The fifth season of Pwn2Own—the now-annual device and software hacking contest—has come and gone. As expected, we have some quickly exploited platforms and some unexpected winners. Among the winners, both Android and Windows Phone 7 have proven themselves impregnable to the hacking teams; but as much as this is a win for Android and WP7, it’s important to know that it’s not conclusive proof that they’re actually safer than their competitors.
According to a Wired article via CNN, this year’s five-day hackathon pitted a number of handsets against each other and the results are good,
"The survival of a target at Pwn2Own does not automatically declare it safer than a target that went down," last year’s Internet Explorer Pwn2Own winner Peter Vreugdenhil cautions. The contestants who were lined up to beat the Android and WP7 devices in the competition withdrew for a variety of reasons.
Pwn2Own, now in its fifth year, is a hacking competition divided into two areas: web browsers and mobile phones.
This year, Microsoft Internet Explorer 8, Apple Safari 5.0.3, Mozilla Firefox, and Google Chrome were the web-browser targets. In the mobile phone category, the Dell Venue Pro (Windows Phone 7), Apple iPhone 4 (iOS), BlackBerry Torch 9800 (BlackBerry 6) and Nexus S (Android) were targeted.
From what we’ve already seen, Google Chrome and Firefox also came out uncompromised, while Apple’s Safari went down. In the mobile contest, the BlackBerry was hacked in only two days by a team of three—Vincenzo Iozzo, Willem Pinckaers, and Ralf-Philipp Weinmann—who used a technique similar to the one that took down Apple’s iPhone 4.
The browser at the core of both the iPhone 4 and the BlackBerry is WebKit (used by Safari), and since that went down in a matter of hours in the browser contest, it looks like both are susceptible to very similar exploits. However, Chrome and Android also both use WebKit, so they must be hardened against the species of attacks that managed to get through RIM’s and Apple’s devices’ defenses.
The aftermath has given us some time to interview the organizers and get some idea of why they think the undefeated remain undefeated.
"Chrome has the advantages of having multiple exploit-mitigation techniques that certainly make it more difficult to hack. As for Android, we see no particular reason why Android would be harder to hack than one of the other targets," explained Peter Vreugdenhil, also quoted above.
Speculation currently is that Apple and RIM devices, such as the iPhone 4 and BlackBerry, are massive targets of opportunity due to their popularity in the market. A lot of research has been done by both security firms and malware hackers in order to take them down—although that doesn’t readily explain the unexpected hardiness of Android, which is also extremely popular.
In fact, Android has been a happy hunting ground for ever-evolving malware developments, so this might be keeping Google on their toes. The popularity and variety factors involved have certainly kept security vendors on their toes when it comes to Google’s mobile platform, with the ever-present panacea of security apps. Their glittering win at Pwn2Own will probably be used by the Android developer as a talking point about how their users can expect better security from their handsets. Much of this reporting has been guessed to be mostly marketing hype by the self-same security vendors and the Pwn2Own turnout only appears to vindicate that.
As for Windows Phone 7: Nokia is probably quite happy to hear they did well, we think, especially after the recent highfalutin deal between Microsoft and Nokia to start deploying WP7 on their handsets.