CanSecWest is running their annual Pwn2Own contest this year with a new addition. Along with their desktop hacking competition, they are running a smartphone hacking competition. The new smartphone contest lets competitors see if they can break through the security on the Android, BlackBerry, iPhone, Symbian, or Windows Mobile platforms. Those companies will give out $10,000 for the rights to the code that manages to break through. I am interested to see how this plays out! Day 1 began yesterday so this should get out soon!
Phones (and associated test platform)
- Android (Dev G1)
- iPhone (locked 2.0)
- Windows Mobile (HTC Touch)
Day 1 (Raw functionality out of the box, users configured for service) post phone, post email
- Email (arrival only)
- Wi-Fi on if default
- Bluetooth on if default
- Radio stack
Day 2
- All of Day 1
- Email/SMS/MMS (reading only – no secondary actions)
- Wi-Fi on
- Bluetooth on (does not accept pairing by default; paired with a headset; pairing process not visible)
Day 3
- All of Day 1 and 2
- One level of user interaction with default applications
- Bluetooth on (does not accept pairing by default; paired with a headset/other devices upon request; pairing process visible)
What is owned? Must demonstrate…
- loss of information (user data)
- incur financial cost
- 30 minute slots
- Names submitted and then randomly drawn
- 1st pop eligible box and cash
- Follow on pops eligible $
- All must disclose and have exploit validated.
- Lottery will be done for time-slot location.
- Register on ZDI if you want the $
- Sign ZDI NDA
- Infrastructure attack will get you escorted out of the building.
- ZDI/Dragos have final say.