Pwn2Own Hacking Event to Offer $10k for 0-Day iPhone Exploit

TippingPoint, a network-based intrusion prevention system company, has announced its plans for the Pwn2Own 2009 event - for the third year running. The event will be held at the CanSecWest Security Conference March 16th - 20th in Vancouver, BC.

This years contest will target two sets of technologies: web browsers and mobile devices. As usual, the ZDI will purchase all winning vulnerabilities that are submitted against these targets, hand them over to the affected vendors, and coordinate public disclosure.

Rules
The browser targets will be IE8, Firefox, and Chrome installed on a Sony Vaio running Windows 7 as well as Safari and Firefox installed on a Macbook running Mac OS X. All browsers will be fully patched and in their default configuration as of the first day of the contest. The mobile device targets will include fully patched BlackBerry, Android, iPhone, Symbian and Windows Mobile phones in their default configurations. A full list of available interfaces will be made available on the CanSecWest website under the Pwn2Own rules.

To participate in the contest, you can choose either or both technologies and must generally prove successful code execution. A contestant may only win one prize per flaw (e.g. if he is able to pwn a browser and a mobile device using the same flaw, he has to choose one to go after). Winning entries against the browsers include exploits which require no user interaction outside of a single click on a malicious link. Winning scenarios against the mobile devices include attacks that can be exploited via email, SMS text, website browsing and other general actions a normal user would take while using the device. Physical access will not be granted to the mobile devices, and proving successful exploitation of one of the mobile devices will be verified by their team of hardware hacker judges on the ground at the event.

Prizes
The Zero Day Initiative will put up $5,000 per browser bug, and $10,000 per mobile bug. The first person to crack any of the mobile devices will also get to keep that device along with a one year phone contract. The first person to crack any of the browsers will get to keep the laptop it was running on. All winners will be asked to sign and agree to the general ZDI Non Disclosure Agreement, and the bugs will be turned over directly to the affected vendors.

If more than 5 people win prizes, they will offer additional Bonus prizes of an extra $5,000 that will be awarded this year for Most Interesting Browser flaw, Most Interesting Mobile Device Flaw, and Best in Show.

More Information: TippingPoint.com