Apple’s iPhone 4 and RIM’s BlackBerry Torch 9800 both succumbed to hackers in early rounds at Pwn2Own, but two other smartphones running Android and Windows Phone 7 went unchallenged, the contest’s sponsor said.
Charlie Miller became the first “four-peat” at the hacking competition Pwn2Own when he teamed with Dion Blazakis to take down the iPhone. Both Miller and Blazakis work for the Baltimore-based consulting firm Independent Security Evaluators (ISE).
Miller has walked off with winnings from Pwn2Own three years running — 2008 through 2011 — one time as lots of times as someone else.
“Every other year I have had an exploit prepared to go for months,” said Miller in an interview after the win. “But this was a different experience, working under the time pressure because they were working on [the iPhone] exploit the night before.”
Miller credited his partner for much of the work. “Dion’s a very lovely researcher in his own right,” said Miller.
Miller and Blazakis worked on their iPhone exploit for months, Miller said. “This one was hard. Different bugs take different exploits, and this one was hard to exploit.”
Pwn2Own winners are forbidden from discussing technical details of the vulnerabilities they exploit or releasing the attack code they used. Instead, they turn over their findings and code to HP TippingPoint, the contest sponsor. TippingPoint in turn reports the vulnerabilities to vendors, who have four months to patch the bugs before TippingPoint publicly releases any information.
On the BlackBerry, a multi-national team composed of Vincenzo Iozzo, Ralf-Philipp Weinmann and a third researcher from the Netherlands matched Miller and Blazakis by hacking the Torch. Iozzo and Weinmann were old hands at Pwn2Own, having partnered in 2010 to successfully break into an iPhone 3GS at that year’s contest.
Iozzo is an engineer at Zynamics GmbH, the Italian reverse engineering tool maker headed by noted researcher Thomas Dullien, better known as Halvar Flake. Zynamics was acquired by Google earlier this month for an undisclosed sum.
Weinmann, meanwhile, is a post-doctoral researcher at the Laboratory of Algorithms, Cryptology and Security at the University of Luxembourg.
Both teams were busy tweaking their exploits before today’s round, said Peter Vreugdenhil, a former Pwn2Own winner who now works for TippingPoint, and served as a contest judge this year.
The iPhone and BlackBerry Torch hacks, however, were over in seconds. “They attached their computers to the rings, and that was it,” said Vreugdenhil.
“Both were actually tweaking their exploits at the [CanSecWest] conference,” said Vreugdenhil, referring to the Vancouver, British Columbia security conference where Pwn2Own takes place.
The teams each will get a check for $15,000 from TippingPoint, as well as the smartphones they exploited, in a ceremony Friday at CanSecWest.
However, other Pwn2Own targets, including three smartphones and one browser, came out unharmed because no one stepped up to take them on.
Jon Oberheide, co-founder and CTO of Duo Security, a developer of a two-factor authentication program, had said earlier this week that he would not make Pwn2Own because he had told Google about the bug he was going to use in his hack. Google patched the vulnerability over a week ago.
According to Vreugdenhil, the contestants slated to tackle the Samsung Nexus S (running Android) and the Dell Venue (running Windows Phone 7) had cancelled earlier, not shown up or had withdrawn for other reasons.
George Hotz, often known as “geohot,” reportedly withdrew last week to focus on his legal battle with Sony. Hotz, a widely known iPhone hacker, made news last month when he and others were sued by Sony after they showed how to jailbreak a Sony PlayStation 3 game console. He had been given first crack at Windows Phone 7.
Oberheide had drawn the first slot in the Android part of the smartphone hacking competition.
Wednesday, a team of researchers from Spanish security company Vupen hacked Safari 5 on the Mac, while Irish researcher Stephen Fewer used a three-exploit package to roll over Internet Explorer 8 (IE8).
Also unchallenged today was Mozilla’s Firefox, said Vreugdenhil. Sam Dash, who had the pole position, withdrew because he could not get his exploit to run reliably.
Pwn2Own has one more day to run, but Vreugdenhil thought it unlikely anyone else would step forward to attempt exploits of the still-standing browsers and smartphones. No one, for example, has demonstrated an exploit that breaks a smartphone’s “baseband” processor, the part used to send and receive radio signals.
In January, Weinmann — one of the three in the team that hacked the BlackBerry Torch today — showed an exploit of the baseband processor, which let him turn a smartphone into a remote listening device.
“There’s a small chance that someone will try tomorrow,” Vreugdenhil said today. “But it is uncertain. I would not even give it a 50-50 chance.”
Pwn2Own went to the trouble of building an isolation box that included a fake cellular base station so researchers could demo baseband exploits. But the box has gone unused.
Miller agreed. “The contest is a lovely suggestion, and I wish there were more of them,” said Miller. “They motivate guys like me, who are hard to motivate. And in the finish it is a win-win for everyone.”
Even with some targets surviving unopposed by researchers, Vreugdenhil called Pwn2Own 2011 a success. “It’s been a great three days,” he said.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general know-how breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg’s RSS feed. His e-mail address is firstname.lastname@example.org.