Apple is loser in three-way hacking contest
MacBook first to be cracked.
By Robert McMillan, IDG News Service | Published: 06:01, 28 March 2008
An Apple Mac was the first victim in a hacker shoot-out to determine which operating system is the most secure.
A former US National Security Agency employee has trousered $10,000 for breaking into a MacBook Air at CanSecWest security conference's PWN 2 OWN hacking contest. The MacBook was lined up against Linux and Vista PCs - which have so far remained uncracked.
It took Charles Miller just two minutes to break into the Apple. Show organisers had offered the MacBook, a Sony Vaio and Fujitsu U810 as prizes, saying that they could be won by anybody at the show who could find a way to hack into each of them and read the contents of a file on the system, using a previously undisclosed "0day" attack.
Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages.
The MacBook was the only system to be hacked by Thursday, however, the word on the show floor is that the Linux and Vista systems will meet with some serious challenges on Friday.
Miller didn't need much time. He quickly directed the contest's organisers to visit a website that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on. He was the first contestant to attempt an attack on any of the systems.
Miller was quickly given a nondisclosure agreement to sign and he's not allowed to discuss particulars of his bug until the contest's sponsor, TippingPoint, can notify the vendor.
Contest rules state that Miller could only take advantage of software that was pre-installed on the Mac, so the flaw he exploited must have been accessible, or possibly inside, Apple's Safari browser.
By late Thursday, Apple engineers were already working on patching the issue, said Aaron Portnoy, a TippingPoint researcher who is one of the contest's judges.
Last year's contest winner, Dino Dai Zovi, exploited a vulnerability in QuickTime to take home the prize.
Dai Zovi, who congratulated Miller after his hack, didn't participate in this year's contest, saying it was time for someone else to win.
Shane Macaulay, who was Dai Zovi's co-winner last year, spent much of Thursday trying to hack into the Fujitsu Vista laptop, at one point rushing back to his Vancouver area home to retrieve a file that he thought might help him hack into the system.
But it was all in vain.
"It's one thing to find a vulnerability, it's another thing to make working exploit code," said Terri Forslof, TippingPoint's Manager of Security Response.
Forslof said that a number of "high quality" researchers have said that they will attempt to hack the machines on Friday, the last day of the conference.
She expects both systems to be hacked on Friday, when contest rules will be further eased, and hackers will be able to attack popular third-party software that can be installed on the systems. "I don't think we'll have to take any home," she said.