iPhone will be first mobile device to fall at Pwn2Own 2010
The fourth annual Pwn2Own contest—which takes place at the CanSecWest security conference every year—kicks off next week. Like last year, 2010's contest will offer security experts and hackers the chance to "pwn" a number of mobile platforms in addition to various browser/OS combinations. Though no mobile devices were successfully hacked last year, expectations are high that the iPhone will go down in this year's contest.
"With all the recent research on mobile phone security being presented worldwide, these devices are quickly becoming a ripe target," wrote Aaron Portnoy, security researcher at TippingPoint and Pwn2Own contest organizer. "First to fall: the iPhone."
Mac OS X security expert Charlie Miller, known for his past exploits of Safari and discovery of a possible arbitrary code execution exploit for the iPhone, is also confident that the iPhone will go down this year. "Someone I know quite well says they have an exploit for it and plan on using it," he said recently during a chat with Kaspersky Lab's ThreatPost. "From an exploitation perspective, iPhone is no harder than [Mac] OS X now that Snow Leopard has data execution protection," Miller explained.
However, Miller plans to stick to Safari, which he successfully attacked the last two years, netting him thousands in cash and two MacBooks. "There isn't as much exposed code on the iPhone," he said. "The easy to exploit bugs I know about happen to live in the code that Safari has but Mobile Safari doesn't," mostly due to Mobile Safari's lack of support for Java, Flash, and other third-party plugins.
Also, Miller said, "in real life the iPhone is harder because you can't just execute a shell. You have to write your return-oriented payload to do all your dirty work, which can be a pain."
Miller said that attacking Safari this year will be harder than last year, since Snow Leopard has DEP and Safari sandboxes plug-ins in separate processes. However, he noted that Snow Leopard's incomplete support for address space layout randomization still leaves the Safari and Mac OS X combination open to vulnerabilities.
This year, contestants will have a chance to nab a laptop and a $10,000 cash prize for demonstrating exploits for IE8, Firefox 3, and Google Chrome 4 running under Windows 7, or Safari 4 running on Mac OS X 10.6. Contestants who successfully hack an iPhone 3GS, a BlackBerry Bold 9700, a Nokia E62, or a Motorola Droid will get to keep the device as well as $15,000 in cash.