By Jennifer Lake, Security Product Marketing, HP Networking
This week HP DVLabs and the Zero Day Initiative (ZDI) kicked off the 5th annual Pwn2Own contest at the CanSecWest Conference in Vancouver, BC. As we have discussed in previous posts, this contest pits researchers against the top browsers, operating systems and devices on the market. This year’s contest has received quite a bit of attention. For starters, it is the first time researchers can use exploits to target traffic over radio frequency (RF). This year also marks the first time the contest has been sponsored by an outside vendor. To talk about the contest and explain why it’s grown so much, I interviewed Aaron Portnoy, security research manager for HP DVLabs and lead for the ZDI.
Why do you think this contest attracts so much attention?
Portnoy: It’s not often the average computer user is able to witness a successful hacking attempt with an unknown vulnerability. At Pwn2Own, such attacks are demonstrated every year against the current market leading web browsers and mobile devices.
What is the driver behind a contest like this? Why are you putting this on?
Portnoy: The purpose of Pwn2Own has traditionally been to demonstrate publicly the security posture of market leading browsers and mobile devices. Year after year, Pwn2Own has shown the real-world impact of vulnerabilities at a public venue.
Based on news reports, it looks like no one targeted Chrome. Does this mean it’s the most secure?
Portnoy: It only takes one vulnerability to compromise a piece of software, so qualifying the security of a browser in this way is not a fair judgment. The researchers who compete in Pwn2Own are some of the best in the industry at what they do. Many of them are familiar with certain targets. With regard to Chrome, the barrier of entry is a bit higher as its sandbox architecture is relatively new and has yet to be dissected in a public forum.
How has the contest evolved over the past several years?
Portnoy: In the early years of the contest the targets were limited to web browsers. As the years progressed and technology advanced, we began to take notice of the fact that more and more consumers are utilizing their phones as computing devices. With such use inevitably comes the storage of sensitive information on these devices. So, in the last few years we have expanded the scope of the contest to include mobile devices.
This year we are also adding a new element to the mobile device portion. We will have a base station on-site so that competitors will be able to perform attacks against the cell phone basebands. This gives competitors a greater attack surface to target.
It seems like more researchers participate every year. Do you think this is due to the popularity of the contest or something else?
Portnoy: I believe the contest has received so much attention over the years that the notoriety gained by successfully competing has attracted more competitors. Also, as more public presentations are given on topics such as mobile phone exploitation, the research becomes more approachable to more possible contestants.
How does this contest impact HP and its customers?
Portnoy: Any vulnerability or exploit shared with us will go through the same process as any information shared via the Zero Day Initiative. We will share the vulnerability information with the affected vendor so that they can begin developing a patch. At the same time, information about the vulnerabilities discovered will be shared with the HP DVLabs development team, who will create a filter that will be delivered to the HP TippingPoint IPS.
Get the latest Pwn2Own contest news
For the latest updates and a complete list of rules on the contest, including winners and targets, please visit the DVLabs blog. The blog post will be updated as the contest plays out.
We are interested to hear your thoughts on this contest. What do you think?