browsers/phones hacked

The annual Pwn2Own contest at the CanSecWest security show in Canada gives security experts and hackers a chance to show their stuff and try to  breach the security of various devices and software, and man, they didn’t disappoint this year.

Almost all major browsers (save one); Firefox, Safari, Internet Explorer 8 were hacked at the contest. The lone browser not hacked this year: Google Chrome. For the second year in a row, participants decided not to try to hack Chrome as they set their sites onto other easier targets. A non-jailbroken iPhone was also hacked and its SMS database stolen.

According to Stan Schroeder at Mashable.com:

“Vincenzo Iozzo and Ralf Philipp Weinmann sent an iPhone to a web site they’d set up, crashing its browser and then stealing its entire SMS database (including some erased messages). It is possible, however, to set up a similar attack to work without crashing the browser, hackers claim, and set up different attack payloads. Iozzo and Weinmann won a $15,000 prize for successfully demonstrating the attack. Details about the attack will be released once Apple is notified and the security hole is patched.

“Charlie Miller, principal security analyst at Independent Security Evaluators, managed to hack Safari on a MacBook Pro without physical access, which won him $10,000. Nils (no last name given), head of research at UK-based MWR InfoSecurity, won $10,000 for hacking Firefox, and independent security researcher Peter Vreugdenhil won the same amount for hacking IE8. All the browser attacks were done by having the browser visit a malicious web site; although full details aren’t disclosed, Cnet has some more technical info on the attacks.”