The Nexus S is the Android phone target in the 2011 Pwn2Own competition.
From the results of the Pwn2Own hacking competition, it looks like Android and Windows Phone 7 are tough nuts to crack.
It took only two days for hackers to crack into the Apple and Blackberry operating systems during the three-day Pwn2Own tournament last week, while Android and Windows Phone 7 models were abandoned and left unhacked by the end of the contest.
Is this because their operating systems are more secure? Yes and no.
“The survival of a target at Pwn2Own does not automatically declare it safer than a target that went down,” last year’s Internet Explorer Pwn2Own winner Peter Vreugdenhil cautions. The contestants who were lined up to beat the Android and WP7 devices in the competition withdrew for a variety of reasons.
Pwn2Own, now in its fifth year, is a hacking competition divided into two areas: web browsers and mobile phones.
This year, Microsoft Internet Explorer 8, Apple Safari 5.0.3, Mozilla Firefox, and Google Chrome were the web-browser targets. In the mobile phone category, the Dell Venue Pro (Windows Phone 7), Apple iPhone 4 (iOS), BlackBerry Torch 9800 (Blackberry 6) and Nexus S (Android) were targeted. The OS and browser versions were frozen last week (so for example, Apple’s Safari 5.0.4 update was not used), ensuring that all contestants are working on the same version of each OS.
Pwning and owning occurs if the hacker defeats the frozen version. If the exploit they used still exists in the current firmware, they are also eligible to receive a monetary prize. The 2011 Pwn2Own competition ran March 9 to 11.
Vreugdenhil says many different factors determine how hard a target is to hack. There’s the safety of the software itself, the exploit mitigations that are already in place for that software, and then the amount of research that has already been conducted (which can speed up the process of writing an actual exploit).
Firefox and Chrome web browsers were also left undefeated because contestants withdrew from Pwn2Own.
“Chrome has the advantages of having multiple exploit-mitigation techniques that certainly make it more difficult to hack. As for Android, we see no particular reason why Android would be harder to hack than one of the other targets.”
Safari, Chrome, iPhone, Android and Blackberry all use WebKit in their browsers, which means that they are all susceptible to exploitation through the browser — and that’s exactly how the iPhone and Blackberry were attacked.
Charlie Miller, a Pwn2Own veteran, worked with Dion Blazakis to hack the iPhone 4 in this year’s competition using a flaw in its Mobile Safari Web browser and a “specially-crafted webpage.” A team of 3 (Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmenn) defeated the BlackBerry Torch using a similar technique.
So what did the contest’s organizers think of the outcome of 2011’s Pwn2Own?
Vreugdenhil and other organizers were not surprised that the iPhone went down quickly. It has been a major target and a lot of research has already been done on that platform.
Android’s survival was a bit of a surprise, since it is also a big target and had four contestants lined up.
Although no device is unhackable, some factors contribute to a safer product. For those that are out to find the safest phone on the market, Vreugdenhil says you’ll want to compare features such as DEP (Data Execution Prevention), ASLR (address space layout randomization), Sandboxing, code signing and the ease with which software can be updated on the device.
Pwn2Own Day 2 [Ars Technica]
Guardian | Email this | Comments
