Wednesday, March 25

SmartPhone Pwn2Own Results Reflect Security of the Device?

Since the CanSecWest conference last week a few people on the net have been reporting (Gizmodo, Slashdot, Engadget) that because none of the smartphone platforms were compromised (I think there was only a single attempt if I heard right) and that these devices must be inherently secure or a lot harder to hack than Safari and the rest of the browser crew.

After hanging out with a few of the researchers at the conference, and witnessing first-hand some of the technical prowess they possess, it seems a little strange to me that the security of these handsets pose a challenge to these people.

Adding to my skeptisim is the fact that many of the researchers at the conference were supporting the stance of "no more free bugs". Which I support - as there is a very real thriving underground economy for bugs and exploits - and researchers deserve to get compensated for the knowledge and expertice, not to mention that the pwn2own contest rules sign-over ownership of the bug to TippingPoint (ZDI) for basically the cost of the hardware plus 10K.

My theory on why the smartphones survived the pwn2own ordeal is not that they are uber-secure, but that the researchers know that the bugs they have for them (and based on what these guys can do on platforms that have been secured for years they DO have them) felt that the compensation that they were being offered does not even come close to the value the bugs have to other potential buyers and future uses.

I would argue that bugs on these platforms are much more valuable than say a browser exploit, or Vista hack, as taking control of a smartphone with its advanced functionality, personal connection to the owner and lack of security awareness for the platform.

Anyway, my little theory on smartphone security.
Post a Comment