Announcing Pwn2Own 2011 !!
It’s that time of year again, and the Zero Day Initiative (ZDI) team here at HP TippingPoint is proud to announce that the 5th annual Pwn2Own competition is back. We have some exciting additions this year, including the first ever vendor sponsorship, new attack surfaces, and even more prizes for competitors. If you’re unfamiliar with the contest, you can take a look at the archived blog posts from 2008, 2009, and 2010.
Last year the contest was a great success, with three of the four browsers successfully compromised as well as the Apple iPhone. As you may all be aware, after Peter Vreugdenhil demonstrated his IE8 hack last year, we relocated him from the Netherlands to join our team. This year Peter will be participating officially as a Pwn2Own judge.
As mentioned previously, we’ve upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000 USD. While HP TippingPoint is funding $105,000 of that, we’ve partnered with Google who has generously offered up $20,000 to the researcher who can best their Chrome browser. Kudos to the Google security team for taking the initiative to approach us on this; we’re always in favor of rewarding security researchers for the work they too-often do for free.
Similarly to last year the competition will focus on two main technologies: web browsers and mobile devices. Staying true to the original intent of the Pwn2Own contest we intend to empirically demonstrate the current security posture of the most prevalent products in use today.
Following the Contest
The contest will be taking place on the 9th, 10th, and 11th of March, 2011 in Vancouver, BC during the CanSecWest conference. This blog post will be updated as the contest plays out, but for real-time updates you can follow either @thezdi or myself on Twitter, or search for the hashtag #pwn2own.
Please direct all press inquiries for HP TippingPoint/ZDI to: Jacinda Mein<JacindaAnn.Mein@bm.com> or Arseny Tseytlin<Arseny.Tseytlin@bm.com>
This year we are opening pre-registration effective immediately. If you are interested in competing please send an e-mail to email@example.com with the following information:
- Intended Target
- Any requirements you may need (network connection, static IP addresses, …)
Pre-registration will close in 2 weeks, on the 15th of February, at which point a random drawing will occur to determine the order in which competitors can make their attempt. We will also allow competitors to sign up on-site, although they will be allotted a time slot after any pre-registered individuals.
Each contestant will have a 30-minute time slot in which to complete their attempt (not counting time to set up possible network or device prerequisites).
Target: Web Browsers
This year the web browser targets will be the latest release candidate (at the time of the contest) of the following products:
- Microsoft Internet Explorer
- Apple Safari
- Mozilla Firefox
- Google Chrome
Each browser will be installed on a 64-bit system running the latest version of either OS X or Windows 7.
The laptop prizes include:
- Sony Vaio running Windows 7
- Alienware m11x running Windows 7
- Apple MacBook Air 13″ running Mac OS X Snow Leopard
- Google CR-48 running ChromeOS (no attacks against this device, it is merely a prize. The Chrome target will be running on the other laptops)
A successful hack of IE, Safari, or Firefox will net the competitor a $15,000 USD cash prize, the laptop itself, and 20,000 ZDI reward points which immediately qualifies them for Silver standing. Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions in 2011, 25% reward point bonus on all ZDI submissions in 2011 and paid travel and registration to attend the DEFCON Conference in Las Vegas.
As for Chrome, the contest will be a two-part one. On day 1, Google will offer $20,000 USD and the CR-48 if a contestant can pop the browser and escape the sandbox using vulnerabilities purely present in Google-written code. If competitors are unsuccessful, on days 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug. Either way, plugins other than the built-in PDF support are out of scope.
Target: Mobile Phones
This year we are excited to announce that we have increased the attack surface eligible for a successful hack against the mobile phone targets. We will have a base station on-site so that competitors will be able to perform attacks against the cell phone basebands. Due to the sensitive nature of the vulnerabilities we expect, and the fact that an attack would require the exploit to be transmitted over RF, we will have this nifty RF enclosure on hand for testing:
This device has a built-in video recording feature and we plan on publishing the feed after the contest has ended.
The following are the target mobile devices for the contest:
- Dell Venue Pro running Windows 7
- iPhone 4 running iOS
- Blackberry Torch 9800 running Blackberry 6 OS
- Nexus S running Android
A successful attack against these devices must require little to no user interaction and must compromise useful data from the phone. Any attack that can incur cost upon the owner of the device (such as silently calling long-distance numbers, eavesdropping on conversations, and so forth) is within scope.
A successful compromise of any of these targets will win the contestant a cash prize of $15,000 USD, the device itself, and 20,000 ZDI reward points which immediately qualifies them for Silver standing. Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions in 2011, 25% reward point bonus on all ZDI submissions in 2011 and paid travel and registration to attend the DEFCON Conference in Las Vegas.
Once pre-registration is over we will post the time slots allotted for the various competitors here.
Stay tuned to this blog entry as we will be updating this section with winners as they (presumably) succeed.