Hacking contest to test iPhone's securityAfter being humbled last year at the high-profile CanSecWest security conference, Apple faces further scrutiny as the same event organizers not only plan to test the Mac's defenses but, for the first time, the iPhone's as well.
3Com's security branch, TippingPoint, says that the 2009 edition of the Pwn2Own challenge will ask security experts and others attending the Vancouver, Canada event to hack smartphones, not just computers, in an attempt to find exploits that would allow arbitrary code.
Garnering publicity by way of Fortune, the two-day contest —which begins along with CanSecWest on March 18th —will give participants the opportunity to breach the safeguards of any one of five mobile platforms, each represented by a single device. Apple's iPhone will have to compete against the other heavyweights of the cellular world, including a BlackBerry as well as representative models for Android, Symbian and Windows Mobile.
The contestants will have to depend solely on remote access and are thus forced to use techniques that are more likely to be seen in the wild, such as dangerous websites visited through the mobile web browser, harmful e-mail contents, or deliberately malformed SMS text messages.
Sweetening the pot, TippingPoint is offering double the reward it is for more typical computer-borne hacks this year. Every hack that successfully executes code on a phone provides the winning team $10,000; those who are quick enough to hack a phone first wins the hardware along with a one-year contract to use it. Should at least five of the guests succeed, individual $5,000 prizes will also be doled out to those with the best exploits found by the end of the contest's second day.
As in the past, though, Pwn2Own is as much about practical help to the computer industry as it is a matter of bragging rights. As part of TippingPoint's Zero Day Initiative to stop threats before they leave the safety of a test lab, any winning attack will also be bought out and kept secret until the target company's software can be mended to prevent an in-the-wild threat.
The contest may be Apple's first real trial by fire for iPhone security. Although security breaches have often been a staple of jailbreak and unlock attempts, few instances have surfaced of malware coders writing software solely to break Apple's safeguards. For its part, Apple touts the first to be hacked in the 2008 contest and was broken through a hostile web browser link rather than by more complicated tricks. The exploit required a Safari patch the next month.
And while some of OS X iPhone's susceptibility is still up in the air until next month's gathering, Apple may well face a repeat of last year's loss in desktop operating systems: in addition to the smartphone competition, Pwn2Own will also let participants test the security of Firefox and Safari in Mac OS X Leopard versus Chrome, Firefox and Internet Explorer 8 in Microsoft's brand new and reportedly more secure Windows 7.