Slashdot Mirror


All Five Smartphones Survive Pwn2Own Contest

CWmike writes "Although three of the four browsers that were targets in the PWN2OWN hacking contest quickly fell to a pair of researchers, none of the smartphones were successfully exploited. TippingPoint had offered $10,000 for each exploit on any of the phones, which included the iPhone and the BlackBerry, as well as phones running the Windows Mobile, Symbian and Android operating systems. 'With the mobile devices so limited on memory and processing power, a lot of [researchers'] main exploit techniques are not able to work,' said TippingPoint's Terri Forslof. 'Take, for example, [Charlie] Miller's Safari exploit,' referring to Miller's 10-second hack of a MacBook via an unpatched Safari vulnerability that he'd known about for more than a year. 'People wondered why wouldn't it work on the iPhone, why didn't he go for the $10,000?' she said. 'The vulnerability is absolutely there, but it's a lot tougher to exploit on the iPhone.'" Chrome was the only browser at the contest that was not successfully exploited. We previously discussed day one of the contest, and a summary of day two is available as well.

28 of 144 comments

  1. All 5, eh? by jav1231 · · Score: 2, Insightful

    They name the iPhone and Blackberry and 3 OS's. Poorly worded much?

    1. Re:All 5, eh? by vux984 · · Score: 2, Informative

      Exactly what I was thinking. I went to the article to see what the 5 were and didn't really glean much more information out of it than what was in the summary.

      I had no trouble identifying the five that were tested:

      iphone, blackberry, windows, symbian, android.

  2. Not any tougher on iPhone according TFA by Shatrat · · Score: 4, Informative
    Apparently the safari exploit

    "should work on the iPhone but the bug couldn't (be) used twice in the competition."

    So the iPhone should be quite vulnerable, but wasn't compromised because it wouldn't have been eligible for the award since it was the same exploit used against OS X in the first day.

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    1. Re:Not any tougher on iPhone according TFA by Jedi_Master_SS · · Score: 5, Informative

      The iPhone uses a modified version of WebKit (see webkit.org) which is the same engine behind Safari and quite a few other things not just from Apple but other sources as well.

    2. Re:Not any tougher on iPhone according TFA by Anonymous Coward · · Score: 2, Funny

      Chrome is built using WebKit.

      Which raises the question, why is Safari less secure than Chrome?

      Safari was developed by Apple therefore security was overlooked for style and usability.

  3. A Symbian with a browser? by Anonymous Coward · · Score: 5, Funny

    I saw one of them Symbian's on the internet once. But I didn't know it could have a browser. I thought it was used more for content production.

  4. Chrome only browser ... by Thornburg · · Score: 4, Interesting

    Chrome was the only browser in the contest that was not successfully exploited... why didn't they include Opera, or any of the non-webkit open source browsers other than Firefox? (Ok, they may be fairly obscure, but surely Opera is well known enough, right?)

    1. Re:Chrome only browser ... by Anonymous Coward · · Score: 5, Funny

      They didn't want to give Opera any more ammunition against the other browsers.

    2. Re:Chrome only browser ... by pxlmusic · · Score: 5, Insightful

      as someone who recently gave Opera another go, i can see why.

      it would appear that i've been missing out

      --
      "If for any reason you're not satisfied with our service, I hate you."
    3. Re:Chrome only browser ... by n1ckml007 · · Score: 2, Funny

      yeah I tend to sing Opera's praises.

    4. Re:Chrome only browser ... by worip · · Score: 3, Insightful

      Chrome is also one of the newest browsers in the market. The longer a browser is out there, the longer the time someone can develop a hack for it. I bet for the next contest, presuming that Chrome will still be around, there will be a few Chrome hacks to go around.

      --
      A picture is worth exactly 1024 words.
    5. Re:Chrome only browser ... by Actually, I do RTFA · · Score: 3, Insightful

      Chrome was the only browser in the contest that was not successfully exploited... why didn't they include Opera

      For the same reason high school sports teams don't play NFL teams; it just would be disheartening to the players.

      My guess is that Opera never really got the attention because it never had a big company pushing it (MS, Apple, Google, and Firefox had the whole Mozilla/FOSS thing).

      --
      Your ad here. Ask me how!
    6. Re:Chrome only browser ... by Kamokazi · · Score: 2, Insightful

      I switched to Opera when FF was in version 2, because Opera was considerably faster in most cases. Now that FF is up to speed with Opera, I'm still with it because I'm more familiar with it...and it feels more 'complete' out of the box to me...no need for extensions. For someone who uses it regularly on four different machines (and irregularly on several more), that's important.

      Sure, it's not open source, but I'm concerned about free beer more than free speech (not to say that it's unimportant, I just have my priorities...as far as my browser is concerned, open vs closed is not nearly as important as it is with OS or production software).

      But Firefox has changed the browser 'market' more than any other I think, and in a very good way. They were striving to make a good free browser when no one else seemed to care about the web browser as much, as long as it worked. Opera was the only one really trying, and to compete they dropped the ads and became completely free. MS actually tried with IE7 (still failed), and...I know I will catch crap for this...have actually done a pretty damn good job with IE8. Chrome came out, obviously, and Apple has shown more interest in improving Safari.

      So while Opera is my browser of choice, I know I owe a lot to FF for setting the bar higher.

      --
      As our way of thanking you for your positive contributions to Slashdot, you are eligible to disable Slashdot 2.0.
  5. Re:Apple security by Rayban · · Score: 3, Funny

    [citation needed]

    --
    æeee!
  6. Hmm by LizardKing · · Score: 4, Funny

    Miller's 10-second hack of a MacBook via an unpatched Safari vulnerability that he'd known about for more than a year.

    Definitely a black hat then, as I'm assuming if he'd reported the vulnerability when he'd found it even Apple would have patched it by now.

    1. Re:Hmm by Yamamato · · Score: 5, Interesting
      No, it's because he's not going to do free work for Apple.

      Did you consider reporting the vulnerability to Apple?

      I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there's value to this work. No more free bugs.

    2. Re:Hmm by Chaos Incarnate · · Score: 2, Informative

      That's a bad assumption. Apple tends to sweep security problems under the rug as much as possible.

      --
      Benford's Corollary to Clarke's Law: "Any technology distinguishable from magic is insufficiently advanced."
    3. Re:Hmm by Yamamato · · Score: 3, Informative
      Plus he added a few more funny things about OSX.

      Why Safari? Why didn't you go after IE or Safari?

      It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows.

      It's more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it.

      With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have.

      It's clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But that's only half the equation. The other half is exploiting it. There's almost no hurdle to jump through on Mac OS X.

      Looks like all that supposed security you hear about in Mac OS X is really just a huge joke.
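
An added example, not part of the thread or of the interview quoted in the comment above: a defender-side check that reads the header flags with which a Mach-O or PE image opts into the two hurdles the interview names, address randomization and non-executable memory. The `sample_macho` and `sample_pe` helpers build constructed headers for illustration only; on x86_64 Mac OS X the heap flag is informational, since page protections already apply there.

```python
import struct

# Mach-O header constants, from <mach-o/loader.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_ALLOW_STACK_EXECUTION = 0x20000
MH_PIE = 0x200000                # image may be loaded at a randomized address
MH_NO_HEAP_EXECUTION = 0x1000000
# PE optional-header DllCharacteristics bits
DYNAMIC_BASE = 0x0040            # ASLR opt-in (/DYNAMICBASE)
NX_COMPAT = 0x0100               # DEP opt-in (/NXCOMPAT)

def macho_mitigations(data):
    """Report mitigation flags of a thin, little-endian Mach-O image."""
    if len(data) < 28:
        raise ValueError("truncated Mach-O header")
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O image")
    # The flags word sits at offset 24 in both mach_header and mach_header_64.
    flags, = struct.unpack_from("<I", data, 24)
    return {"pie": bool(flags & MH_PIE),
            "stack_exec_allowed": bool(flags & MH_ALLOW_STACK_EXECUTION),
            "no_heap_exec": bool(flags & MH_NO_HEAP_EXECUTION)}

def pe_mitigations(data):
    """Report the ASLR/DEP opt-in bits of a PE image (PE32 or PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 4-byte signature + 20-byte COFF header, then DllCharacteristics at +70.
    off = e_lfanew + 4 + 20 + 70
    if len(data) < off + 2:
        raise ValueError("truncated optional header")
    chars, = struct.unpack_from("<H", data, off)
    return {"dynamic_base": bool(chars & DYNAMIC_BASE),
            "nx_compat": bool(chars & NX_COMPAT)}

def sample_macho(flags):
    """Constructed 64-bit x86_64 MH_EXECUTE header with no load commands."""
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 0, 0, flags, 0)

def sample_pe(dll_characteristics):
    """Constructed minimal DOS stub + PE headers; only the fields read above are set."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + bytes(20) + bytes(opt)

if __name__ == "__main__":
    print("Mach-O, no PIE :", macho_mitigations(sample_macho(0x85)))
    print("Mach-O, PIE    :", macho_mitigations(sample_macho(0x85 | MH_PIE)))
    print("PE, no opt-ins :", pe_mitigations(sample_pe(0)))
    print("PE, ASLR + DEP :", pe_mitigations(sample_pe(DYNAMIC_BASE | NX_COMPAT)))
```
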

    4. Re:Hmm by LizardKing · · Score: 5, Interesting

      No, it's because he's not going to do free work for Apple.

      That's precisely the attitude of a black hat. A responsible hacker notifies the vendor or author of the issue, giving them a reasonable amount of time to release a fix. If the fix is forthcoming in a timely manner, the hacker should be thanked in the release notes and is then free to post a description of the issue along with a proof of concept exploit if they like. If a fix is not forthcoming in a timely manner, and no reasonable explanation given by the vendor or author, then the hacker releases the description in the knowledge that they've adhered to the widely acknowledged good practice. This is responsible full disclosure.

      A black hat doesn't notify the vendor in order to gain some kind of material benefit - be it selling the exploit or using it directly for personal gain. Funnily enough personal gain is what this guy did it for, making him a scumbag black hat hacker.

    5. Re:Hmm by Yamamato · · Score: 3, Insightful
      No, he's just not an idiot. BTW Apple pays people to report verifiable bugs to them. Does that make all those people black hats too? You never actually mentioned why he should do free work for Apple when they pay others to do the same thing.

      You talked earlier about the value of vulnerabilities. Was it a surprise that he (Nils) basically gave up three "high-value" bugs for $5,000 each?

      It's clear he's incredibly talented. I was shocked when I saw someone sign up to go after IE 8. You can get paid a lot more than $5,000 for one of those bugs. I've talked to a lot of smart, knowledgeable people and no one knows exactly how he did it. He could easily get $50,000 for that vulnerability. I'd say $50,000 is a low-end price point.

      For the amount of time he spent to do what he did on IE and Firefox, he could have found and exploited five or 10 Safari bugs. With the way they're paying $5,000 for every verifiable bug, he could have spent that same time and resources and make $25,000 or $30,000 easily just by going after Safari on Mac.

    6. Re:Hmm by Yamamato · · Score: 2, Interesting

      Emphasis mine.

      There is no emphasis...

      The very quote you mentioned clearly states he uses exploits for profit.

      No it doesn't. He said he's not going to go through the trouble of finding bugs and writing an exploit and then giving it away to Apple for free when they pay others money to do the exact same thing.

      The GP is completely right- this guy is a black hat.

      Sorry, the GP is wrong unless you have some information of him actually using any exploits for malicious use which I doubt you have.

    7. Re:Hmm by Phroggy · · Score: 3, Funny

      Looks like all that supposed security you hear about in Mac OS X is really just a huge joke.

      A lot of it is, yes. And, some of that supposed security in Windows Vista... really is improved security, not a joke.

      From the average user's perspective, Macs are more secure right now, because they're not targeted. I don't run any antivirus software on my Mac, because I'm confident that I won't encounter a Mac virus. In general, the people writing viruses don't know how to write for Macs, and the people writing for Macs don't want to write viruses. There used to be a handful of Mac viruses back in the 90s, but those have all gone away. Every once in awhile we hear about a new proof of concept, but nothing ever really comes of it.

      But there's nothing inherent about the way Mac OS X works that guarantees this situation to remain true. As Macs gain marketshare, they'll gain mindshare among malware authors. As buying a Mac becomes a more attractive option to regular people, it will become a more attractive option to malware authors, and once they have a Mac to play with, they'll start writing malware for it.

      Meanwhile, everybody says Vista is a joke; they'll upgrade when you pry XP from their cold dead fingers. People who have never even tried Vista bitch about "Cancel / Allow" dialogs. They say Microsoft completely dropped the ball by breaking compatibility with older software. While I'll be the first to agree that UAC's UI leaves much to be desired, I do leave it turned on*, and I generally know when to expect a prompt. For the thing in the system tray that needs Administrator privileges, I went to the trouble of working around UAC by adding it as a scheduled task that runs on login - this is far too complicated for normal users, and obviously either the software that needs this needs to be updated, or UAC needs an "always allow" option.

      Microsoft broke compatibility because they had to in order to improve security. Every once in awhile an argument breaks out on Slashdot that goes something like this:

      1) Windows sucks, because normal user accounts have Administrator privileges, which is just like running as root on Linux, which nobody ever does.
      2) That's because if you don't have Administrator privileges, half your applications won't run.
      3) Windows sucks, because Linux apps run just fine without needing root privileges.
      4) It's not Microsoft's fault, it's the application developers' fault for designing their app with the expectation that it will always have Administrator privileges.
      5) It is Microsoft's fault, because those app devs designed their app to work on Win98, which had no concept of per-user security, so apps could reliably expect to have unfettered write access to C:\Program Files. Microsoft shouldn't have allowed this.
      6) Macs are awesome!
      7) It's the year of Linux on the desktop!
      8) Shut up, both of you.

      Microsoft knew the status quo was broken, and that brokenness isn't sustainable. Their only long-term choice was to break compatibility by forcing applications to conform to new security standards. They've done that, and everyone bitched, but the apps have been fixed. Nobody realizes the apps have been fixed, because everybody switched back to (or stayed with) XP, but Windows 7 will be hugely popular (Microsoft is also fixing some of the real problems with Vista).

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  7. Grammar Nazi alert by Linker3000 · · Score: 2, Funny

    "none....was..." puhleeze!

    --
    AT&ROFLMAO
  8. Phones by Anonymous Coward · · Score: 2, Informative

    A quick Google Pulled up the Phones as:

    Phones (and associated test platform)

            * Blackberry(TBA)
            * Android(Dev G1)
            * iPhone(locked 2.0)
            * Nokia/Symbian(N95-1)
            * Windows Mobile (HTC Touch)

    1. Re:Phones by Thornburg · · Score: 3, Informative

      A quick Google Pulled up the Phones as:

      Phones (and associated test platform)

              * Blackberry(TBA)

              * Android(Dev G1)

              * iPhone(locked 2.0)

              * Nokia/Symbian(N95-1)

              * Windows Mobile (HTC Touch)

      The Blackberry was apparently a "Bold", at least, that's what one of the related blog posts refers to.

  9. Final Score (From DVLabs blog) by Deathlizard · · Score: 4, Informative

    Browsers
    Chrome: 0***
    IE8: 1**
    Firefox: 1(1)*
    Safari: 2(1)*

    Mobile Browsers
    Android: 0
    iPhone: 0
    Nokia/Symbian: 0
    Windows Mobile: 0
    Blackberry: 0****

    *Numbers in parentheses indicate Successful exploits that fell outside the contest criteria and therefore could not be rewarded.
    **Exploit Confirmed by MS
    ***Chrome was impacted by one of the flaws, although exploit was not possible using any current known techniques.
    ****The Blackberry was attempted and resulted in "Something Interesting", but not an exploit.

  10. Re:DIE HACKER DIE by petehead · · Score: 3, Funny

    DIE HACKER DIE

    Your German is unintelligible to me.

  11. You are under obligation to inform the vendor by snowwrestler · · Score: 2, Insightful

    The static point is that if you find an exploit, you are under no obligation to inform the vendor. You are not evil if you do not inform the vendor.

    I couldn't disagree more. If I walk by a house and see that the door is standing wide open, and then I see the owner on the street a couple minutes later, the ethics are clear. I should tell the guy he left his door open. I'm under no legal obligation but I should because it is the right thing to do. If he gets robbed later I should feel bad because I could have helped prevent it.

    Well maybe you say, no, they're a business. Doesn't matter. If I'm in a jewelry store and see that a clerk forgot to put away a diamond ring, which is the more ethical choice of action: ignore it and walk away, or remind the clerk to put it away?

    It is NOT ethical to go through life just ignoring what you perceive. Copping out is a choice too. Didn't you see Spiderman??

    It's particularly bad if you go around LOOKING for open doors or unlocked jewelry cabinets. You want to try to convince me that it's ok to spend a lot of time and effort looking for flaws, then just walk away when one is found? That seems like a ridiculous argument to me. Who goes through a bunch of effort and trouble to find a weakness, and then just blithely does nothing?

    Sorry, but I think you are a scumbag if you find an exploit in a popular OS or piece of software and do not report it to the vendor. Because if you found it, someone else will too and eventually it will get exploited. That will have a real impact on real people and you could have prevented it.

    If that doesn't seem fair, here's the way out--don't go looking for exploits unless you're contracted to do it. It's a very fair bargain--you don't waste your time and society doesn't hold you responsible for that choice. But please don't ask me to believe that it's ok to go hunting for exploits, but then it's somehow someone else's fault you don't get paid for the ones you find. That is what consulting contracts are for.

    --
    Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.