Friday, 28 Mar, 2008 Technology

A MacBook Gets Hacked in Less Than 2 Minutes


The CanSecWest security conference featured the PWN2OWN hacking contest ("pwn", in hackers' language, means to take control over a computer), which was about finding out which laptop would get hacked first: a MacBook Air, a Windows Vista-based Fujitsu U810 or a Linux-based Sony VAIO.

The event consisted of three parts, two of which are already over. The first one was about hacking into a system using network attacks, i.e. without any user activity needed. The second part of the contest was about using users' actions to hack into the system, i.e. through visiting Web sites or opening e-mail messages. The third part of the contest, which is to be held on Friday, is about using popular third-party software, like Skype, to hack into the system.

The sponsor of the event - TippingPoint - announced a $20,000 prize for the contest winner, plus the hacked laptop. Yet, since the rules were relaxed on each new day of the contest, the prizes for the second and the third days were $10,000 and $5,000 respectively, plus the right to take the hacked laptop home.

The contestants had to use a previously undisclosed "0day" attack to read the contents of a file on the system.

As the specialists expected, hardly anyone tried attacking a system on the first day of the contest, i.e. via network attacks, as such attacks are very rarely used these days. However, the second day's contest didn't last even 2 minutes, as Charlie Miller, the first one to hack into an iPhone last year, directed the event organizers to a Web site that hosted exploit code. Miller was the first to attempt an attack on the given systems, and the system he attacked didn't last 2 minutes. Once again.

At last year's conference the PWN2OWN contest featured a single laptop - a MacBook Pro - which was hacked by Dino Dai Zovi, who used a QuickTime flaw to take control of the laptop.

As soon as the system was hacked, Miller had to sign a nondisclosure agreement, so he was not allowed to discuss the details of the bug until TippingPoint notified the vendor.

According to the contest's rules, the participants were only allowed to use vulnerabilities in preinstalled software, which must mean that Miller took advantage of the Safari browser.

How fast a patch will be released depends on what part of Safari contained the vulnerability - the browser itself or its rendering engine WebKit, which is also used in Konqueror (Linux default web browser). On the other hand, if it was WebKit, then why didn't Linux yield to the attacks? Or maybe it was the researcher's professionalism that played the crucial role here?

Anyways, according to Aaron Portnoy, a researcher at TippingPoint and one of the contest's judges, Apple's engineers were already working on patching the bug by Thursday night.

As for other systems, Shane Macaulay, last year's co-winner of the contest, spent a lot of time trying to hack into the Vista-based laptop. Vista withstood all his attacks. Nothing helped, not even an additional file that he rushed back to get from his Vancouver area home.

TippingPoint's Manager of Security Response, Terri Forslof, said that finding a software vulnerability and taking advantage of it by making the exploit code work were two different things.

The last day's contest is expected to feature some security researchers who will attempt to hack into the three laptops via third-party software, like Skype. The organizers don't believe they will still be in possession of the two laptops by the end of the contest.

The fact that a MacBook was the first laptop to be hacked into was absolutely disappointing to Apple fans; however, this might be a sign that both software engineers and Mac end users should be aware that their systems are not so invulnerable.

Powered by www.infoniac.com
