Pwn2Own
Pwn2Own is a computer hacking contest that has been held annually at the CanSecWest security conference since 2007. Participants are challenged to find previously unknown vulnerabilities in widely used software and mobile devices and to exploit them. The winners receive the device they hacked, a cash prize and a "Masters" jacket bearing the year of their victory. The name Pwn2Own is network jargon: a participant has to hack ("pwn") the device in order ("2", i.e. "to") to win and keep it ("own"). "Pwn" is leetspeak derived from "own" and is pronounced roughly [pɔːn] or [poʊn], among other variants. The contest serves to demonstrate the vulnerability of widely used devices and software.
Origin
The first contest was conceived by Dragos Ruiu in response to his frustration with Apple's lack of response to the "Month of Apple Bugs" and "Month of Kernel Bugs", and with Apple's television commercials, which made light of security in the competing Windows operating system. At the time it was widely believed that, despite the disclosure of these vulnerabilities in Apple products, Mac OS X was far more secure than its competitors.
On March 20, 2007, about three weeks before CanSecWest, Ruiu announced the Pwn2Own security research contest on the DailyDave mailing list. Two MacBook Pros were to be at the conference, connected to their own wireless access point. Any conference attendee could connect to this access point and attempt to exploit a vulnerability in one of the devices; whoever succeeded was allowed to take the laptop home. There was no financial reward. Ruiu stated that the restrictions on which attacks were acceptable would be relaxed step by step over the three days of the conference.
On the first day of the conference, Ruiu asked Terri Forslof of the Zero Day Initiative (ZDI) whether ZDI would take part in the contest. ZDI is well known in the security industry for its program of purchasing zero-day vulnerabilities, reporting them to the affected vendors and building corresponding signatures for its network intrusion prevention systems to improve their effectiveness. Vulnerabilities sold to ZDI are published only after the affected vendor has released a patch for the problem. After talking with Ruiu, Forslof agreed that ZDI would buy any vulnerability found in the contest for a fixed price of $10,000.
List of successful exploits
Name | Affiliation | Year | Target |
---|---|---|---|
Dino Dai Zovi | independent | 2007 | QuickTime (Safari) |
Shane Macauley | independent | 2007 | QuickTime (Safari) |
Charlie Miller | ISE | 2008 | Safari (PCRE) |
Jake Honoroff | ISE | 2008 | Safari (PCRE) |
Mark Daniel | ISE | 2008 | Safari (PCRE) |
Shane Macauley | independent | 2008 | Flash (Internet Explorer) |
Alexander Sotirov | independent | 2008 | Flash (Internet Explorer) |
Derek Callaway | independent | 2008 | Flash (Internet Explorer) |
Charlie Miller | ISE | 2009 | Safari |
Nils | independent | 2009 | Internet Explorer |
Nils | independent | 2009 | Safari |
Nils | independent | 2009 | Firefox |
Charlie Miller | ISE | 2010 | Safari |
Peter Vreugdenhil | independent | 2010 | Internet Explorer |
Nils | independent | 2010 | Firefox |
Ralf-Philipp Weinmann | independent | 2010 | iOS |
Vincenzo Iozzo | independent | 2010 | iOS |
VUPEN | VUPEN | 2011 | Safari |
Stephen Fewer | Harmony Security | 2011 | Internet Explorer |
Charlie Miller | ISE | 2011 | iOS |
Dion Blazakis | ISE | 2011 | iOS |
Willem Pinckaers | independent | 2011 | BlackBerry OS |
Vincenzo Iozzo | independent | 2011 | BlackBerry OS |
Ralf-Philipp Weinmann | independent | 2011 | BlackBerry OS |
VUPEN | VUPEN | 2012 | Unknown |
Willem Pinckaers | independent | 2012 | Unknown |
Vincenzo Iozzo | independent | 2012 | Unknown |
VUPEN | VUPEN | 2013 | Windows 8, IE 10 |
VUPEN | VUPEN | 2013 | Windows 8, Flash |
VUPEN | VUPEN | 2013 | Windows 8, Java |
Nils | MWR Labs | 2013 | Windows 8, Chrome |
Jon | MWR Labs | 2013 | Windows 8, Chrome |
George Hotz | independent | 2013 | Windows 8, Adobe Reader |
Joshua Drake | independent | 2013 | Windows 8, Java |
James Forshaw | independent | 2013 | Windows 8, Java |
Ben Murphy | independent | 2013 | Windows 8, Java |
Pinkie Pie | independent | 2013 | Chrome (mobile) |
VUPEN | VUPEN | 2014 | Windows 8.1, IE 11 |
VUPEN | VUPEN | 2014 | Windows 8.1, Adobe Reader XI |
VUPEN | VUPEN | 2014 | Windows 8.1, Chrome |
VUPEN | VUPEN | 2014 | Windows 8.1, Adobe Flash |
VUPEN | VUPEN | 2014 | Windows 8.1, Mozilla Firefox |
Liang Chen, Zeguang Zhao | Keen Team, team509 | 2014 | Windows 8.1, Adobe Flash |
Sebastian Apelt, Andreas Schmidt | independent | 2014 | Windows 8.1, IE 11 |
Yuri Aedla | independent | 2014 | Windows 8.1, Mozilla Firefox |
Mariusz Mlynski | independent | 2014 | Windows 8.1, Mozilla Firefox |
George Hotz | independent | 2014 | Windows 8.1, Mozilla Firefox |
Liang Chen, Zeguang Zhao | Keen Team, team509 | 2014 | Safari (OS X Mavericks) |
JungHoon Lee | independent | 2015 | IE 11, Google Chrome, Apple Safari |
Peter, Jihui Lu, wushi, Zeguang Zhao | Keen Team, team509 | 2015 | Adobe Flash |
2016 contest
Program | Vulnerabilities |
---|---|
Microsoft Windows | 6 |
Apple OS X | 5 |
Adobe Flash | 4 |
Apple Safari | 3 |
Microsoft Edge | 2 |
Google Chrome | 1 |
References
- Dragos Ruiu: PWN to OWN (was Re: How Apple orchestrated web attack on researchers). In: SecLists.Org Security Mailing List Archive, March 20, 2007; accessed September 2, 2014.
- pwn, in the English Wiktionary.
- Ryan Naraine: Mac Developer mulling OS X equivalent of ZERT. In: ZDNet (CBS Interactive), February 1, 2007; accessed October 23, 2014.
- Marc Orchant: Cancel or Allow? Good poke at Vista UAC. In: ZDNet (CBS Interactive), February 6, 2007; accessed October 23, 2014.
- Ryan Naraine: How long can a Mac survive the hacker jungle? In: ZDNet (CBS Interactive), March 26, 2007; accessed October 31, 2014.
- About the Zero Day Initiative. Accessed November 5, 2014.
- Terri Forslof: Apple issues patch for QuickTime flaw. May 3, 2007; accessed November 5, 2014.
- Steven J. Vaughan-Nichols: Pwn2Own 2015: The year every web browser went down. In: ZDNet, March 23, 2015; accessed January 16, 2017.
- Pwn2Own 2015: Day One results.
- Pwn2Own 2016: Chrome, Edge, and Safari hacked, $460,000 awarded in total. In: VentureBeat, March 18, 2016; accessed January 16, 2017.