Katie MarsalAfter being humbled last year at the high-profile CanSecWest security conference, Apple faces further scrutiny as the same event organizers not only plan to test the Mac's defenses but, for the first time, the iPhone's as well.
Garnering publicity by way of Fortune, the two-day contest — which begins along with CanSecWest on March 18th — will give participants the opportunity to breach the safeguards of any one of five mobile platforms, each represented by a single device. Apple's iPhone will have to compete against the other heavyweights of the cellular world, including a BlackBerry as well as representative models for Android, Symbian and Windows Mobile.
The contestants will have to depend solely on remote access and are thus forced to use techniques that are more likely to be seen in the wild, such as dangerous websites visited through the mobile web browser, harmful e-mail contents, or deliberately malformed SMS text messages.
Sweetening the pot, TippingPoint is offering double the reward it is for more typical computer-borne hacks this year. Every hack that successfully executes code on a phone provides the winning team $10,000; those who are quick enough to hack a phone first wins the hardware along with a one-year contract to use it. Should at least five of the guests succeed, individual $5,000 prizes will also be doled out to those with the best exploits found by the end of the contest's second day.
As in the past, though, Pwn2Own is as much about practical help to the computer industry as it is a matter of bragging rights. As part of TippingPoint's Zero Day Initiative to stop threats before they leave the safety of a test lab, any winning attack will also be bought out and kept secret until the target company's software can be mended to prevent an in-the-wild threat.
The contest may be Apple's first real trial by fire for iPhone security. Although security breaches have often been a staple of jailbreak and unlock attempts, few instances have surfaced of malware coders writing software solely to break Apple's safeguards. For its part, Apple touts the However, Apple has so far had a poor track record at CanSecWest. The Cupertino, Calfi.-based firm's Mac OS X was infamously the first to be hacked in the 2008 contest and was broken through a hostile web browser link rather than by more complicated tricks. The exploit required a Safari patch the next month.
And while some of OS X iPhone's susceptibility is still up in the air until next month's gathering, Apple may well face a repeat of last year's loss in desktop operating systems: in addition to the smartphone competition, Pwn2Own will also let participants test the security of Firefox and Safari in Mac OS X Leopard versus Chrome, Firefox and Internet Explorer 8 in Microsoft's brand new and reportedly more secure Windows 7.
William Gallagher
Christine McKee
Andrew Orr
Charles Martin
Marko Zivkovic
Wesley Hilliard
33 Comments
.w00t.
I wonder if the iPhone being hacked will be jailbroken. Jailbroken iPhones will no doubt have reduced security, depending on the software installed...
I don't think these contests are fair or useful at all. No real security expert would hold back a hack so they could use it for a contest, these contests are for jerks and wanna-be's. They just lead to a lot of bad press based on biased crap and bragging rights for the hackers. For instance, the main meme that came out of last years version, repeated here:
However, Apple has so far had a poor track record at CanSecWest. The Cupertino, Calfi.-based firm's Mac OS X was infamously the first to be hacked in the 2008 contest and was broken through a hostile web browser link rather than by more complicated tricks. The exploit required a Safari patch the next month..
Is seriously misleading.
The media (as above) always focusses on "who get's hacked first" when it's essentially meaningless as a measure of which system is the most secure. They also, (as above) conveniently leave out the fact that no one could hack the Mac at all on the first two days, and that the hacker was the very first to attempt to hack *any* of the three machines. So while the story is reported as an embarrassing situation for Apple and played as if the Mac is somehow less secure than the other systems, it's nothing of the sort.
The mac got hacked first because the best hacker at the contest chose to focus on the Mac, primarily because it would give him the most "cred." It has nothing to do with the relative security of the platform over any other platform. The other machines didn't get hacked, because no one tried to.
Almost certainly, the iPhone will also be "the first to be hacked" at this one, and for the same reasons.
All the press, including AppleInsider apparently, will publish stories about how "insecure" the iPhone is, and goofy little boys commenting on Giz, Engadget and TUAW will all crow away as the meme of the iPhone's "insecurity" sweeps around the internet until it becomes a known fact, even though it won't actually be true at all.
What a waste of time.
While I agree with most of what Virgil-TB2 stated, he did leave out one very important fact. The guy who HACKED the MAC on the 3rd day stated on record that he could have used his HACK to gain access to any of the machines but chose the Mac Book Air because he wanted it.
He WANTED it.
Any machine can be hacked, if you do the wrong things, go the wrong places, your machine will get jacked. Just like cars, the thief is one step ahead of the security pro's. Any car can be jacked at any time, any place. Most thief's will go for the easiest target so if you have safe guards in place, you probably won't get hit. This is probably the same with computers, however with botnets and such, any machine can be hit if you are doing the wrong things.
If you play in the dirty streets, your gonna get infected.
LanPhantom
I can't speak for everyone who joins the contest--I can see why people should report something immediately and not wait for a contest, but $10,000 is an incentive to bad behavior in that regard.
But aside from that one issue, the contest itself seems useful to the industry, and done in a responsible way (in that the flaws are not released publicly, but sent to the vendors to be fixed).
I have a problem with those who publicize a flaw immediately out of a desire to "burn the vendor." But that's not what this is. This can lead to actual improvements.