The CanSecWest security conference is an annual affair in Canada that focuses on applied digital security issues.
One of the popular events at the conference over the years has been Pwn2Own, a contest that challenges security experts to exploit vulnerabilities in mobile phones and operating systems for cash rewards totalling over US $100,000.
As part of the contest, participants will target smartphones running iPhone OS, BlackBerry OS, Symbian or Android, and make use of vulnerabilities in parsing media, dynamic web content, email and other client-side issues to exploit the OS. Although the iPhone is known to be quite secure, security researcher and Pwn2Own contest organizer Aaron Portnoy feels that it could end up as the most vulnerable target among the mobile phone platforms in the contest this year. He says:
"With all the recent research on mobile phone security being presented worldwide, these devices are quickly becoming a ripe target. First to fall: the iPhone."
Mac OS X expert Charlie Miller concurs with Portnoy. He says that while the iPhone OS is pretty tough to exploit, it is pretty similar to Mac OS X from an exploitation perspective. Miller says that a few participants at Pwn2Own are already aware of certain exploits that they may intend to use on the iPhone. However, he concedes that it may not be an easy task. Miller says:
"There isn't as much exposed code on the iPhone. The easy to exploit bugs I know about happen to live in the code that Safari has but Mobile Safari doesn't. In real life the iPhone is harder because you can't just execute a shell. You have to write your return-oriented payload to do all your dirty work, which can be a pain."
Despite the ever-increasing popularity of the platform, there have not been any major security breaches with the OS so far. Having said that, it will be interesting to see if any of the participants at Pwn2Own actually succeed in exploiting the iPhone. Do you think the iPhone will be the first to fall at the contest?
[via Ars Technica]