Pwn2Own 2010: iPhone hacked - as well as IE 8, Firefox and Safari
At this year's Pwn2Own contest, the most popular browsers bit the dust on day one: Firefox and Internet Explorer 8 on Windows 7, and Safari on Mac OS X, were hacked via previously unknown security holes. The stars of the event were Vincenzo Iozzo and Ralf-Philipp Weinmann, the first Pwn2Own contestants to hack an iPhone.
Apart from fame and honour, the Pwn2Own hacking extravaganza at the CanSecWest security conference offers hackers lucrative prizes for successful exploits, which must involve the remote injection and execution of code: in addition to a total of 100,000 euros in prize money, hackers are also allowed to keep the hacked device. In return, the rights to the details of the presented security holes are transferred to the event organisers, ZDI, who then pass the details on to the respective vendors.
Iozzo and Weinmann navigated the iPhone's Safari browser to a specially crafted web page which, in turn, exploited a security hole to steal the iPhone's SMS database. According to a press release, the greatest difficulty was to smuggle malicious code past Apple's code-signing mechanism. The hackers bypassed this obstacle by craftily accessing already existing code (see: Exploit's new technology trick dodges memory protection).
Newcomer Peter Vreugdenhil managed to hack Internet Explorer 8 on Windows 7 despite ASLR and DEP, while last year's star hacker Nils managed to do the same with Firefox. Pwn2Own veteran Charlie Miller claimed another MacBook Pro after sacrificing one of his collected zero-day holes in Apple's Safari browser. None of the hackers targeted Google's Chrome web browser.
However, one should be careful about drawing conclusions about the security of the individual products. Pwn2Own is mainly a hacking extravaganza. Nobody knows who spent how much time on finding security holes and developing the appropriate exploits. Charlie Miller, for instance, told The H's associates at heise Security that he focused on Safari from the start. He added that it's open to speculation whether it would have taken him the same amount of time to find an exploit in Chrome. In Miller's opinion, Pwn2Own isn't a suitable basis for conclusions about which product is the most secure. The show, and the Pwn2Own contest, whose rules have been relaxed, continues until the 26th.
- Pwn2Own 2010: $100,000 for browser & mobile phone exploits, a report from The H.