Mobile: The holy grail at security conference

Security experts launch successful exploits against browsers at the CanSecWest conference, but fail--or fail to even try--exploiting smartphones despite a $10,000 prize.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

VANCOUVER, B.C.--That innocent-looking mobile phone you use to call your mother and check e-mail represents the next frontier for malicious hackers, though it eluded researchers who stood to earn $10,000 for exploiting a smartphone at the CanSecWest security conference this week.

TippingPoint Technologies, which sponsors a Pwn2Own hacking contest each year at the event, was offering the prize money for each successful exploit of an iPhone, BlackBerry, and phones running Google's Android, Windows Mobile, and Symbian operating systems.

Researcher Dino Dai Zovi, on the left, discovered a vulnerability in QuickTime and won the Pwn2Own contest at CanSecWest two years ago remotely by having a friend act on his behalf. At this year's show, he served as a proxy for a researcher in Italy who was participating in the contest remotely, trying to exploit a Symbian-based smartphone. The exploit attempt failed, and no one won the $10,000 smartphone exploit prize. Next to him is TippingPoint security researcher Aaron Portnoy. Elinor Mills/CNET News

On Friday, a researcher in Italy wanted to participate in the contest remotely and was told he had to find someone at the show to serve as his proxy and physically use the mobile device to surf to the site where the malicious code is located. He found a proxy, but the exploit attempted on a Nokia phone running Symbian failed. Another researcher had tried to exploit the Symbian and BlackBerry systems on Thursday but failed.

Much of the first day of the three-day event on Wednesday was devoted to mobile security. Dragos Ruiu, who first organized CanSecWest 10 years ago, said he wanted to focus on mobile this year because of the ubiquity of the devices and the increasing risk they pose to information security.

"I carry two phones at any one time," he said, pointing to one in his pants pocket and another in his jacket pocket. "And now, they are more capable computers."

Ruiu wasn't sure why the mobile devices hadn't been hacked, while a similar browser-hacking contest had seen the major browsers exploited on the first day of the conference. "Maybe they are too bleeding-edge; maybe they are just difficult to develop exploits for," he said of the mobile platforms. "It's good news."

In an informal survey, attendees said they suspected that researchers were just being lazy in not turning their attention to mobile attacks at the show.

"Mobile-phone research is an emerging field," said Aaron Portnoy, a security researcher at TippingPoint. "Not many people have the prerequisite knowledge to exploit them, nor do they have an exploit prepared."

Things will undoubtedly be different by next year's CanSecWest, he said, adding that there are already mobile exploits in the wild.

"There's a lot we don't know yet about them," said Charlie Miller, who exploited the Safari browser in about 10 seconds on Wednesday, winning $5,000 and the MacBook Pro used to perform the feat. (The other major browsers were exploited shortly thereafter.)

"They are all different platforms, different hardware," he said, adding that "there's a learning curve associated with it."

In his presentation on security in Google's Android mobile platform, University of Michigan graduate student Jon Oberheide said the code in mobile software is newer than that found on the desktop and less robust against attacks. Attackers aren't really targeting it yet because mobile phones aren't seen as being much use for sending spam or launching denial-of-service attacks; however, they are well suited to attacks targeted at individuals, he said.

Oberheide said smartphones are at risk of man-in-the-middle attacks, in which an attacker interferes with data communications between the device and a trusted Web server. For instance, an attacker could send a spoofed message saying an update for a Facebook app is available and deliver malicious code in place of the update, he said.

In a presentation titled "The Smart-Phones Nightmare," researcher Sergio Alvarez pointed out all the different attack vectors for mobile devices, including e-mail, attachments, Web pages, SMS, MMS, Facebook, Wi-Fi, and Bluetooth.

Updated at 8 p.m. PST to include that the other major browsers were exploited in the contest as well.