Months and years go into developing something new and innovative. But a mere two minutes can crack it all!
On Thursday, a man called Charlie Miller cracked Apple’s MacBook Air in about two minutes at the CanSecWest security conference in Vancouver. This achievement makes Miller the proud winner of the ‘PWN 2 OWN’ hacking contest, and he walks home with the very first of the three laptops offered as prizes, along with a whopping $10,000 in cash. If the name “Charlie Miller” rings a bell, you aren’t wrong: he was also the man who first hacked Apple’s iPhone in 2007 and detected an Apple QuickTime flaw in Second Life that enabled hackers to steal Linden Dollars.
The laptops on offer were a Sony Vaio VGN-TZ37CN running Ubuntu 7.10, a Fujitsu U810 running Vista Ultimate SP1 and a MacBook Air running OS X 10.5.2. As the name suggests, the ‘PWN 2 OWN’ hacking contest invites hackers to find a way to hack each of the above-mentioned systems and read the contents of a file on them, with the help of a not-yet-revealed ‘0day’ attack.
On the very first day of the contest, all the participants tried hacking the laptops over the network, but all their efforts were in vain. On day two, hackers directed show organizers to use the laptops to visit websites and open emails. That’s when Miller proved his edge over the rest: in around two minutes, he directed the organizers to visit a website that contained exploit code, which was subsequently used to gain control of one of the three laptops, Apple’s MacBook Air.
After the jubilation and celebrations, Miller headed off to sign a non-disclosure agreement, which ensures that he does not discuss the specifics of his exploit code until show sponsor TippingPoint notifies the vendor, which is Apple in this case.
A TippingPoint DVLabs blog noted that the newly discovered ‘0day’ vulnerability in Safari was used to exploit the MacBook Air. Apparently, Miller could only take advantage of software pre-installed on the Mac, so the flaw that he exploited must have been accessible through, or perhaps inside, Apple’s Safari browser.
The ninth annual CanSecWest conference took place at the Marriott Renaissance Harbourside hotel in downtown Vancouver, British Columbia.