Free Republic


A history of the Pwn2Own Hacking Contest
MacDirectory | December 16, 2010 | Charlie Miller, Principal Analyst at Independent Security Evaluators

Posted on 12/17/2010 12:55:29 PM PST by Swordmaker

Despite what you may have heard, Apple products are not immune to viruses and other computer attacks. In 2007 an annual computer security conference called CanSecWest sought to prove this point by hosting a hacking contest called Pwn2Own. They offered $10,000 plus the MacBook being used to anyone who could successfully break into the brand new, fully patched MacBook running Tiger. (The name Pwn2Own comes from the hacker word "Pwn" which means to take over a computer, so you Pwn the computer to own the computer). Any vulnerabilities used in the contest would have to be given to the organizers who would then give the information to the vendor, in this case Apple. 

Researcher Dino Dai Zovi managed to win this contest by exploiting a flaw in QuickTime that was reachable through the Safari web browser. The victim merely had to surf to the malicious web page and Dai Zovi was able to take control of the victim machine and run any commands he wanted. In real life, this would have allowed him to read the victim's email, watch the victim log into their banking site, send spam, perform attacks against other computers, etc.

In 2008, the contest returned and, while still offering up $10,000 and the victimized laptop to the winner, included three targets: a MacBook Air running Leopard, as well as laptops running Windows Vista and Ubuntu Linux. That year, I won by exploiting a Safari browser vulnerability. Again, by getting the victim to visit a malicious site I was able to take over their computer and do whatever I wanted. The victim would have no idea that anything had gone wrong. Apple enthusiasts who felt that the 2007 contest was a fluke were starting to see that their Macs were just as vulnerable as Windows computers. For the record, researchers Alex Sotirov and Shane Macaulay took out the Vista laptop while the Linux laptop remained untouched.

Things were changed again for the 2009 Pwn2Own contest. In 2009, the prize for browser exploits was reduced to $5000, but a new class of targets was added: smartphones. $10,000 (and the phone) would be given to any researcher who could hack into one of the smartphones, which included BlackBerrys, Android, Symbian, Windows Mobile, and of course iPhones. As in 2008, I managed to exploit the computer running Safari, this time an up-to-date Leopard install on a MacBook Pro. A previously unknown researcher named Nils pulled off a trifecta and exploited both Safari and Firefox running on Mac OS X, as well as Internet Explorer 8 running on Windows Vista. No one managed to successfully attack the smartphones, but that would change this year.

This year the contest was back and featured $10,000 for browser exploits and $15,000 for smartphone exploits. I won another MacBook Pro (yes, I have a pile of computers sitting in the corner of my office) and the prize money for exploiting Safari, this time against a laptop running Snow Leopard. Nils was back and exploited Firefox running on Windows 7. A researcher named Peter Vreugdenhil exploited Internet Explorer 8 running on Windows 7. The only browser that wasn't defeated was Chrome. On the smartphone side of the competition, Vincenzo Iozzo and Ralf Philipp Weinmann succeeded in exploiting the iPhone. This was an iPhone right out of the box, not jailbroken. They used a vulnerability in the MobileSafari web browser in order to steal the SMS text messages stored on the device, although they could have performed a number of different actions. 

The Pwn2Own contest provides a venue for top researchers to showcase their skills, as well as providing free research for vendors, who can then patch critical vulnerabilities in their software. It also provides some insight into the relative security of different browsers and operating systems. While Mac OS X has led a charmed life from a security perspective, it should be clear that this is not because it is fundamentally more secure than its competitors, as shown by its being exploited in each of the last four years. Rather, its relative obscurity has protected it from wide-scale attack.

This leads to the main conclusion regarding Mac OS X security: it is safer, but not any more secure, than Windows.

Charlie Miller is Principal Analyst at Independent Security Evaluators, a Baltimore based computer security consulting company. http://securityevaluators.com 


TOPICS: Computers/Internet
KEYWORDS: ilovebillgates; iwanthim; iwanthimbad; macvirus; microsoftfanboys
Comment by Swordmaker: direct hacking with an active hacker like Charlie Miller is different than achieving an automated exploit. In each of these Pwn2Own competitions, the targeted computer's users had to navigate to a prepared website and take an action directed by the hacker. None of the Macs gave up ROOT access... Miller only gained user level access and had the user been a standard user, that's all he would have achieved. All of Miller's hacks took weeks of prior preparation, and contrary to the hype they were not breached in minutes or seconds... when Miller's and his staff's prep and research time has to be factored in as well. The exploit executed in minutes or seconds, but it took weeks of work. The other systems fell to people who said they started from scratch at the Pwn2Own contest.

The question still needs to be asked of Miller and the others who claim the Security by Obscurity canard: if 55 million OSX Macs and 110 million iOS devices aren't enough to attract malware authors to the platform, when malware writers were attracted to the 12,000 BlackIce protected Windows computers when they wrote the Witty Worm in 2006, just how many will it take??? When WILL the malware writers be attracted to the millions of Macs sitting out there running bare naked without anti-virus of any kind, sitting ducks, just waiting to be fleeced? When???

In addition, Apple has closed the vulnerabilities that Miller used in these contests. It was revealed, however, in the 2010 contest, that Miller's team discovered in their 2009 research a second flaw which they did not reveal to Apple for correction, apparently choosing instead to hold on to it for use in the following year's contest. Some say that was an unethical decision, that professionals have a duty to report such findings.

1 posted on 12/17/2010 12:55:32 PM PST by Swordmaker

To: Swordmaker

I think backdoors are left in these apps on purpose. Making a backdoor look like sloppy coding has become an art itself.

MS had to stop bulking up its systems so much because of competition from Apple and Linux. It would be nice if similar competition stopped the backdoors.

The worst backdoor is having USB keys automatically run executables. How can I ever trust a company that does these things?


2 posted on 12/17/2010 1:01:57 PM PST by Christian Engineer Mass (Leftys who zone in on Palin miss the point. America's not about single figures. That's for NK/Cuba.)

To: ~Kim4VRWC's~; 1234; 50mm; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; ...
Charlie Miller talks about Apple product Security... But he doesn't tell the whole truth—PING!

I won't call FUD on this article because it's mostly accurate. Good read.

Please, No Flame Wars!
Discuss technical issues, software, and hardware.
Don't attack people!

Don't respond to the Anti-Apple Thread Trolls!
 PLEASE IGNORE THEM!!!



Apple Security claims denied Ping!

If you want on or off the Mac Ping List, Freepmail me.

3 posted on 12/17/2010 1:03:01 PM PST by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Swordmaker

Having just suffered a fatal virus crash on my PC, I am loath to wish ill on anybody.

But it sure would be schadenfreude to see a “Wipe the smug grin off your face” virus shake up the Mac community.

Just sayin’.


4 posted on 12/17/2010 1:19:57 PM PST by Maceman (Obama -- he's as American as nasi goreng)

To: Christian Engineer Mass
The worst backdoor is having USB keys automatically run executables. How can I ever trust a company that does these things?

That's the way the Iranian nuclear bomb program was derailed: a virus was spread on USB Flash drives that only infected specific nuclear engineering software for Windows computers with specific Arabic tags! So, in this instance I'm kind of glad that capability WAS there... It set back their nuclear program by at least two years I understand!

Incidentally, my understanding is that does not happen on Macs. Shhhh. Don't tell anyone.

5 posted on 12/17/2010 1:36:16 PM PST by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Swordmaker
Any vulnerabilities used in the contest would have to be given to the organizers who would then give the information to the vendor, in this case Apple.

In addition, Apple has closed the vulnerabilities that Miller used in these contests. It was revealed, however, in the 2010 contest, that Miller's team discovered in their 2009 research a second flaw which they did not reveal to Apple for correction, apparently choosing instead to hold on to it for use in the following year's contest. Some say that was an unethical decision, that professionals have a duty to report such findings.

They would be wrong based on the conditions of the challenge.

6 posted on 12/17/2010 1:58:35 PM PST by frogjerk (I believe in unicorns, fairies and pro-life Democrats.)

To: Swordmaker

Yeah - I appreciate that, and so did everyone else. It was totally cool, but it’s a one-use trick on the international level, because everyone is wise to it now.

In the meantime, all the poor saps have been getting infected with every possible virus and will continue to do so, creating massive botnets that spam and commit financial fraud for their owners, so I have to do cartwheels just to get my bank balance


7 posted on 12/17/2010 2:09:21 PM PST by Christian Engineer Mass (Leftys who zone in on Palin miss the point. America's not about single figures. That's for NK/Cuba.)

To: Maceman
But it sure would be schadenfreude to see a “Wipe the smug grin off your face” virus shake up the Mac community.

We are still waiting for the first viable OSX virus to be seen in the wild. Counting OSX Server, which was released in early 1999, we are going on 12 years and counting without one single self-replicating, self-installing, self-transmitting, self-starting malware in the wild for OSX!

There have been some candidates seen in the labs but they all failed. In those twelve years we've picked up a total of 17 known Trojan horse programs in four distinct families, all of which OSX itself will warn you about on attempted download, attempted install, or at attempted first run. It takes a particularly clueless user to ignore all those warnings to proceed with the installation of a malicious Trojan. About the ONLY time a Mac user would be at risk would be a careless user downloading from an untrusted site on the day a zero day NEW FAMILY TROJAN came out that would not yet be in OSX's database... But then, being a zero-day, it most likely would NOT be in any other anti-virus vendor's database either.

8 posted on 12/17/2010 2:16:09 PM PST by Swordmaker (This tag line is a Microsoft product "insult" free zone.)

To: Swordmaker
Hi Swordmaker,

I'm just gonna lurk on this one, having only very little time tonight. But know that I'm with you on this.

It's unfortunate that anti-Apple people think that somehow the existence of a human-engineered trojan, or a local-access scripted exploit, somehow invalidates the Mac's claim to being a safer and more secure computing environment.

Of course nothing is perfect. Of course all software has flaws. Of course Mac OS-X has vulnerabilities. Big freakin' DUH. Point is, are they successfully exploited in the wild, with real users?

I'm waiting for the flood of Mac-specific viruses, now that Charlie Miller has talked about how it's no more secure than Windows.

[...crickets...]

Have a good time with this one, once the Apple-haters join up... :)

9 posted on 12/17/2010 3:19:49 PM PST by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: Maceman
But it sure would be schadenfreude to see a “Wipe the smug grin off your face” virus shake up the Mac community.

I'd rather see MSFT put out a really great program and end its dream of creating an eternal monopoly.

10 posted on 12/17/2010 3:35:44 PM PST by Tribune7 (The Democrat Party is not a political organization but a religious cult.)

To: Swordmaker
The Pwn2Own competitions are fine, but they are not enough. Charlie Miller, the author of this article, was behind the "No Free Bugs" campaign, that proposed a legitimate commercial market for exploits. I thought it sounded like a great idea, provided that the software companies paid hackers adequately for their highly skilled, labor-intensive work.

The market now exists, but compensation has been terrible.

http://www.computerworld.com/s/article/9179538/Google_calls_raises_Mozilla_s_bug_bounty_for_Chrome_flaws

From the linked article, printed last July:

"Google has paid out $14,846 for 21 reported vulnerabilities since January."

Calling that "chump change" is an insult to chumps. While Google and Mozilla have increased their payout to about $3000 per exploit, that is still very low.

I bet the black market in exploits is flourishing.

11 posted on 12/17/2010 7:07:48 PM PST by TChad

To: Maceman
But it sure would be schadenfreude to see a “Wipe the smug grin off your face” virus shake up the Mac community.

And we're supposed to believe that there aren't L33T HaX0Rz who feel the same way? That alone makes "security through obscurity" implausible.

12 posted on 12/17/2010 10:59:37 PM PST by ReignOfError
