We are all wrapped up from this years CanSecWest and pwn2own contest, and again it was a great conference, and a successful competition. The contest uncovered 4 new and unique critical vulnerabilities affecting the latest and greatest versions of IE, Safari and FireFox. The Chrome browser gets a small nod for being impacted by one of the flaws, although exploit is not possible using any current known techniques. I’m sure they’ll get it fixed up just the same.
What I always enjoy the most about CanSec in general is the smaller scale single track nature of the conference. It’s a more intimate setting, which always feels a lot like a group of old pals getting together for a reunion, with a few fresh faces to spice it up!
We ended the final day of competition with all the Mobile devices unscathed. I think the number one question that was asked is “Why?” Are mobile devices inherently more secure? It was a tough question to answer. I think there are a lot of barriers left to overcome in order to have a successful contest on these platforms, and too many reasons to list.
Much of the research is still new- there were several talks just this week that addressed the mobile platforms and vulnerabilities. The usual process that ensues once cutting edge research is presented in our security research community is that the information is taken in by the masses, studied, tested, refined and shared. Some of the brightest minds from around the world begin looking at these things, and we always see very elegant and amazing new information emerge.
The mobile platform is limited by both memory and processing power. What that generally amounts to is that the vulnerabilities do exist, but actually exploiting them is complicated and unpredictable. There are additional variables which can be show stoppers just between the hardware manufacturers’s themselves, or the carrier network the phone is associated with. These are just a few examples, and lack of known debuggers for many of the platforms adds limitations.
There was once a day many years ago when I believed that we (the security industry/vendors) could actually develop new product versions that, after a period of time, would eventually plug all of the holes. The one thing I can say that I have learned for certain is that anytime you technically shut down a class of vulnerabilities, new classes that we’ve not yet conceived of will be discovered. Anytime you manage to mitigate an exploit technique to render undiscovered vulnerabilities in a known class useless- new and amazing exploit techniques will emerge from our research community that redefine and reset how we look at protection, patching, and mitigations.
When you fully digest this fact, I believe it’s the very moment which you come to realize that the once thought of unsophisticated “mod squad" don’t fit that profile much at all. They are scientists in their own right- with or without PhD’s (or high school diploma’s in some cases!)- The work they do is akin to astronomers discovering new bodies in our solar system. Many form theories and hypothesis through raw intuition and curiosity, and prove to us over and over again that the work they do and the research they contribute is highly valuable, makes products better and more secure for consumers, and they are not to be underestimated.
It’s in this very spirit that CanSecWest and ZDI have agreed that next years Pwn2Own will most definitely include a mobile phone competition again! If history can tell us anything here, it's that by this time next year, the community will have turned what we now believe upside down, and more than likely wow us with a new generation of techniques that I will affectionately dub “Micro Exploits” that are able to function predictably on the mobile platform.
After much appreciated feedback from the contestants, we’ll be sure that such details as version numbers of the OS and exact hardware specs are made available well in advance.
Congratulations once again to all of our winners, and thanks to all who helped make pwn2own 09 another fantastic event!