Major smartphone platforms emerge unscathed from Pwn2Own
By Nilay Patel 
posted Mar 25th 2009 11:24AM
posted Mar 25th 2009 11:24AM
Sure seems like your handheld is a lot more secure than your computer, at least in some sense -- although the desktop versions of IE 8, Safari, and Firefox were each almost instantly cracked on the first day of the Pwn2Own contest, no one claimed the $10,000 bounty placed on each of the major smartphone platforms. That's certainly reassuring, but it may not ultimately mean much: according to contest organizers Tipping Point, the bugs in Android, Symbian, Windows Mobile, and the iPhone and BlackBerry OSes are still there, but they're harder to exploit because of device, OS, and carrier variations. That makes any vulnerabilities even more valuable -- one of the contestants apparently had an iPhone exploit ready to go, but wasn't willing to part with it since he wanted more than $10K for it. Tipping Point says it'll try and nail down specs of each platform earlier next year to make it easier on hackers, but let's hope the results are similar.[Via Slashdot]
Looks like iPhone would have gone down quickly if the cracker wasn't such a greedy bastard.
"I have an exploit, but I want more money for it."
Bullshit. Put up or shut up.
Actually, it kind of reaffirms how secure the phone is if people can demand over 10 Gs for a single exploit.
It's supply and demand. Demand is high because it's popular, supply is low because it's secure. All that means Ca-Ching! If you've got an exploit.
"one of the contestents apparently had an iPhone exploit ready to go, but wasn't willing to part with it since he wanted more than $10K for it."
So, I'm no math wiz but it appears that he could have had something and now he has NOTHING. Yeah, that worked in his favor.
it seems kind of like blackmail to me - "unless you pay me more than $10,000, something bad might happen to your iPhones. Not saying it will, and I'm not saying I'll have anything to do with it, but you never know...."
While it may not have worked out in his favor in the end, I'm all for this guy holding Apple for ransom. It's just a matter of "what is your security and reputation worth?" Think of it this way: this guy is basically acting as a security tester for free. I'm sure Apple and others routinely pay loads more than $10k for such high-level security checks.
Apple products even cost more to crack.
1st
nope.
pwnd. How fitting.
dammm
If the iPhone was secure, jailbreaking wouldn't be possible.
Bingo. It's OS X though so you would expect it to be leaky. Mind you, I'm surprised there are none for S60.
Yes, because you could be out one day, and somebody could run up behind you and jailbreak your phone while you're not looking.
Jailbreaking involves creating an unsecured OS image from your computer, and exploiting something in the way iTunes uploads the images to make the iPhone think it's the real OS. I don't know if they exploit something in the system that Apple use or if they actually do exploit a bug. Whatever they do, it doesn't mean jack to anybody walking around with an un-jailbroken iPhone. The exploit doesn't apply.
There's a major difference between hooking your iPhone up to your computer and injecting code into the boot sequence and, say, a buffer overflow in MobileSafari (or even worse; in the SMS app) that allows malicious code to be executed. I'm pretty sure they wouldn't allow the former in the hacking competition.
If I recall correctly, the contestants in the competition aren't really allowed to touch the computer they're hacking; they have to do it all remotely (except for navigating to a malicious site on the computer to-be-hacked).
It's been done before, I'm sure it can be done again
http://www.engadget.com/2007/07/23/safari-exploit-gives-hackers-full-control-of-your-iphone/
Sure, but my argument's still valid.
Mark - if OS X is so leaky, then why does it take somebody physically sitting in front of a Mac, admin password in hand, clicking on a link in an email before a hacker can even GET to Safari?
You do realize nobody has ever been able to hack into an OS X Mac remotely, right? That's what the first day of the contest is for. Nobody could do it. Let's not be stupid about this, please. Social engineering is not "hacking". And I guess since mr. "I want $10k" doesn't feel like proving himself correct, there's no point in assuming anything about his alleged "hack" on the iPhone.
@zak
http://news.cnet.com/2100-1002_3-6046197.html
Do you not know how to read? You just proved my point for me, you idiot. Pay close attention to this sentence:
"Participants were given local client access to the target computer and invited to try their luck."
LOCAL CLIENT ACCESS. Do you know what that means? It means that there was somebody sitting in front of the Mac, admin password in hand, waiting to click on a link in an email. Which is exactly what I said above. It's like this every year they run this contest, and every year, gaggles of morons like to spew bullshit about how the Mac was "hacked".
OS X is 8 years old, and in those 8 years, there hasn't been ONE virus, and nobody has EVER been able to hack a Mac remotely.
PERIOD.
@zac
http://forums.macrumors.com/showthread.php?t=186475
Zak, I don't understand something. Do Macs only have one user account or something? Why would you need an administrative password to open email and click a link?
@patriotsn1
That link that you provided to the "remote hacking" attempt is hardly on the same level as a worm or trojan on a Windows machine. First of all, the guys running his firewall under DMZ (i.e., all of his ports are open to public access). His computer was running with root access, and the person who "hacked" the system was using iTunes and a torrent program to download TV shows? Keep in mind that remotely logging into a system by guessing a password is hardly hacking (especially when the fool left himself wide open for an attack).
I suppose the correct phrasing for Zak is that a Mac has never been remotely compromised through a malicious program (a.k.a. virus/trojan). You're on your own, though, if you run an open VNC and SSH server and make your root password "tits" or "god". Same as with any Unix-based system.
@Zak
Who cares? It's still funny.
"LOCAL CLIENT ACCESS. Do you know what that means? It means that there was somebody sitting in front of the Mac, admin password in hand,"
Local client access doesn't directly imply admin access.
"Yes, because you could be out one day, and somebody could run up behind you and jailbreak your phone while you're not looking.
Jailbreaking involves creating an unsecured OS image from your computer, and exploiting something in the way iTunes uploads the images to make the iPhone think it's the real OS. I don't know if they exploit something in the system that Apple use or if they actually do exploit a bug. Whatever they do, it doesn't mean jack to anybody walking around with an un-jailbroken iPhone. The exploit doesn't apply."
Actually, iphones were jailbroken via a simple webpage in an earlier OS version (1.1.1 maybe?) due to a known safari .tif exploit ;) The guy who figured it out also patched the hole for apple after jailbreaking your phone for you.
http://www.tuaw.com/2007/10/29/confirmed-jailbreak-appsnapp-fixes-tiff-exploit-hole-in-iphone/
>>Who cares? It's still funny.
Actually, it's funnier watching the veins in Zak's head bulge.
@DirtyVegas
A very good point, sir.
Would love to see the PS3 added to the Pwn2Own platforms next year
Dr. Evil voice when asking for one million dollars comes to mind.
Are you serious? Pay up or you ain't telling?
I hope you paid a hefty amount and someone exploits your browser and gets your bank account number and takes it all away.
"Yeah...I totally know how to hack into the iPhone. I'm just...not gonna..."
Engadget says to find your last comment to edit your profile, but they don't tell you that it's pretty much impossible to find your last comment if you don't comment often. So I'm leaving a random comment just so I can edit my profile. If anyone knows of an easier, better way of doing this, please let me know. Thanks.
Welcome to Engadget. It's AOL what did you expect?
see i agree with the hacker guy, most private exploits and hacks go for 1000$, like one guy i know can download paid songs from napster drm free. so a tool that can hack a couple million phones? i'd want more than 10K for that too. hell i'd want your soul
What about Google Chrome ?
Also... Why are you so upset? Jeez, it's a fucking computer, I really hope you have a life outside of your mac.
Funny how Engadget fails to mention that the Mac OS is easier to exploit than Windows.
http://blogs.zdnet.com/security/?p=2941
Hmm I wonder why this was not on the front page?
Interesting, so much for the secure os x! I was reading this on my early 2008 macbook (black) and I became afraid after reading the interviews.
It was on the front page -- five days ago when it was news. It's also linked from this post. You see what you want to see.
Well Nilay, I think what bigcow05 meant was that you did not specifically mention the interview with Charlie Miller (who showed two exploits for safari so far) in which he utters such things as:
"Why Safari?
It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.
It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it."
And perhaps:
"On a scale of 1-10, how impressive was the Nils’ sweep of exploiting all three main browsers?
I was surprised. For IE 8, I’d give him a 9 out of 10. For Safari, maybe a 2. It’s just too easy to pop Safari. For Firefox on Windows, I give him a 10. That was the most impressive of the three. It’s really hard to exploit Firefox on Windows."
So yeah, that IS news (which wasn't reported here btw).
Cheers!