Hackers, start planning your exploits.
TippingPoint's DVLabs on Thursday announced the rules for its third annual Pwn2Own contest, to be held at the CanSecWest Security Conference, which runs from March 16 through 20 in Vancouver, British Columbia. The focus this year is on two technologies: Web browsers and mobile devices.
The first hacker to crack a mobile device -- an Android, BlackBerry, iPhone, Symbian, or Windows Mobile phone -- without accessing it physically will win $10,000 and will get to keep the device, with a paid one-year contract. Subsequent successful mobile device hacks also pay $10,000 but do not include a device or contract.
Hackers also have the option of trying to execute a successful exploit against a Web browser. Potential targets include Chrome, Firefox, and IE8 on a Sony Vaio running Windows 7, or Firefox and Safari installed on a MacBook running Mac OS X. Opera, however, is not included, an omission criticized in several blog comments. Browser bugs are worth $5,000 apiece.
Research published by Kaspersky Lab in 2006 suggests that information about a Windows bug sold for $4,000 in Russia.
"Winning entries against the browsers include exploits which require no user interaction outside of a single click on a malicious link," explains Terri Forslof, TippingPoint's manager of security response, in a blog post. "Winning scenarios against the mobile devices include attacks that can be exploited via e-mail, SMS text, Web site browsing, and other general actions a normal user would take while using the device."
Contest participants can try to attack both mobile devices and Web browsers, but cannot win both prizes using only a single exploit.
Last year at CanSecWest, a team of researchers from Independent Security Evaluators hacked a MacBook Air in two minutes using a previously unknown vulnerability in Apple's Safari 3.1 Web browser. They took the MacBook Air home as the prize, along with $10,000 in cash.
TippingPoint's goal is to use the prize money to purchase whatever zero-day exploits are revealed and to disclose them to the affected companies in a responsible manner.