VANCOUVER–For the fourth consecutive year, researcher Charlie Miller won one of the prizes at the annual Pwn2Own contest here. The difference this time is that Miller successfully exploited an iPhone 4 to win, rather than Safari, which he’s gone after the last three years. The BlackBerry Torch 9800 also was taken down, by a multinational team of researchers who were able to exploit the device’s browser by chaining three exploits together.
The team that went after the BlackBerry faced a series of major hurdles during the research process, the largest of which was the fact that there is no debugger available for the BlackBerry’s current browser. The browser, which is based on WebKit, has little documentation either, so the team of Willem Pinckaers, Vincenzo Iozzo and Ralf-Philipp Weinmann were essentially working in the dark, with no crash dump data and just tiny pieces of the memory map emerging as they went through the research process.
The researchers combined two information leak bugs and an integer overflow bug to exploit the BlackBerry browser and run their code on the phone. Iozzo and Pinckaers executed the attack at the contest; Weinmann was not present, but helped with the research. Iozzo, an independent security researcher, and Pinckaers, of Matasano Security, said that the process of finding the bugs and developing a working exploit for the BlackBerry was arduous.
“It was all trial and error. We didn’t have a debugger, so it crashes or it doesn’t crash or it takes a long time to respond. Those are the three options,” Pinckaers said. “We had to figure out the memory map from small little pieces.”
Miller, a researcher at Independent Security Evaluators, used a new exploit he’d developed with his colleague Dion Blazakis that enabled him to run arbitrary code on the iPhone after visiting a specific Web page on the device. After the exploit fired, he was able to perform whatever action he chose on the iPhone.
In each of the last three years Miller has won Pwn2Own at the CanSecWest conference by exploiting a new bug in Safari on Mac OS X. However, this year he never got the chance to try his luck against Apple’s browser because Chaouki Bekrar of French security company VUPEN went first and won the $15,000 prize and MacBook Pro.
In past years, the organizers of Pwn2Own have allowed more than one contestant to attack each target, even if someone has already successfully exploited it. Every successful attack after the first winner earned a smaller cash prize. However, this year’s rules are different and once a contestant takes down a given target, that one is off the table for everyone else.
Miller was the first contestant to go after the iPhone on Thursday. Other mobile devices also are on the slate for today, including the Nexus S handset running Android and a Windows Mobile handset. On the first day of the Pwn2Own contest, after Bekrar defeated Safari on OS X, Irish researcher Stephen Fewer was able to bypass both ASLR and DEP and exploit Internet Explorer 8 on a Windows 7 machine.
None of the contestants on Wednesday tried his luck against Google Chrome, which is generally regarded as more difficult to attack, thanks to its native sandbox. Mozilla Firefox was on the schedule for Thursday as well, but the team that had signed up to attack it withdrew this morning.
Iozzo said that compared with the iPhone, which he and Weinmann exploited to win at Pwn2Own last year, the BlackBerry is lagging behind in security.
“The BlackBerry is way behind the iPhone at the moment, from a security perspective,” Iozzo said.