The Pwn2Own hacking competition has earned a legendary reputation in recent years as the place where the best security professionals in the business prove their skills. the most recent Pwn2own challenges have focused primarily on the Web browser, but that’s about to change.
On Sept.19, HP is hosting its first mobile Pwn2Own hacking competition at the EUSecWest event in Amsterdam. The event will challenge security professionals to find and exploit flaws in mobile technology for cash and prize awards.
The contest will take aim at mobile Web browsers, near field communication (NFC) and Short Message Service (SMS), as well as cellular baseband technologies. HP will award a top prize of $100,000 for the first research to produce a cellular baseband exploit. Both SMS and NFC flaws will yield $40,000 each, while a mobile Web browser exploit will earn $20,000.
“Our goal is to help the industry identify and find vulnerabilities, and with this event we’re putting a specific emphasis on the mobile technologies that are prevalent today,” Scott Lambert, director at HP DVLabs told eSecurity Planet.
Apple iOS, Blackberry and Android smartphones will be among the devices under attack. As to why Pwn2own is now focusing on mobile, it all has to do with the expanding use of mobile technologies.
One technology that could be an easy attack vector for researchers is WebKit, the underlying open source technology that sits behind Apple, Google and Blackberry mobile Web browsers. More often than not, WebKit flaws are rapidly fixed for desktop-facing browsers well ahead of their mobile peers. Apple recently fixed 163 security vulnerabilities in the iTunes 10.7 update for Windows, all related to WebKit.
Lambert noted that while it might be straightforward for a researcher to identify that a given mobile device is running an older version of WebKit, there are still challenges to identify vulnerabilities.
“There are a number of other areas an attacker would have to contend with beyond WebKit in order to have a successful code execution,” he said.
At the primary Pwn2own event held at CanSecWest 2012 earlier this year, HP introduced a points-based system to determine the winners. For mobile Pwn2own, the winner will simply be the first person to exploit a given device or technology.
Lambert explained that with the point system HP was trying to foster competition between different research groups. In this case, HP is trying to identify specific vulnerabilities in specific mobile stacks and wants to highlight individual researcher efforts.
HP will award the largest prize in the mobile Pwn2own contest to the researcher that can demonstrate a cellular baseband vulnerability.
“The biggest risk for an attack in cellular baseband is that it’s a non-trivial issue to address as it requires a number of different stakeholders to address,” Lambert said. “So it’s not the same as a vulnerability in WebKit that affects just a small component of an operating system that needs to be updated.”
Whatever vulnerabilities are found, HP’s ZDI (Zero Day Initiative) keeps the issue private and responsibly discloses them first to affected vendors. “We’re just trying to show a wide of research that is going on in the mobile space,” Lambert said.