
In 2 Minutes You Can…

March 28th, 2008
7 Comments Written by Ryan


…brush your teeth, grab a cup of coffee, email a friend, or hack a MacBook Air. Just like last year, the CanSecWest conference is currently going on, and tons of hackers have crammed in to see who can be the first to hack one of the laptops provided. The first person to forcefully gain control of one of the three laptops not only takes home that laptop, but also receives a worthwhile $10,000 cash prize.

The three laptops being attacked were a VAIO VGN-TZ37CN running Ubuntu 7.10, a Fujitsu U810 running Vista Ultimate SP1, and a MacBook Air running OS X 10.5.2. On the first day of the contest the rules were kind of strict, and the hackers could only go after the computers over the network. There was a strong stench of failure in the air that day.

Then yesterday they decided to let go a bit and let the hackers direct the contest organizers to a website that they created to run malicious code. Charlie Miller, the first one to hack the iPhone last year, was all over it and almost immediately gained access to the MacBook Air. It took him a whopping 2 minutes to get into the system, but no one knows exactly how he did it because he was forced to sign a nondisclosure agreement. Many expect that the vulnerability lies in Apple’s Safari browser.

In case you’re wondering, contestants like Charlie had to follow these guidelines for their attack:

  • You can’t use the same vulnerability to claim more than one box, if it is a cross-platform issue.
  • Thirty minute attack slots given to contestants at each box.
  • Attacks are done via crossover cable. (attacker controls default route)
  • No physical access to the machines.
  • Major web browsers (IE, Safari, Konqueror, Firefox), widely used and deployed plugin frameworks (AIR, Silverlight), IM clients (MSN, Adium, Skype, Pidgin, AOL, Yahoo), and mail readers (Outlook, Mail.app, Thunderbird, kmail) are all in scope.

So congrats to Charlie. Apple… get to work! ;)

CanSecWest [via PC World]
Thanks to CoryC for the tip!
Part of the image via bid burglar!


  1.

    So probably OS X 10.6 will be delayed now. They’ll have to learn to write secure code.

  2.
    Anonymous wrote:
    So probably OS X 10.6 will be delayed now. They’ll have to learn to write secure code.

    Ouch… I think you got pleasure driving that dagger in. :P

  3.

    I’m curious if it actually only took two minutes to hack it or if competitors are allowed to write code prior to their turn at each computer to help them on their quest. I’d also like to know how many of them are aware of vulnerabilities when they show up at the competition and it’s just a matter of who can type the fastest.

  4.
    kiltboy wrote:
    I’m curious if it actually only took two minutes to hack it or if competitors are allowed to write code prior to their turn at each computer to help them on their quest. I’d also like to know how many of them are aware of vulnerabilities when they show up at the competition and it’s just a matter of who can type the fastest.

    I was wondering the same thing, but I don’t think they would be able to stop any extra work from happening outside of the competition. It’s just a matter of how much time is it worth trying to find vulnerabilities just to win $10,000. I guess it may not take that long for some of those people.

  5. Michael Dobrofsky (All-Star)

    Everything is hackable, people.

  6.

    Actually during the segment when he cracked the Air, the only thing in scope was the default installation.

    It’s quite a realistic hack too, nothing more than browsing to a website and he was able to take control of the machine.

    The next day (today) was when they were adding the other applications like Firefox, so we haven’t heard the results of that hacking session yet, or whether they’ll be able to take control of Vista or Linux.

  7.
    The How-To Geek wrote:
    Actually during the segment when he cracked the Air, the only thing in scope was the default installation.

    Some sources are actually reporting the browsers and mail clients were added on the second day. Then the third day was plugin frameworks and instant messengers.
