White-Hat Hacker Competition Targets iPhone

Those white-hat-wearing, security-exploit-finding folks over at TippingPoint Digital Vaccine Laboratories are at it again. At the CanSecWest 2009, digital security conference to be held in Vancouver, British Columbia, next month, TippingPoint's Zero Day Initiative (ZDI) team will be sponsoring their third annual Pwn2Own contest. This time around, contestants will be attempting to demonstrate vulnerabilities of smartphones and browsers.

At last year's Pwn2Own challenge, a team of three security researchers successfully exploited a vulnerability in the Mac OS version of the Safari browser, and they walked away with a $10,000 and the very MacBook Air they hacked. Also, security researcher, Shan Macaulay, won $5,000 and a Fujitsu laptop for successfully exploiting a vulnerability in Adobe Flash on the Fujitsu running Windows Vista. As is TippingPoint's policy, it disclosed the information of these vulnerabilities and exploits to Apple and Adobe, respectively, and did not publicly disclose the details until after the companies issued patches.

Recent "publicly disclosed vulnerabilities discovered by TippingPoint
Zero Day Initiative researchers."

This year, $10,000 will be up for grabs for each exploit that contestants can "prove successful code execution" of one or more smartphones made up of "fully patched BlackBerry, Android, iPhone, Symbian and Windows Mobile phones in their default configurations." Would-be hackers will not be given physical access to the devices, but "winning scenarios against the mobile devices include attacks that can be exploited via email, SMS text, website browsing and other general actions a normal user would take while using the device." The first person who successfully cracks a particular smartphone will also win that unit as well a one-year service contract.

While that contest is taking place, others will be trying to exploit vulnerabilities in the Internet Explorer 8 (IE8), Firefox, and Chrome browsers, on a Sony Vaio laptop that is running Windows 7. Also, an Apple MacBook running OS X, will have the Mac versions of Safari and Firefox as potential targets. "All browsers will be fully patched and in their default configuration as of the first day of the contest." Winners will receive $5,000 for each successful exploit, and first person to crack a browser bug will also win the laptop that was hacked.

"As usual, the ZDI will purchase all winning vulnerabilities that are submitted against these targets, hand them over to the affected vendors, and coordinate public disclosure."

The ZDI team chose Windows 7 as the underlying operating system for the Windows-based browser exploitations, because it is "slated for release this year." It chose IE8 (versus Internet Explorer 7 (IE7)) for the same reason, as well as because, the ZDI team claims that they "know from experience that chances are a bug affecting IE8 will also affect IE7."
Tags:  security, Hacking