pwn2own
Latest
Teslas and big cash prizes on offer to car hackers in annual Pwn2Own contest
Highly-connected cars like Teslas bring all sorts of advantages, like over-the-air updates that deliver new features. But they may also be open to digital attacks. In the past, reports have emerged of hackers remotely controlling cars, stealing vehicles by copying entry fobs and performing digital hot wires. To improve the security of it cars and show how hard it's already worked to secure them, Tesla is partnering with Trend Micro's Zero Day Initiative to offer big cash prizes to hackers who can breach the systems on a Model 3 at the annual Pwn2Own event.
Amazon Echo Show falls victim to an old flaw at hacking contest
The latest iteration of the Pwn2Own hacking contest just underscored an all-too-common flaw with smart home devices. The security research team Fluoroacetate hacked into an Amazon Echo Show 5 by taking advantage of its "patch gap" -- that is, its use of older software that had been patched on other platforms. Brian Gorenc, the director of contest host Zero Day Initiative, explained to TechCrunch that the smart screen uses a not-so-current version of Google's Chromium browser engine that leaves it vulnerable to attacks. Fluoroacetate exploited this out-of-date code by using an integer overflow JavaScript bug to hijack the device while it was connected to a malicious WiFi network.
Tesla offers Model 3 as a reward to security researchers
The annual Pwn2Own contest at the CanSecWest conference in Vancouver, Canada usually ends with security researchers taking home the laptops they've exploited. This year they could take home a Tesla.
iPhone X bug lets hackers snag deleted photos
Whether it's because they're unflattering, inappropriate or just plain terrible, we've all deleted photos for one reason or another. But the drunken 3AM selfies that you thought you scrubbed from your phone might not be totally gone, and two researchers have found a vulnerability in iPhone X that could let hackers access supposedly-deleted photos and files.
When China hoards its hackers everyone loses
They say you don't notice something good until it's gone. With China's decision to restrict its information security researchers from participating in global hacking competitions, we're about to see what that looks like on the global "zero day" stage.
Chrome OS fends off all hacks at Pwnium 3, others fall at Pwn2Own
Google's Pwnium challenge followed a familiar pattern in its first two years, with white hat hackers invariably finding a Chrome vulnerability and prompting a round of patches that ultimately made the software stronger. For the Chrome OS-focused Pwnium 3, there's been a slight hiccup: there were no hacks to patch. Despite Google offering a total of $3.14159 million in bounties, entrants couldn't demonstrate a working exploit on the Series 5 550 target machine. That may be a testament to Google's steady security improvements, but it doesn't help discover what holes are left. We'd add that few were left unscathed at the Pwn2Own competition running in tandem -- the regular Chrome browser, Firefox and Internet Explorer all came tumbling down, and Safari may have escaped only because contestants didn't register in advance. Even so, the Chrome OS results may have Chromebook Pixel owners feeling better about their purchases.
Safari exploit used to gain control of iPhone at Pwn2Own
A team of Dutch researchers used a WebKit vulnerability in Mobile Safari to gain access to a fully patched iPhone 4S during a recent mobile Pwn2Own challenge. The attack circumvented Apple's code-signing requirements and grabbed the entire address book, photo and video database and web browsing history. It could not download SMS or emails from the device because those databases were not accessible and also encrypted. Though it was executed against an iPhone 4S with iOS 5, the vulnerability is also present in iOS 6. The Dutch team, led by Joost Pol of Certified Secure and colleague Daan Keuper, tested the exploit in the gold master version of iOS 6. They also confirmed it worked on all previous versions of the iPhone, iPad and iPod touch. Unless an update to iOS 6 happens before launch day, it will also be possible on an iPhone 5. From detection to completed code, the exploit took about three weeks to develop and refine. You can read more about the exploit and Dutch research team on ZDnet's website.
Google teases hackers with $2 million in prizes, announces Pwnium 2 exploit competition
The folks in Mountain View are starting to make a habit of getting hacked -- intentionally, that is. Earlier this year, Google hosted an event at the CanSecWest security conference called Pwnium, a competition that challenged aspiring hackers to poke holes in its Chrome browser. El Goog apparently learned so much from the event that it's doing it again -- hosting Pwnium 2 at the Hack in the Box 10th anniversary conference in Malaysia and offering up to $2 million in rewards. Bugging out the browser by exploiting its own code wins the largest award, a cool $60,000. Enlisting the help of a WebKit or Windows kernel bug makes you eligible for a $50,000 reward, and non-Chrome exploits that rely on a bug in Flash or a driver are worth $40,000. Not confident you can break Chrome? Don't let that stop you -- Google plans to reward incomplete exploits as well, noting that it has plenty to learn from unreliable or incomplete attacks. Check out the Chromium Blog at the source link below for the full details.
Security firm claims to have hacked Chrome's sandbox
It didn't manage to do it during the most recent Pwn2Own challenge, but VUPEN Security is now claiming that it has finally managed to hack Google's Chrome browser and crack its so-called "sandbox." According to the firm, the exploit relies on some newly discovered zero day vulnerabilities, works on all Windows operating systems (and only Windows, apparently), and could give malicious websites the ability to download code from a remote source and execute it on a user's computer -- the video after the break shows an example, in which the Windows Calculator application is downloaded and run automatically. For its part, Google says it has been unable to confirm the hack since VUPEN hasn't shared any details with it -- something the firm apparently doesn't plan to do, as it says it only shares its vulnerability research with its "government customers for defensive and offensive security."
RIM issues PSA following Pwn2Own exploit: turn off JavaScript on your BlackBerry
It's not just desktop web browsers getting hacked at this year's Pwn2Own challenge -- mobile browsers have also been targeted for vulnerabilities, and a fairly big one has now been found in RIM's browser for BlackBerry OS 6. Apparently, there's a JavaScript-related bug that could let a "maliciously designed" website gain access to data stored on both the phone's media card and built-in storage, but not data stored in the storage portion for applications (such as email or contact information). For its part, RIM says that it hasn't actually seen any evidence of anyone exploiting the vulnerability, but it's nonetheless urging folks to disable JavaScript on affected devices, and it's now busy providing IT departments everywhere with guidelines on how to do so. If that proves to be complicated, it's suggesting that you simply disable the BlackBerry Browser altogether until it can be patched.
Safari used to hijack MacBook Pro at Pwn2Own 2011
A flaw in WebKit, the engine that underlies Safari, Mobile Safari, and several other browsers, was found to be vulnerable in this year's "Pwn2Own" competition, as reported by ZDNet and many others. This is noteworthy for several reasons: first, because the exploit did not use Flash. You will remember that last year's Pwn2Own winner stated "the main thing is not to install Flash" for browser security. Secondly, it is important because WebKit is used not only by Safari but several other browsers, notably several mobile browsers, although it is not immediately apparent whether this same bug could be exploited on a mobile platform. It's also possible that the exploit could make Windows and even Linux computers vulnerable if they are running a WebKit-based browser, but details are not fully known. Computerworld noted that Google's $20,000 reward for anyone who could break into Chrome on opening day went unclaimed, as the contestant who had signed up did not appear at the Pwn2Own contest. It is unknown whether Google paid to have him assassinated (that's a joke folks, lighten up). Computerworld went on to note that according to the current schedule no one is even going to try to attack Chrome this year, meaning that it could survive a record three consecutive Pwn2Own contests. That is particularly surprising to me since Google Chrome includes its own version of Adobe Flash, but if you're looking to use the most secure browser out there, Google Chrome looks to be your browser of choice. [via Slashdot]
Safari and IE8 get shamed at Pwn2Own, Chrome still safe... for now
Ahead of the most recent Pwn2Own, Google made a rather proud challenge: it'd pay $20,000 to any team or individual who could successfully hack Chrome. Two takers signed up for that challenge -- and then both backed down. One individual didn't show up and a second entry, known as Team Anon, decided to focus their efforts elsewhere. There's still time left for someone to come out of the woodwork and scrape off that polish, but as of now no brave souls have registered intent. Meanwhile, IE8 was taken down by Stephen Fewer, who used three separate vulnerabilities to get out of Protected Mode and crack that browser's best locks. Safari running on a MacBook Air got shamed again, cracked in just five seconds. Not exactly an improvement compared to how it fared in 2008.
Google's paying $20,000 to hack Chrome -- any takers?
So far, Chrome is the only browser of the big four -- Safari, Firefox, and Internet Explorer being the other three -- to escape the Pwn2Own hacking competition unscathed the past two years. (Sorry Opera aficionados, looks like there's not enough of you to merit a place in the contest... yet.) Evidently, its past success has Google confident enough to pony up a cool $20,000 and a CR-48 laptop to anyone able to find a bug in its code and execute a clean sandbox escape on day one of Pwn2Own 2011. Should that prove too daunting a task, contest organizer TippingPoint will match El Goog's $10,000 prize (still $20,000 total) for anyone who can exploit Chrome and exit the sandbox through non-Google code on days two and three of the event. For those interested in competing, Pwn2Own takes place March 9th through 11th in Vancouver at the CanSecWest conference. The gauntlet has been thrown -- your move, hackers.
iPhone SMS database hacked in 20 seconds, news at 11
It's a story tailor-made for the fear-mongering subset of news media. This week, a pair of gentlemen lured an unsuspecting virgin iPhone to a malicious website and -- with no other input from the user -- stole the phone's entire database of sent, received and even deleted text messages in under 20 seconds, boasting that they could easily lift personal contacts, emails and your naughty, naughty photos as well. Thankfully for us level-headed souls, those gentlemen were Vincenzo Iozzo and Ralf-Philipp Weinmann, security researchers performing for the 2010 Pwn2Own hacking contest, and their $15,000 first prize ensures that the winning formula will go to Apple (and only Apple) for further study. Last year, smartphones emerged from Pwn2Own unscathed even as their desktop counterparts took a beating, but this makes the third year in a row that Safari's gotten its host machines pwned. That said, there's no need for fear -- just a healthy reminder that the Apple logo doesn't give you free license to click links in those oh-so-tempting "beta-test the new iPad!" emails.
iPhone hacked at Pwn2Own contest
An iPhone got hacked in just 20 seconds at this week's Pwn2Own hacking contest at CanSecWest 2010, reports Ryan Naraine for ZDnet. Hackers Vincenzo Iozzo and Ralf Philipp Weinmann demoed an exploit that allowed them to send a target iPhone to a web site that they'd set up online, and then copied off the entire SMS database on the iPhone (including deleted text messages) to their own server. The browser crashed during the hijack, but the hackers say that with a little tweaking, it would even be possible to nab the information without the user ever knowing that an attack had occurred. Halvar Flake also assisted with the hack, and he said that while Apple does have some protection in place for running malicious code on the iPhone, but it's not enough: "The way they implement code-signing is too lenient." You can see more technical information about the hack over on his blog. The hackers aren't sharing exactly how they did the exploit -- as specified by the contest rules, knowledge of the hack is becoming property of the contest's sponsor, the Tipping Point Zero Day Initiative, who will pass on a report to Apple and only release details once the hole has been fixed. Safari and Internet Explorer 8 both got owned at the same conference, though details about those hacks are both forthcoming -- Tipping Point was offering up US$100,000 in prizes for exploits on these various programs, and it looks like the prize money has been well-earned.
Browser security: "The main thing is not to install Flash!"
You may have noticed that I'm not a huge fan of Flash. My feelings pre-date the iPhone/iPad debate about whether or not Flash should be included on those devices. Even back when I was using Windows and Opera, one of the features I used most often was "Disable Plugins" -- which was really another way of saying "Disable Flash," and I do that these days in Safari using ClickToFlash. Flash lovers usually talk about how many games are only available using Flash. Flash haters usually talk about performance issues, especially on the Mac. Adobe tries to make the argument that not including Flash is bad for users' freedom of choice. When it comes to browser security, Charlie Miller says that it's all about Flash. More specifically, avoiding Flash. Miller, who has won the Pwn2Own contest two years running, was interviewed by Italian site OneITSecurity. They asked him what browser and OS he thought was the safest. The first part of his reply probably won't make Mac users happy: he suggests Windows 7 with either Chrome or IE8 saying "there probably isn't enough difference between the browsers to get worked up about." But the highlight for me was the next quote: "The main thing is not to install Flash!" The guy who seems to be the best in the world at breaking into your web browser tells you that you shouldn't install Flash. Perhaps you should consider installing ClickToFlash; it's completely free, and tells Flash to load only when you tell it to load. That should make your browsing significantly safer on any platform. Hat tip to Jay Hathaway at DownloadSquad for bringing this to our attention.
Major smartphone platforms emerge unscathed from Pwn2Own
Sure seems like your handheld is a lot more secure than your computer, at least in some sense -- although the desktop versions of IE 8, Safari, and Firefox were each almost instantly cracked on the first day of the Pwn2Own contest, no one claimed the $10,000 bounty placed on each of the major smartphone platforms. That's certainly reassuring, but it may not ultimately mean much: according to contest organizers Tipping Point, the bugs in Android, Symbian, Windows Mobile, and the iPhone and BlackBerry OSes are still there, but they're harder to exploit because of device, OS, and carrier variations. That makes any vulnerabilities even more valuable -- one of the contestants apparently had an iPhone exploit ready to go, but wasn't willing to part with it since he wanted more than $10K for it. Tipping Point says it'll try and nail down specs of each platform earlier next year to make it easier on hackers, but let's hope the results are similar.[Via Slashdot]
The Pwn2Own trifecta: Safari, IE 8, and Firefox exploited on day 1
That didn't take long. One day into the Pwn2Own hacking competition at CanSecWest and already Apple, Microsoft, and Mozilla have been sent packing to their respective labs to work on security issues in their browsers. In a repeat performance, Charlie Miller pocketed a $5,000 cash prize and a fully-patched MacBook by splitting it wide, and gaining full control of the device after a user clicked on his malicious link. Another white-hatter by the name Nils (pictured) toppled Internet Explorer 8 running on a Windows 7 laptop -- again, the five grand and compromised VAIO P laptop are now his to keep as compensation for turning over the malicious code. So much for "protection that no other browser can match," eh Mr. Ballmer? Nils then demonstrated a second Safari exploit before hacking Firefox later in the afternoon netting him a cool $15k by the close of day one. Only Google's Chrome was left unscathed -- Opera isn't part of the contest. This year's contest will also offer a $10,000 prize for every vulnerability successfully exploited in Windows Mobile, Android, Symbian, and the iPhone and BlackBerry OSes. In other words: this contest that runs through Friday isn't over by any stretch. [Via ZDNET]
Linux becomes only OS to escape PWN 2 OWN unscathed
After a week full of Red Bulls, Fruit by the Foot and dreams of In-N-Out, the mighty Sony VAIO loaded with Linux stood as the only machine unhacked by the end of the PWN 2 OWN hacking contest at CanSecWest. As you're well aware by now, the MacBook Air on display was seized in two minutes by the presumably well prepared Charlie Miller, and after two full days of work, Shane Macaulay and a few of his 1337 associates managed to crack the Vista rig on Friday. Reportedly, Shane and his pals weren't expecting to do battle with the extra protected SP1 version of Vista, and while the exact loophole won't be divulged, we are told that it was a cross-platform bug that "took advantage of Java to circumvent Vista's security." In the end, it was reported that some folks on hand had discovered bugs in the Linux OS, but many of them "didn't want to put the work into developing the exploit code that would be required to win the contest."[Image courtesy of TippingPoint]
MacBook Air knocked out quickly in CanSecWest contest
Once the second-day rules went into effect for the PWN2OWN competition, allowing browser or email exploits to be used, it didn't take more than a few minutes for Charlie Miller, Jake Honoroff and Mark Daniel from ISE to get their 0day vulnerability to work on the target MacBook Air; they walk away with the laptop and the $10,000 prize.Since the rules of the contest ensure that the vulnerabilities are immediately turned over to the Zero Day Initiative and the vendors are notified, this hole (presumably in Safari, although possibly in QuickTime or Java as last year's was) should be patched in due course, and users are no more or less secure today than they were yesterday. It is a little troubling, however, that the other two laptops (Vista and Ubuntu) are still standing.[via Engadget]
