updated 03:50 pm EST, Thu February 26, 2009
Pwn2Own Targets Phones
TippingPoint has revealed that the 2009 edition of the Pwn2Own hacking contest will shift its focus to smartphones this year in one of the first few cross-platform tests of mobile OS security to include iPhones. The 3Com-owned security group will challenge guests at the March 18th CanSecWest conference to gain full OS-level control of both Apple's device as well as one phone each for Google's Android platform, RIM's BlackBerry OS, Symbian and Windows Mobile. The contest take place in two phases and allow only network-based exploits on the first day; the second will let experts target the pre-installed software.
As in past years, the Pwn2Own organizers plan to have incentives for the contest, including a $10,000 prize for each individual or team that successfully cracks a given smartphone as well the device itself and a one-year contract.
A similar contest is being run to focus on web browsers and will specifically target security in Windows 7; Microsoft's own Internet Explorer 8, Mozilla Firefox and Google Chrome will all face similar exploit attempts with similar rules. A MacBook running Mac OS X Leopard as well as both Firefox and Safari will be subject to the tests. A successful exploit of any browser will earn both a $5,000 prize as well as the computer that was subject to the attack.
If five or more hacking teams successfully compromise a device, the contest holders plan to offer separate $5,000 prizes to recognize the best exploits or the most interesting in each category.
TippingPoint emphasizes the informative nature of the contest and says that the methods behind any successful crack will be relayed to Apple, Microsoft or any other affected developer. The firm plans to release temporary patches of its own where possible but will only make exploits public once an official patch is available.
Pwn2Own is increasingly well-known for revealing important gaps in security for software and has been responsible for significant security fixes. For Apple, the test represents a rare large-scale external check of the iPhone's security. The company has provided security-related firmware patches both on its own and in the wake of attempts to jailbreak the handset but has seldom had opportunities for these tests in more controlled conditions.