Mobile: The holy grail at security conference

VANCOUVER, B.C.--That innocent-looking mobile phone you use to call your mother and check e-mail represents the next frontier for malicious hackers, though it eluded researchers who stood to earn $10,000 for exploiting a smartphone at the CanSecWest security conference this week.

TippingPoint Technologies, which sponsors a Pwn2Own hacking contest each year at the event, was offering the prize money for each successful exploit of an iPhone, BlackBerry, and phones running Google's Android, Windows Mobile, and Symbian operating systems.

Researcher Dino Dai Zovi, on the left, discovered a vulnerability in QuickTime and won the Pwn2Own contest at CanSecWest two years ago remotely by having a friend act on his behalf. At this year's show, he served as a proxy for a researcher in Italy who was participating in the contest remotely, trying to exploit a Symbian-based smartphone. The exploit attempt failed, and no one won the $10,000 smartphone exploit prize. Next to him is TippingPoint security researcher Aaron Portnoy.

(Credit: Elinor Mills/CNET News)

On Friday, a researcher in Italy wanted to participate in the contest remotely and was told he had to find someone at the show to serve as his proxy and physically use the mobile device to surf to the site where the malicious code is located. He found a proxy, but the exploit attempted on a Nokia phone running Symbian failed. Another researcher had tried to exploit the Symbian and BlackBerry systems on Thursday but failed.

Much of the first day of the three-day event on Wednesday was devoted to mobile security. Dragos Ruiu, who first organized CanSecWest 10 years ago, said he wanted to focus on mobile this year because of the ubiquity of the devices and the increasing risk they pose to information security.

"I carry two phones at any one time," he said, pointing to one in his pants pocket and another in his jacket pocket. "And now, they are more capable computers."

Ruiu wasn't sure why the mobile devices hadn't been hacked, while a similar browser-hacking contest had seen the major browsers exploited on the first day of the conference. "Maybe they are too bleeding-edge; maybe they are just difficult to develop exploits for," he said of the mobile platforms. "It's good news."

In an informal survey, attendees said they suspected that researchers were just being lazy in not turning their attention to mobile attacks at the show.

"Mobile-phone research is an emerging field," said Aaron Portnoy, a security researcher at TippingPoint. "Not many people have the prerequisite knowledge to exploit them, nor do they have an exploit prepared."

Things will undoubtedly be different by next year's CanSecWest, he said, adding that already, there are mobile exploits in the wild.

"There's a lot we don't know yet about them," said Charlie Miller, who exploited the Safari browser in about 10 seconds on Wednesday, winning $5,000 and the MacBook Pro used to perform the feat. (The other major browsers were exploited shortly thereafter.)

"They are all different platforms, different hardware," he said, adding that "there's a learning curve associated with it."

In his presentation on security in Google's Android mobile platform, University of Michigan graduate student Jon Oberheide said the code in mobile software is newer than that found on the desktop and less robust against attacks. Attackers aren't really targeting it yet because mobile phones aren't seen as being much use for sending spam and launching denial-of-service attacks, however, they are good for attacks targeted at individuals, he said.

Oberheide said smartphones are at risk of a man-in-the-middle type of attack in which a malicious attacker could interfere with data communications between the device and a trusted Web server. For instance, an attacker could send a spoof message saying an update for a Facebook app is available and instead send malicious code, he said.

In a presentation titled "The Smart-Phones Nightmare," researcher Sergio Alvarez pointed out all the different attack vectors for mobile devices, including e-mail, attachments, Web pages, SMS, MMS, Facebook, Wi-Fi, and Bluetooth.

Updated at 8 p.m. PST to include that the other major browsers were exploited in the contest as well.

[elllroy]

why not mentioning that besides safari all the other browsers were hacked a few seconds later? oh, wait because it is cnet.

[seven7dust]

how else would Win fanboys be able to get their sense of superiority ?
it's funny how in real world use these types of atttacks don't ever happen !

[MyMobiSafe]

As the Founder of MyMobiSafe.com, I?m not sure (especially given the recent emergence of JavaMite mobile malware) that attracting hackers to exploit mobile vulnerabilities with prize money is the right approach. As a software engineer and founder of MyMobiSafe, I can affirm prerequisite knowledge is the underlying reason that these mobile platforms were not breached at the event. As most of these platforms are pregnable and have vulnerabilities which allow a sophisticated developer access to the application sandbox, their widely accessible Open Source Mobile SDKs are not making them any more secure. As noted in my blog entries relevant to JavaMites, the evolution of mobile malware is taking place today. In its most basic form, a JavaMite is any executable software or script written in (or with) the aide of a Java Software Development Kit or Component to specifically alter or otherwise tamper with the operational components of a mobile handset or device. ? Eric Everson, MyMobiSafe