of a team that exploited an Apple iPhone flaw in 2007, taking complete control of the phone to send text messages and collect the user's call history, contact information and voice mail data.

But no hacker managed to crack a mobile phone to win a prize this week. The TippingPoint team provided BlackBerry, Android, iPhone, Nokia/Symbian and Windows Mobile devices for anyone attending the conference to break.

It took a team from penetration testing vendor Core Security Technologies Inc. to demonstrate how the mobile devices fare against an attacker. During a presentation, Core security researchers Alfredo Ortega and Nico Economou showed how to crack into iPhone, Google Android and Windows Mobile devices using a simulated stack overflow vulnerability.

In an interview with SearchSecurity.com, Ortega said the Apple iPhone had the most security features, making it the most difficult to crack. Windows Mobile was the easiest to pwn, he said. Ortega said Google's Android phone needs further exploring; the team did not test all of Android's security characteristics, he said. Also missing from the testing was the long-anticipated but still unreleased Windows Mobile 7.

"We could make an exploit that works on the three devices so we may be able to say that it's a draw," Ortega said. "But from the research that we could do, in fact the iPhone has better security measures than Android or Windows Mobile."

The iPhone's stack memory is non-executable, Ortega said, which makes it extremely difficult for an attacker to exploit a stack overflow in the classic way: the overflow can still overwrite the stack, but shellcode injected into the buffer will not run, so the attacker has to return into code the process already contains. That memory protection is absent in Android, he said.
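To make the non-executable-stack point concrete, here is an added example written for this article; it is not Core's demonstration code, which the article does not reproduce. It simulates the kind of stack overflow the team described, with a vulnerable copy beside its hardened form. The example assumes a frame layout in which a 64-byte local buffer sits directly below the saved return address, and models that frame as a struct so the overwrite is deterministic rather than undefined behaviour; the attacker payload and the placeholder return address are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64
#define SENTINEL_RET ((uintptr_t)0x1000)  /* stand-in for the genuine saved return address */

/* Assumed frame layout: a local buffer directly below the saved return
 * address, so bytes written past the buffer land on the return address.
 * Modelling it as a struct makes the overwrite deterministic instead of
 * relying on a real, undefined-behaviour overflow. */
struct frame {
    char buf[BUF_SIZE];
    uintptr_t saved_ret;
};

/* Vulnerable copy: never checks that msg fits in buf. The copy is capped at
 * the frame size only so the simulation stays inside the struct; a real
 * strcpy() would keep writing past the frame. */
struct frame vulnerable_copy(const uint8_t *msg, size_t msg_len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = SENTINEL_RET;
    size_t n = msg_len < sizeof f ? msg_len : sizeof f;
    memcpy(&f, msg, n);   /* BUG: bounded by the frame, not by buf */
    return f;
}

/* Hardened copy: refuses anything that does not fit with its terminator.
 * Returns 0 on success, -1 when the message would overflow. */
int hardened_copy(const uint8_t *msg, size_t msg_len, char out[BUF_SIZE])
{
    if (msg_len >= BUF_SIZE)
        return -1;
    memcpy(out, msg, msg_len);
    out[msg_len] = '\0';
    return 0;
}

/* Did the copy overwrite the saved return address? */
int ret_clobbered(const struct frame *f)
{
    return f->saved_ret != SENTINEL_RET;
}

/* Constructed attacker payload: filler up to the return-address slot, then
 * the value the attacker wants execution to return to. With an executable
 * stack that value would point back into buf, where shellcode sits; with a
 * non-executable stack that jump faults, so the attacker has to return into
 * code the process already contains. Returns the payload length, or 0 if
 * out is too small. */
size_t build_payload(uint8_t *out, size_t out_len, uintptr_t fake_ret)
{
    size_t off = offsetof(struct frame, saved_ret);
    size_t need = off + sizeof fake_ret;
    if (out_len < need)
        return 0;
    memset(out, 'A', off);
    memcpy(out + off, &fake_ret, sizeof fake_ret);
    return need;
}

int main(void)
{
    uint8_t payload[sizeof(struct frame)];
    size_t len = build_payload(payload, sizeof payload, (uintptr_t)0x41414141);
    struct frame f = vulnerable_copy(payload, len);
    printf("vulnerable copy: saved return address = 0x%lx (%s)\n",
           (unsigned long)f.saved_ret, ret_clobbered(&f) ? "clobbered" : "intact");

    char out[BUF_SIZE];
    printf("hardened copy: %s\n",
           hardened_copy(payload, len, out) == 0 ? "accepted" : "rejected oversized message");
    return 0;
}
```

The simulation shows only the overwrite; what the corrupted return address buys the attacker depends on the platform. On a device whose stack is executable the fake address can point back into the filler, which is where shellcode would be placed, while a non-executable stack turns that jump into a fault and forces the attacker toward code-reuse techniques. The hardened copy removes the overwrite altogether, which is the fix an application developer controls regardless of what the platform provides.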

Smartphone operating systems have some of the same built-in security technologies as some desktop systems, said Ivan Arce, Core's chief technology officer. As they mature, mobile device security should improve, he said.

"Operating systems running on smart phones compared to desktop operating systems are somewhat lagging in terms of security mechanisms and protections," Arce said. "Eventually they will catch up and I think they will catch up faster."

Security experts say mobile devices are riddled with flaws. Multiple vulnerabilities have been discovered on all three devices. But the fragmented mobile device market has made it difficult for attackers to make money exploiting mobile device flaws, keeping them relatively safe for now. Arce said the rapid pace of adoption of some smartphones could put them at greater risk.

The market for third-party applications could also put smartphones such as the iPhone and Android at greater risk of attack. Both Android and iPhone have opened the phones to third-party developers. But so far third-party applications have not become a lucrative target for hackers because they lack critical mass; the payoff would be too low.

"Only a couple of applications, such as mapping applications, are similar on smart phones and people tend to use different configurations," Core's Ortega said. "If you put the numbers together, there are very few third party applications that have enough penetration to make them interesting to attackers. It's mostly games and it's not worth it to exploit games."


