TippingPoint sponsor Pwn20wn hacking contest

An annual hacker competition in the US planned for next month has set its sights on Apple’s iPhone and four other smart phones in a contest that will pay cash prizes of $10,000 to anyone who can break into the mobile devices.

The contest, held in Vancouver, British Columbia, US, will present contestants with phones running the Android, Symbian, and Windows Mobile operating systems as well a BlackBerry and an iPhone. To qualify for the $10,000 prize, hackers must submit exploits that work against email, SMS test, website browsing, and “other general actions a normal user would take while using the device,” according to rules published by TippingPoint, the competition’s sponsor. All devices will be fully patched.

A second-track of the competition will challenge hackers to take their best shots at web browsers. Internet Explorer 8, Firefox, and Google Chrome will be running on a Sony Vaio running Windows 7, and Safari and Firefox will be installed on a MacBook running OS X. Successful exploits in this track will net $5,000 per bug.

This is the third year of the Pwn2Own contest, scheduled for March 18 to 20 at the CanSecWest security conference. Last year, a brand new MacBook air was the first to fall during day two of the competition, which pitted the Mac against high end laptops running Linux and Microsoft’s vista.
Rules: This year’s contest will target two sets of technologies: Web browsers and mobile devices. The browser targets will be IE8, Firefox, and Chrome installed on a Sony Vaio running Windows 7 as well as Safari and Firefox installed on a Macbook running Mac OS X. All browsers will be fully patched and in their default configuration as of the first day of the contest.

The mobile device targets will include fully patched BlackBerry, Android, iPhone, Symbian and Windows Mobile phones in their default configurations. A full list of available interfaces will be made available on the CanSecWest website under the Pwn2Own rules.

To participate in the contest, you can choose either or both technologies and must generally prove successful code execution. All winners will be asked to sign and agree to the general ZDI Non Disclosure Agreement, and the bugs will be turned over directly to the affected vendors.