Aaron Portnoy, security research team lead with 3Com TippingPoint, the sponsor of Pwn2Own, also predicted that Apple’s iPhone will be the only smartphone hacked during the contest, which starts March 24.
Portnoy, who organized the fourth annual Pwn2Own, changed his predictions from earlier bets he made a month ago because of new information he received from researchers who have registered for the contest.
Previously, Portnoy said that Apple’s browser would crumble before rivals from Google, Microsoft and Mozilla; he had also declined to speculate on which mobile phone, if any, would collapse under attack.
Researchers will compete for $100,000 in cash prizes next week at CanSecWest, the Vancouver, British Columbia, security conference that has been the home of Pwn2Own.
The dual-track contest — one for browsers, the other for mobile operating systems — will pit hackers against the latest versions of Chrome, Firefox, Internet Explorer (IE) and Safari running onWindows 7 or Mac OS X.
The smartphone track will set hackers against Apple’s iPhone 3GS, a Blackberry Bold 9700, a Nokia phone running the Symbian S60 platform and a Motorola, most likely a Droid, powered by Google’s Android.
“I have discovered that one of our very own ZDI researchers is armed and ready to take on [IE8] on the very first day,” said Portnoy in an e-mailed explanation of why he changed his browser prediction. “This will indeed be an impressive exploit from a technical standpoint.
ZDI, for Zero Day Initiative, is TippingPoint’s bug bounty program, which purchases the vulnerabilities and exploits used during Pwn2Own. ZDI reports the vulnerabilities to the appropriate vendors during the contest, but keeps technical details secret until the bugs are patched.
In a post to the TippingPoint blog Tuesday, Portnoy said that attempts to hack IE8 would be especially difficult because of Windows 7 security mechanisms such as DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).
TippingPoint has also barred researchers from exploiting third-party plug-ins the first day of the three-day contest, making it tougher to carry out a successful attack.
“I have seen the prowess of the researcher in question and I have no doubt they will be able to pull off a DEP- and ASLR-bypassing exploit on Day 1,” said Portnoy about the impending IE8 attack.
Safari will fall the second day, Portnoy said; last month, he had put his money on Safari to drop first, in part because he said Mac OS X 10.6, aka Snow Leopard, wasn’t “on the same level as Windows 7” when it came to security. “I believe that Safari will indeed go down, just not on Day 1,” Portnoy said.
Google’s Chrome will be the only browser to survive all three days of Pwn2Own, he continued, citing Chrome’s “sandbox” security feature that separates application processes from other applications, the operating system and user data.
Other researchers, including past Pwn2Own winner Dino Dai Zov, have tapped Chrome’s sandboxing as the browser security standard to beat.
Portnoy also changed his mind about the smartphone track in the last 30 days. “Now that we have received some early registrations for the contest, I was made aware of a competitor’s interest in attacking the iPhone, likely on the first day of the contest,” he said.
The other three smartphones — the BlackBerry, the Nokia, and the Android-based handset — will come out unscathed.
Whether his bets pay off or not, Portnoy is looking forward to the contest. Calling the hackers who have pre-registered “some of the best and brightest minds in security research,” he said the exploits would be not just “very interesting,” but would also demonstrate the current state of security in browsers and mobile operating systems.
There’s more riding on Pwn2Own than the cash. Reputations are made at the contest; last year, for example, researcher Charlie Miller made headlines when he broke into a Mac in less than five seconds to win $5,000.
The contest is also important to vendors. Apple, which has watched Miller break into a Mac twice in the last two years — Miller will be at Pwn2Own again trying for a “three-peat” — patched 16 vulnerabilities, 12 of them critical, in Safari, possibly as a preemptive measure before the contest.
Late last week, Miller said that Apple had not patched all the vulnerabilities he knew about.
Portnoy promised to provide updates on each day’s results during Pwn2Own on TippingPoint’s DVLabs blog, and instant news nuggets on the company’s Twitter feed. Computerworld will also be covering the contest.
The contest, meanwhile, will award cash prizes of $15,000 to anyone who can break into an iPhone, BlackBerry Bold, Droid or Nokia smartphone.
The prizes are 50 per cent more than the top awards given last year at Pwn2Own.
Altogether, $100,000 could be handed out by 3Com TippingPoint, the contest sponsor.
Now in its fourth year, Pwn2Own has repeatedly made headlines for hacks of Apple’s Mac OS X and Microsoft’s Internet Explorer. In 2009, for example, researcher Charlie Miller broke into a Mac in less than five seconds to win $5,000.
This year, hackers will take on an iPhone 3GS, a Blackberry Bold 9700, an unspecified Nokia smartphone running the Symbian S60 platform and a Motorola, most likely a Droid, powered by Google’s Android. A successful hack must result in code execution with little to no user-interaction, according to Portnoy.
Any exploited phone wins its attacker $10,000 in cash, the phone and enough points in TippingPoint’s Zero Day Initiative (ZDI) bug-bounty program to qualify for another one-time payment of $5,000.
But the $60,000 that TippingPoint plans to put up for the mobile part of Pwn2Own may be safe: All five smartphones in last year’s contest came through unscathed.
As in past challenges, Pwn2Own’s browser track will pit hackers against the latest versions of Chrome, Firefox and IE on Windows, and Safari on Mac OS X.
On the first day of the three-day contest, said Portnoy, a prize-winning hack “must overcome the latest and greatest flagship operating system with all exploit mitigations activated in their default state.”
The three Windows browsers will be installed on Windows 7, Microsoft newest, and theoretically most secure OS. When a browser goes down, its attacker will be awarded $10,000 — double last year’s reward — and the notebook it was running on. Once hacked, a browser is removed from competition.
Untouched browsers continue into day two, when Chrome, Firefox and IE7 — the 2006 predecessor to the newer IE8 — are installed on systems running the older Windows Vista.
Any browser that survives to the third day is installed on Windows XP, by Microsoft’s own accounting, a softer target than Vista or Windows 7. (Safari remains on Mac OS X 10.6, aka Snow Leopard, throughout.)
In 2009, Firefox, Safari and a preview of IE8 were successfully beaten by hackers; only Chrome was not, though Google revealed several weeks later that it had been vulnerable to the same bug a German college student used to bring down Safari.
Last year, TippingPoint paid out $5,000 for each browser bug demonstrated, for a total of $20,000 in prizes.