MacDirectory magazine is the premiere creative lifestyle magazine for Apple enthusiasts featuring interviews, in-depth tech reviews, Apple news, insights, latest Apple patents, apps, market analysis, entertainment and more.
Issue link: https://digital.macdirectory.com/i/18064
COLUMN A HISTORY OF THE PWN2OWN COMPUTER HACKING CONTEST WORDS BY CHARLIE MILLER Despite what you may have heard, Apple products are not immune to viruses and other computer attacks. In 2007 an annual computer security conference called CanSecWest sought to prove this point by hosting a hacking contest called Pwn2Own. They offered $10,000 plus the MacBook being used to anyone who could successfully break into the brand new, fully patched MacBook running Tiger. (The name Pwn2Own comes from the hacker word “Pwn” which means to take over a computer, so you Pwn the computer to own the computer). Any vulnerabilities used in the contest would have to be given to the organizers who would then give the information to the vendor, in this case Apple. Researcher Dino Dai Zovi managed to win this contest by exploiting a flaw in QuickTime that was researchable through the Safari web browser. The victim merely had to surf to the malicious web page and Dai Zovi was able to take control of the victim machine and run any commands he wanted. In real life, this would have allowed him to read the victim’s e-mail, watch the victim log into their banking site, send spam, perform attacks against other computers, etc. In 2008, the contest returned and while still offering up $10,000 and the victimized laptop to the winner, included three targets: a MacBook Air running Leopard, as well as laptops running Windows Vista and Ubuntu Linux. That year, I won by exploiting a Safari browser vulnerability. Again, by getting the victim to visit a malicious site I was able to take over their computer and do whatever I want. The victim would have no idea that anything had gone wrong. Apple enthusiasts who felt that the 2007 contest was a fluke were starting to see that their Macs were just as vulnerable as Windows computers. For the record, researchers Alex Sotirov and Shane Macaulay took out the Vista laptop while the Linux laptop remained untouched. Things were changed again for the 2009 Pwn2Own contest. In 2009, the prize for browser exploits was reduced to $5,000, but new targets were provided, smartphones. $10,000 (and the phone) would be given to any researchers who could hack into one of the smartphones, which included BlackBerry, Android, Symbian, Windows Mobile, and of course iPhone. As in 2008, I managed to exploit the computer running Safari, this time an up-to-date Leopard install on a MacBook Pro. A previously unknown researcher named Nils pulled off a trifecta and exploited both Safari and Firefox running on Mac OS X, as well as Internet Explorer 8 running on Windows Vista. No one managed to successfully attack the smartphones, but that would change this year. This year the contest was back and featured $10,000 for browser exploits and $15,000 for smartphone exploits. I won another MacBook Pro (yes, I have a pile of computers sitting in the corner of my office) and the prize money for exploiting Safari, this time against a laptop running Snow Leopard. Nils was back and exploited Firefox running on Windows 7. A researcher named Peter Vreugdenhil exploited Internet Explorer 8 running on Windows 7. The only browser that wasn’t defeated was Chrome. On the smartphone side of the competition, Vincenzo Iozzo and Ralf Philipp Weinmann succeeded in exploiting the iPhone. This was an iPhone right out of the box, not jailbroken. They used a vulnerability in the MobileSafari web browser in order to steal the SMS text messages stored on the device, although they could have performed a number of different actions. The Pwn2Own contest provides a venue for top researchers to showcase their skills as well as provides free research for vendors who can patch critical vulnerabilities in their software. It also provides some insight into the relative security of different browsers and operating systems. While Mac OS X has led a charmed life from a security perspective, it should be clear that it is not because it is fundamentally more secure than its competitors, as proved in it being exploited each of the last four years. Rather, its relative obscurity has protected it from wide scale attack. This leads to the main conclusion regarding Mac OS X security, it is safer but not any more secure than Windows. Charlie Miller is Principal Analyst at Independent Security Evaluators, a Baltimore-based computer security consulting company. http://securityevaluators.com 30 MacDirectory