None of the five smartphones slated for attack at last week’s PWN2OWN hacking contest was compromised, a sign that security researchers have yet to adapt to the limitations of mobile, said the company that put up the prize money.
“With the mobile devices so limited on memory and processing power, a lot of [researchers’] main exploit techniques are not able to work,” said Terri Forslof, manager of security response at 3Com Inc.’s TippingPoint unit, which sponsored the contest.
Although three of the four browsers that were targets at PWN2OWN quickly fell to a pair of researchers — netting one of contestants $5,000 and the other $15,000 — none of the smartphones was successfully exploited.
TippingPoint had offered $10,000 for each exploit of any of the phones, which included Apple Inc.’s iPhone and the Research in Motion Ltd.’s BlackBerry, as well as phones running the Windows Mobile, Symbian and Android operating systems.
“Take, for example, [Charlie] Miller’s Safari exploit,” said Forslof, referring to Miller’s 10-second hack of a MacBook via an unpatched Safari vulnerability that he’d known about for more than a year. “People wondered why wouldn’t it work on the iPhone, why didn’t he go for the $10,000?” she said. “The vulnerability is absolutely there, but it’s a lot tougher to exploit on the iPhone.”
Even though there were no winners last week, Forslof said TippingPoint is planning to include a mobile component in next year’s PWN2OWN contest, which is held at the CanSecWest security conference in Vancouver, British Columbia, each March. “Where there is an opportunity, our [security] community finds a way,” she said. “I am expecting, absolutely, that the research community will find ways around the limitations of mobile.
“I’m feeling pretty confident that those barriers to exploit mobile will be overcome in the next year,” Forslof added.
Another issue TippingPoint identified in its inaugural mobile hacking contest was the fact that the various combinations of handsets, operating systems and carriers add unexpected complications to the exploit equation. “We didn’t realize how complicated it was” until it was too late, she said.
As a result, in some cases TippingPoint wasn’t able to pin down the exact phone or operating system version early enough to give researchers the lead time they needed to work up an exploit of a vulnerability they might have already uncovered.
“Mobile isn’t the same as ‘Here’s a laptop and an OS on it’,” said Forslof. “Each carrier has its own unique stuff going on with these phones.”
For example, Forslof said that one researcher had prepared an exploit for a vulnerability on a BlackBerry Touch emulator, but the BlackBerry model used in the contest was the Bold. “There was enough difference [between the two] that his exploit wasn’t working,” said Forslof.
TippingPoint plans to nail down the details at an earlier date next year so it can publish the rules and specifications of the smartphones in plenty of time for researchers to prepare.
Even though none of the phones was hacked, one could have fallen if a researcher had wanted to part with the vulnerability, Forslof maintained. “There was an exploit at the show that could have broken the iPhone,” said. “But the researcher said that the $10,000 wasn’t enough to part with that level of vulnerability.”
It was one of the few times she heard contestants complain about the prize money, a song she’d heard from several people in 2008, when TippingPoint offered a $20,000 prize for a bug that could be exploited remotely, without user interaction.
“No one minded taking $5,000 for a browser bug,” she said. “But this researcher [with the iPhone vulnerability] wanted to keep that zero-day in his back pocket. That’s not unusual for these guys. They want to keep their own special little vulnerability that they worked hardest on, or that’s simply just so cool. They’re very much into pride of ownership.”
There’s also a pragmatic reason why some security researchers hold on to the bugs they’ve uncovered, even when offered $10,000 in cash, Forslof continued.
“If your business is penetration testing, you want to walk in [to a client’s office] and show them that you can find these things,” she said. “You want a couple of zero-days in your pocket.”