Hack An iPhone, Win $10,000

In TippingPoint's DVLabs contest, hackers also have the option of trying to execute a successful exploit against a Web browser.

Thomas Claburn, Editor at Large, Enterprise Mobility

February 26, 2009


Hackers, start planning your exploits.

TippingPoint's DVLabs on Thursday announced the rules for its third annual Pwn2Own contest, to be held at the CanSecWest Security Conference, which runs from March 16 through 20 in Vancouver, British Columbia. The focus this year is on two technologies: Web browsers and mobile devices.

The first hacker to crack a mobile device -- an Android, BlackBerry, iPhone, Symbian, or Windows Mobile phone -- without accessing it physically will win $10,000 and will get to keep the device, with a paid one-year contract. Subsequent successful mobile device hacks also pay $10,000 but do not include a device or contract.

Hackers also have the option of trying to execute a successful exploit against a Web browser. Potential targets include Chrome, Firefox, and IE8 on a Sony Vaio running Windows 7, or Firefox and Safari installed on a MacBook running Mac OS X. Opera is not included, however, an omission criticized in several blog comments. Browser bugs are worth $5,000 apiece.

Research published by Kaspersky Lab in 2006 suggests that information about a Windows bug sold for $4,000 in Russia.

"Winning entries against the browsers include exploits which require no user interaction outside of a single click on a malicious link," explains Terri Forslof, TippingPoint's manager of security response, in a blog post. "Winning scenarios against the mobile devices include attacks that can be exploited via e-mail, SMS text, Web site browsing, and other general actions a normal user would take while using the device."

Contest participants can try to attack both mobile devices and Web browsers, but cannot win both prizes using only a single exploit.

Last year at CanSecWest, a team of researchers from Independent Security Evaluators hacked a MacBook Air in two minutes using a previously unknown vulnerability in Apple's Safari 3.1 Web browser. They took the MacBook Air home as the prize, along with $10,000 in cash.

TippingPoint's goal is to use the prize money to purchase whatever zero-day exploits are revealed and to disclose them to the affected companies in a responsible manner.



About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
