Apple loses three-way hacking contest
By Dave Nixon
March 30, 2008
An Apple Mac was the first casualty in a hacker shoot-out to establish which operating system is the most secure.
A former US National Security Agency employee has won $10,000 for breaking into a MacBook Air at the CanSecWest security conference’s PWN 2 OWN hacking contest. The MacBook was up against Linux and Vista PCs, which have hitherto remained uncracked.
It took Charles Miller only two minutes to break into the Apple. Show organisers had offered the MacBook, a Sony Vaio and Fujitsu U810 as prizes, saying that they could be won by anybody at the show who could find a method to hack into each of them and read the contents of a file on the system, using a previously unrevealed “0day” attack.
No one was able to hack into the systems on the first day of the contest, when contestants were only permitted to attack the computers over the network, but yesterday the rules were relaxed so that attackers could direct contest organisers using the computers to do things like visit websites or open email messages.
The MacBook was the lone system to be hacked by Thursday.
Miller didn’t need a great deal of time. He rapidly directed the contest’s organisers to visit a website that contained his exploit code, which then permitted him to grab control of the computer, as about 20 onlookers cheered him on. He was the first contestant to attempt an attack on any of the systems.
Miller was swiftly given a nondisclosure agreement to sign and he’s not permitted to talk about details of his bug until the contest’s sponsor, TippingPoint, can notify the vendor.
Contest rules state that Miller could only take advantage of software that was pre-installed on the Mac, so the defect he exploited must have been reachable through, or perhaps inside, Apple’s Safari browser.
By late Thursday, Apple engineers were already working on patching the issue, said Aaron Portnoy, a TippingPoint researcher who is one of the contest’s judges.

