Pwn2Own 2009 ends: Smartphones & Chrome unbroken
The third annual Pwn2Own security competition at the CanSecWest conference in Vancouver, Canada ended on Friday (20th March), with Google's Chrome web browser and all of the smartphones left unbroken. The competition, sponsored by TippingPoint Technologies, awards a prize for each vulnerability found on various mobile phone platforms and internet browsers.
On the first day of the competition, the first contestant, Charlie Miller, executed a swift exploit of Apple's Safari web browser, winning him $5,000 and a MacBook. A 25-year-old computer science student, going by the name of 'Nils', later demonstrated exploits for Safari, Internet Explorer 8 and Firefox, winning him a total of $15,000 and a Sony Vaio P series notebook.
On the second day, the rules were relaxed to make the attacks easier. Contestants attempted attacks on BlackBerry, Android, iPhone, Symbian and Windows Mobile smartphones, as well as Google's Chrome browser. Further attempted attacks were also allowed on Safari, Internet Explorer 8 and Firefox, provided previously used exploits were not used again.
According to a TippingPoint blog post by Terri Forslof, "the (second) day was uneventful, with no attempts made to break the mobile phones – until the very moment (when) we were wrapping up to call it a day!" Contestant Sergio Alvarez made an attempt on the BlackBerry Bold, but was unsuccessful. The exploit he tried to use seemed to have been tested on a different model of phone and did not function as intended. An attempt was also made on the Symbian phone by an unnamed contestant. According to a Twitter post from TippingPoint, one of the Safari exploits used at the contest "should work on the iPhone but the bug couldn't (be) used twice in the competition." Successful attacks on the mobile devices were worth $10,000 each.
Participants are prevented from revealing the details of the exploits used, as they are required to sign a general non-disclosure agreement so that the affected vendors can be advised of the bugs and patches can be issued. CanSecWest and ZDI have confirmed that next year's competition will definitely include a mobile phone competition again. Due to feedback TippingPoint received from the contestants, next year the exact hardware specifications and operating system version numbers will be provided "well in advance."