Hacking Contest to Pay $10,000 in Cash for Smartphone Bugs
A hacking contest slated for next month will award cash prizes of $10,000 to anyone who can break into the most popular smartphones, including Apple Inc.'s iPhone and Research in Motion Ltd.'s BlackBerry.
The PWN2OWN contest, which will kick off March 18 at the CanSecWest security conference in Vancouver, British Columbia, will offer a dual-track hacking challenge for the first time, said Terri Forslof, security response manager at 3Com Inc.'s TippingPoint, the contest sponsor.
PWN2OWN has made headlines in its two previous years for hacks of Apple's Mac OS X and Microsoft Corp.'s Windows. But this year, the contest will focus on mobile devices and Web browsers, said Forslof.
"Mobile is a new frontier of sorts," said Forslof. "We've seen mobile exploits in the past, but we still don't see a lot of focus in that area. More and more, people are taking computing on the go and rely on these devices for e-mail and accessing the Web. So it seemed prudent to have a look at them, and the contest is a good forum for that."
The contest will pit hackers against five smartphone operating systems, including Windows Mobile, Google Inc.'s Android, Symbian, and the OSes used by the iPhone and BlackBerry. The first to break into any of the five smartphones gets to keep that device with a one-year service contract, but each successful exploit pays out $10,000. TippingPoint, which operates the Zero Day Initiative (ZDI) bug-bounty program and purchases the rights to the vulnerabilities and exploit code used during the contest, has not capped the number of bugs it will buy.
"We're not going to limit it this year," Forslof said. "In the first year, we had a one bug-one winner kind of contest. Last year it was sort of similar, although we offered three prizes."
PWN2OWN's second track will feature a battle between hackers and browsers on Windows and Mac OS X. Attacks against Internet Explorer 8 (IE8), which recently reached "release candidate" status, Firefox and Chrome will play out on a Sony Vaio laptop running Windows 7, while a MacBook will host Safari and Firefox on Apple's operating system.
TippingPoint will award cash prizes of $5,000 for each browser bug successfully exploited, and give the targeted laptop to the first hacker who breaks into any of the browsers.
If there are more than five entries in the two contest categories, TippingPoint will also award additional $5,000 prizes for Most Interesting Browser Flaw, Most Interesting Mobile Flaw, and Best in Show, Forslof said.
As during previous PWN2OWN contests, TippingPoint will reduce the difficulty of the challenge each day that a winner is not declared. "The first day the smartphones will be the raw metal," said Forslof, "so we'll be looking for network exploits, Wi-Fi, and so on. From that point, we'll open up the devices to the standard applications that come with the phone, but we won't install third-party applications or allow downloads."
A similar tack will be used for the browser competition; the first day will feature fully patched editions with default configurations. On the second day, TippingPoint will add a select group of third-party plug-ins, such as Flash Player.
TippingPoint will not publicly release details of the PWN2OWN bugs, but will instead report them to the vendor and use the information in its own security technology to preemptively block attacks.
The contest will start March 18 and run through March 20.