CanSecWest Pwn2Own Hacker Contest Targets Smartphones

The organizers of this year’s CanSecWest Pwn2Own have painted a big bulls-eye on mobile devices, offering up an whopping $60,000 in prizes to entice hackers to exploit vulnerabilities on iPhones, Android, Nokia and BlackBerry smartphones.

The organizers of this year’s CanSecWest Pwn2Own have painted a big bulls-eye on mobile devices, offering up an whopping $60,000 in prizes to entice hackers to exploit vulnerabilities on iPhones, Android, Nokia and BlackBerry smartphones.

At Pwn2Own 2010, which takes place in Vancouver on March 24, 2010, contest sponsors TippingPoint ZDI has set the booty at US$100,000 with two main technology targets — smartphones and Web browsers/OS pairings.

According to ZDI’s Aaron Portnoy, the big focus this year will be on vulnerabilities affecting mobile devices.

The second portion of Pwn2Own 2010 offers bounties for
vulnerabilities affecting mobile phones. The increased presence and
capabilities of smart phones has brought with it the same security
issues and attention traditionally reserved for non hand-held platforms.
Vulnerabilities in parsing media, dynamic web content, e-mail, and
other client-side issues have been published
in the past. Additionally, many of the communication protocols that
mobile phones implement are the focus of a burgeoning field of security
research (ex: Lackey,
Langlois,
Bailey).

Portnoy said that $60,000
of the total $100,000 cash prize pool is set aside for the mobile phone
portion of the contest, with each target worth $15,000.

He said a  successful hack
on these targets must result in code execution with little to no
user-interaction. The targets this year are:

  • Apple iPhone 3GS
  • RIM Blackberry Bold 9700
  • A Nokia device running Symbian S60 (likely the E62)
  • A Motorola phone running Android (likely the Droid)

Mobile phones were in play at last year’s contest but there was little activity from hackers. Instead, the security researchers focused mainly on Web browsers, bringing down the three main browsers — Internet Explorer, Firefox and Safari — on the first day.

The remainding $40,000 will be assigned to
targets this year that include the latest versions of Microsoft
Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safari.

The browsers will be paired with a fully patched operating system. On day one, Portnoy said the following targets will be in play:

  • Microsoft Internet Explorer 8 on Windows 7
  • Mozilla Firefox 3 on Windows 7
  • Google Chrome 4 on Windows 7
  • Apple Safari 4 on MacOS X Snow Leopard

On the second day, older OS versions will be added to the mix:

  • Microsoft
    Internet Explorer 7 on Windows Vista
  • Mozilla Firefox 3 on Windows Vista
  • Google
    Chrome 4 on Windows Vista
  • Apple Safari 4 on MacOS X Snow Leopard

The contest will be expanded on Day 3 to include even older OS/browser pairings:

  • Mozilla Firefox 3 on Windows XP
  • Google
    Chrome 4 on Windows XP
  • Apple Safari 4 on MacOS X Snow Leopard

Suggested articles