Both hacking contests offer big prizes for finding exploits, but ethical questions loom large with Pwn2Own.
Cyber security conference CanSecWest kicks off this week in Vancouver, and with it HP and Google’s hacking competitions: Pwn2Own and Pwnium. Both competitions offer entrants the opportunity to make big bucks finding exploits in browsers and plugins.
HP’s Pwn2Own contest will be focused on finding exploits for browsers and plugins, while Google’s Pwnium is focused on finding holes in its Chrome OS. For Pwn2Own, all of the target machines will be running the latest fully-patched versions of either Windows 8.1 or OS X Mavericks and the web browsers as well as plugins will be up-to-date.
Below is a breakdown of the prizes available from HP’s Pwn2Own:
Google Chrome on Windows 8.1: $100,000 USD
Microsoft Internet Explorer 11 on Windows 8.1: $100,000 USD
Mozilla Firefox on Windows 8.1: $50,000 USD
Apple Safari on OS X Mavericks: $65,000 USD
Adobe Reader running in Internet Explorer 11 on Windows 8.1: $75,000 USD
Adobe Flash running in Internet Explorer 11 on Windows 8.1: $75,000 USD
Oracle Java running in Internet Explorer 11 on Windows 8.1 (click-through bypass): $30,000 USD
Here’s what Google is offering at its Pwnium contest, which runs after Pwn2Own has wrapped up:
$110,000 USD: browser or system-level compromise in guest mode or as a logged-in user.
$150,000 USD: compromise with device persistence: guest to guest with interim reboot.
Last year at Pwn2Own, Internet Explorer 10, Chrome, and Firefox all fell, but Google’s Chrome OS survived the Pwnium competition unscathed.
For Pwnium, exploits in both prize categories have to be delivered via a web page. The target devices are an Acer C720 Haswell-powered Chromebook or an ARM-powered Chromebook 11 from HP. Google is offering a total of $2.71 million in prize money for exploits demonstrated at the conference.
In addition to the prizes listed above for Pwn2Own, this year HP is offering a “grand prize” of sorts that it's calling an “Exploit Unicorn”. To win, a hacker will have to demonstrate a system-level attack on Windows 8.1 that escapes Internet Explorer 11's sandbox and also defeats the exploit mitigations enforced by Microsoft's Enhanced Mitigation Experience Toolkit (EMET), which is not a sandbox but a layer of hardening (DEP, ASLR enforcement, ROP and export-address checks) applied to the browser process. The individual or team that demonstrates a successful exploit will win $150,000.
With Google’s Pwnium, successful exploits must be demonstrated in front of a technical representative from Google and the code (which becomes property of Google) submitted to the company. With Pwn2Own, exploits are submitted to HP’s exploit brokerage called the Zero Day Initiative — which is where the ethical problems begin.
Peddling in cyber arms
One of the more prominent figures at CanSecWest, Chaouki Bekrar, the CEO of security contractor VUPEN, states with a measure of pride that the exploits his company develops don't go back to the vendor in question.
“We wouldn’t share this with Google for even $1 million,” Bekrar said in an interview last year with Forbes. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”
Bekrar won’t share who’s on his customer list because of a “firewall” around it, but he says he only deals with NATO-aligned countries.
The key player at Pwn2Own is HP's Zero Day Initiative. Once in possession of the exploit, ZDI will try to make contact with the vendor to advise them of the bug. At the same time, the brokerage will be telling its own customers (HP's TippingPoint intrusion-prevention customers) how to mitigate the impact of the vulnerability, well before any fix ships. Should the vendor not play along with ZDI, a security advisory about the vulnerability, but not the exploit itself, is published.
Ethically speaking, it is questionable whether this is the best model. Contests like Pwn2Own and Pwnium spur innovation in attempts to make the software we use more secure, but is it fair to hand these exploits to the vendors only after a select client list has been advised? It's possible that these clients, after all, are the ones with an interest in weaponizing these exploits.
In the end, there's only a fine line that separates ZDI's business model from extortion.