It’s time, once again, for the annual crack-a-thon, in which savvy hackers save up their exploits to earn some cold cash. As is usually the case, the Mac fell quickly, but so did the iPhone and Windows 7 on day one of the event.
It’s the CanSecWest conference in Vancouver, which hosts the Pwn2Own contest. On Wednesday, the hackers lined up to take their chances at a share of a $100,000 purse. The first to fall was the iPhone, which was hacked in “20 seconds.” Naturally, this doesn’t mean that the hackers only started looking for a way in when the clock began; they had spent weeks developing the exploit in advance of the event. The hackers had discovered a vulnerability in the phone’s browser and set up a booby-trapped web page that, once visited, copied the SMS database off the handset.
Mac hacker Charlie Miller cracked a MacBook using Safari and a drive-by download. This was Miller’s third consecutive victory against the Mac, and it was worth $10,000. (There’s a short video of Charlie Miller discussing this on YouTube.)
At the same time, Windows 7 fell to a Dutch hacker who chained two Internet Explorer vulnerabilities together to get past the system’s defenses. He, too, won a prize of $10,000. And a German hacker cut through Mozilla Firefox to get at Windows 7.
None of this means that the hackers found and exploited these vulnerabilities on the same day, but it does show that experienced hackers can crack pretty much any system given time. None of these attacks involved the kind of social engineering that tricks people into installing Trojan horses. The contest allows no user interaction other than directing the victim to a web site, so every winning exploit had to work as a drive-by from the browser. (Browsers are, in fact, the easiest targets.) And, as these hackers demonstrated, every one of these vulnerabilities could have been exploited in the wild.
This was just day one of the Pwn2Own contest. Other platforms and devices are sure to be hacked in the following days, but the prizes for some of them are lower, and fewer hackers are interested in spending the time to develop exploits for them. Full information about the contest, the targets, and the prizes can be found here.