
Safari browser and iPhone hacked in Pwn2Own contest at CanSecWest

The price of success in the marketplace is a bigger target on your back for hackers and cybercriminals, as the Pwn2Own contest proves.

Vancouver has been a happening city this year -- first the Winter Olympics and now the hacking olympics, otherwise known as the Pwn2Own contest taking place at the CanSecWest Applied Security Conference in lovely British Columbia.

Apparently, the cash prizes offered by contest sponsor TippingPoint DVLabs are being claimed. The first section of the contest challenged security hackers to target browsers including the latest versions of Internet Explorer, Firefox, Google Chrome, and Apple Safari. The second section offers bounties on vulnerabilities exploiting mobile phones.

Both the Safari browser and the iPhone became early victims in the Pwn2Own competition (along with Firefox and IE). ZDNet's Ryan Naraine reports that contestant Charlie Miller managed to hack into a MacBook by exploiting a critical Safari browser vulnerability. Meanwhile, another research team managed to hack the iPhone and hijack the SMS database.

The increasing popularity of Apple's products makes them an inviting target -- giving them the kind of attention that Microsoft has long "enjoyed" in the world of security crackers. A recent story in the Washington Post reports that cybercriminals are eager to exploit the Apple iPad phenomenon as well. Consumers are being warned to be on the lookout for phishing emails that promise a low-priced iPad if you enter a credit card number and address. The article notes that Apple gives credit card scammers two ways to make money -- first with the initial stolen credit card numbers via phishing and other online scams, and second by taking advantage of the price discrepancy for Apple products abroad vs. in the United States:

Electronics are popular with international crooks in part because they're an easy way to get money overseas. Crooks who want to avoid the scrutiny that comes from schlepping briefcases of cash across borders can essentially treat electronics as currency, using a stolen credit card to buy Apple products or other hot electronic goods and have them shipped to another country where they'll be resold, employing U.S.-based mules who get a small kickback for their participation.

Pretty slick. Do you think that Apple will use the information gleaned from contests like Pwn2Own to strengthen its security countermeasures against cybercriminals, or will its success in the marketplace come at the price of absorbing the same kind of blame and criticism that Microsoft has over the years?

About

Selena has been at TechRepublic since 2002. She is currently a Senior Editor with a background in technical writing, editing, and research. She edits Data Center, Linux and Open Source, Apple in the Enterprise, The Enterprise Cloud, Web Designer, and...

10 comments
Slatts59

Just realized that this was from last year's contest. Whoops. This, though, is from the latest comp: http://www.dailytech.com/Apples+OS+X+is+First+OS+to+be+Hacked+at+This+Years+Pwn2Own/article21097.htm

Vulpinemac

Ignore the fact that, despite all its vaunted security, IE8 on Win7 fell in 2 minutes flat. Ignore the fact that, despite all its vaunted security, Win7 still fell even under Firefox. Simply put, no platform is totally safe, but no matter how you look at it, Apple still has far, far fewer exploits in the wild than any Microsoft product.

Neon Samurai

The contest is not structured to be a lab test of potential security. Using this as a basis to claim that one platform is less secure than the other doesn't really work. One simple example: the rules state that an exploit may only be used once, so you're not seeing if other browser/OS combinations are susceptible to the same exploit. It mostly boils down to which hardware the researcher wants to take home. If the competition involved running the same exploits against each of the target machines, then we'd be looking at something that compares the OS rather than compares the researchers. That's not how this competition works, though. I don't see this as an Apple vs. Microsoft vs. Canonical competition so much as a security researcher competition. I just hope the relevant companies do take the time to try the exploits across browser/OS combinations and make design changes as a result.

CharlieSpencer

"The increasing popularity of Apple's products make them an inviting target -- giving them the kind of attention that Microsoft has long "enjoyed" in the world of security crackers." Hence the article's emphasis on Apple.

Vulpinemac

Of course, the anti-Apple zealots don't look at it that way. They fully insist that no matter what real life is like, the Pwn-to-Own contest is strictly to show how bad Apple's security is.

Jellimonsta

Apple has long had such a small market share, the target was much smaller. That target will only get bigger with increasing popularity, and it is not much (if any) more secure than MS platforms. The iPhone was hacked to pieces. :p

Slatts59

I'm not sure if quotes work here, but I'll give it a shot: [quote=CNet.com]While the attack was used to grab just the SMS data, which would include deleted messages, it could be designed to access contacts, photos, and other data on the iPhone, and without the user having any idea an attack was underway, the researchers said.[/quote] It comes from here: http://news.cnet.com/8301-27080_3-20001126-245.html 2nd time I've tried to post this, so if I double post, sorry.

Vulpinemac

... but that doesn't mean we can't get an update before then.

Neon Samurai

If there is any other possible data source this exploit can reach, it will. If there are any similar exploits, they will be found. Also, how many users are going to rush to their phone now and clear the SMS database? While everyone gets a cheap shot at Apple, the real question is how long users wait for a firmware update, since Apple designs the system to rely entirely on them patching the software, iTunes distributing it, and users taking the time to install it. Let's hope it's not treated like the network stack issues earlier on in OS X that "didn't exist" for six months until a patch quietly turned up. A benefit is the motivation from publicity in the Pwn2Own contest.

Vulpinemac

Yes, the iPhone was hacked... after two tries. Now, what if you don't keep anything in the SMS database on your iPhone?
