Google
 

Friday, March 28, 2008

Mac Gets Hacked In 2 Minutes

At the PWN 2 OWN hacking contest, the Macbook Air running Mac OSX 10.5.2 was the first computer to be hacked.

It may be the quickest US$10,000 Charlie Miller ever earned.

He took the first of three laptop computers -- and a $10,000 cash prize -- Thursday after breaking into a MacBook Air at the CanSecWest security conference's PWN 2 OWN hacking contest.

Show organizers offered a Sony Vaio, Fujitsu U810 and the MacBook as prizes, saying that they could be won by anybody at the show who could find a way to hack into each of them and read the contents of a file on the system, using a previously undisclosed "0day" attack.

Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.

The MacBook was the only system to be hacked by Thursday, however, the word on the show floor is that the Linux and Vista systems will meet with some serious challenges on Friday.

Miller, best known as one of the researchers who first hacked Apple's iPhone last year, didn't take much time. Within 2 minutes, he directed the contest's organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.

Last year he hacked the Apple iPhone and the winner exploited a vulnerability in the Apple QuickTime software

This especially rewarding since it's a black eye to all those Apple weirdos who become much more emotionally attached to an electronic device than a normal person. It's like a religion to some of those people.

Other computers/operating systems that haven't been hacked yet:

  • Sony VAIO running Linux Ubuntu 7.10
  • Fujitsu running Microsoft Vista Ultimate SP1

For anyone that cares, here are the rules:

  • Limit one laptop per contestant.
  • You can't use the same vulnerability to claim more than one box, if it is a cross-platform issue.
  • Thirty minute attack slots given to contestants at each box.
  • Attack slots will be scheduled at the contest start by the methods selected by the judges.
  • Attacks are done via crossover cable. (attacker controls default route)
  • RF attacks are done offsite by special arrangement...
  • No physical access to the machines.
  • Major web browsers (IE, Safari, Konqueror, Firefox), widely used and deployed plugin frameworks (AIR, Silverlight), IM clients (MSN, Adium, Skype, Pigdin, AOL, Yahoo), Mail readers (Outlook, Mail.app, Thunderbird, kmail) are all in scope.

Posted by Tim at 3/28/2008 02:47:00 AM

Subscribe to: