Hacker Conference Focused on Web Browsers and Mobile Devices. Who Was Hacked and Who Withstood, and does it Matter?

March 21, 2011

In a wake-up call to security-complacent Apple users, the first browser to get hacked in the Pwn2Own hacker competition was Apple’s Safari, and it took just a matter of seconds. Pwn2Own is a part of the CanSecWest conference in Vancouver every year, and the term is geek speak for pwn (=hack) and to own (the device). Participants are given the challenge of exploiting common software, this year the focus was on two hot areas – browsers and mobile devices.

Other browers in the completion included Microsoft Internet Explorer Mozilla Firefox and Google chrome. The Opera browser has such a low adoption rate that it was not included.

Microsoft’s IE 8 fell to hackers later that same day. Firefox and Chrome were not hacked, and this was particularly impressive for Google’s Chrome as they had sweetened the reward for anyone who did hack their service.

Day two pitted the mobile devices against hackers and both the iPhone 4 and Blackberry Torch fell to attackers while Android and Windows 7 remained standing.

What makes the Pwn2Own hacker contest different from real world risk is that it does not reflect the percentages game.

Criminals want the biggest bang for their malware buck which means the dominant operating systems, browsers, platforms etc. are always going to be the better targets.

Windows, though it has slipped a little, is still so far ahead in user penetration rates[i] that writing malware for any other OS is still a marginal proposition.

As with operating systems, the ongoing browser market shares have changed little in the past year. IE still takes the lion’s share[ii] with the only real contender being Firefox at this point. That said, much of the browser malware is written to hit multiple services.

In the mobile world, smartphone platform penetration rates have dramatically shifted. [iii][iv] Entering into 2010, RIM, was the clear giant, but it slipped by 11% points to land in second place in January 2011. Google skyrocketed from barely registering to taking first place in penetration rates.

Given the amount of buzz around IPhone’s you’re probably surprised to hear their market share actually declined. Microsoft was the biggest loser, dropping from 18% to 8% year over year, and Palm continued its steep demise losing about 50% and now down to only 3.2% of the market share.

From the criminal point of view, Google’s Android platform is beginning to look very interesting – particularly as Google does less than the other mobile platforms to test products offered through their market place. See More Mobile Apps Caught Inappropriately Collecting User Info and Installing Malware for more information.

For Apple lovers, the Mac OS and Apple device’s underdog status against PC’s and the Windows OS long served as a hardy defense against criminal exploits. But with predictions that the Mac OS will make stronger inroads, Apple is facing new threats. (See Part 3: McAfee Threat Predictions for 2011 – Mobile: Usage is rising in the workplace, and so will attacks).  So it now appears that assuming you’re safe from malware on Apple devices is no longer a safe bet.

Though still an underdog, here’s insight into why criminals are taking an interest in Apple. Consider the company’s 2010 Sales data (Fiscal year ended Sept 25th 2010) results, and it is easy to see why criminal interest is perking up. In just the past three years, Apple has sold 33.7 million computers, 72.5 million iPhones, and iPad sales are soaring.  Add to that the over 300 thousand applications in the Apple App store and the potential for exploitation becomes even more interesting. (To learn more about threats to the iPhone see Researcher warns of risks from rogue iPhone apps).

Now, Apple has taken another step to address some of their security gaps. The company has changed their practices with regard to unreleased software[v]. They are now sharing advanced copies of their next OS (called Lion) with security researchers, not just with developers.  Time will tell whether their efforts pay off.

More on mobile risks:

Linda



Follow

Get every new post delivered to your Inbox.

Join 1,767 other followers