The Mighty Fall at Pwn2Own
Owners of Apple products have a tendency to be complacent about security, but the results of this year's Pwn2Own contest suggest a little more wariness may be in order. "It's the fourth year they've run the contest, and every year someone's broken into Safari," noted Charlie Miller, the security analyst who won $10,000 and a MacBook Pro for hacking the browser in this year's event.
Three security experts tore into three Web browsers on Wednesday, the first day of the CanSecWest security conference in Vancouver, exposing flaws on a MacBook, iPhone and Windows PC, and winning cash and hardware in the process.
Network security provider TippingPoint's Zero Day Initiative organized its contest to enable Apple and other companies to plug holes in their popular products and protect the data of their customers.
"As a whole, most people seem to understand basic security, but there are still some gaping holes in today's most popular hardware and software computing platforms," Aaron Portnoy, security research team lead for TippingPoint, told TechNewsWorld. "The goal of this contest is to demonstrate how vulnerable these devices really are."
The results of the contest will be reported to the manufacturers so they can create the appropriate patches, according to Portnoy.
"Until then, we cannot discuss the details of the vulnerabilities [with] the public," he said. "This is to help keep the vulnerabilities from being exploited before they can be patched."
Safari Security Maven
In the first part of the contest, Charlie Miller, principal security analyst at consulting firm Independent Security Evaluators, remotely located a hole in the Safari browser of a MacBook Pro and launched a remote, "full-command" shell.
The shell allowed him to run a set of commands and see all the files on the target's MacBook, Miller told TechNewsWorld. The successful hacking attempt earned him US$10,000 and a new MacBook Pro.
"There's a reason for researchers like me to spend time looking for flaws," said Miller. "We get something for winning, the company gets free research, and the end-user gets a batch to a critical bug. So, in some sense, everybody wins there." Miller expects to see a patch for the bug in a month or so.
With hacks to the Mac becoming a regular event at the CanSecWest conference, Miller sees reason for concern.
"It's the fourth year they've run the contest, and every year someone's broken into Safari," he said. "You begin to wonder if there's some sort of underlying problem in what they're doing, that in four years they haven't made it any harder. One of these years, nobody's going to be able to do it. Since that hasn't happened yet, hopefully they'll get their act together and make a more secure product."
IE Invasion and Firefox Fetch
Meanwhile, Peter Vreugdenhil, an independent security researcher in the Netherlands, hacked Internet Explorer 8 on a Windows PC, passing through security features in the OS and data execution prevention code in Internet Explorer 8 to take over a Windows PC. He won $10,000 and the PC he pwned.
The Firefox security researcher extraordinaire was Nils, the head of research at UK-based MWR InfoSecurity, who broke into Firefox on a 64-bit Windows 7 PC by launching a "quintessential" CALC.EXE launching payload," said TippingPoint's Portnoy.
Ralf Philipp Weinmann of the University of Luxembourg and Vincenzo Iozzo of German company Zynamics were able to grab key data in an iPhone, according to Portnoy. "The researchers used a vulnerability in Safari that pulled the SMS database," he explains. Data included deleted messages, contacts, pictures and iTunes music files. The joint hackers shared a $15,000 prize, and each took ownership of an iPhone.
Despite all the efforts of device manufacturers, there are still holes to patch in MacBooks, PCs and iPhones.
"It just goes to show that [no matter] what you do, a bad guy can take over your computer -- even if you do everything right," Miller said.
Yet there will still be the folks who don't think their computer can be hacked, he noted.
"Hopefully, people who are more open to discussion will come away with [the realization that] 'hey, my MacBook isn't invincible,'" said Miller. "Some people won't be convinced, even though they should be."
As for consumers, should they be worried?
Apple is already actively working on fixes for these vulnerabilities, according to Portnoy.
"As with any device, more time on the market provides more time for hackers to research vulnerabilities," he said. "The iPhone has been out for several years now, and we are now starting to see more vulnerabilities being reported."