Gone in 2 Minutes: Mac gets hacked first in contest

Charlie Miller

How long does it take you to earn $10,000? For Charlie Miller, of Independent Security Evaluators and a former NSA employee, it takes about two minutes. Last Thursday, Miller won the PWN 2 OWN competition at the 2008 CanSecWest security conference in Vancouver by successfully hacking a MacBook Air. Miller isn’t a newcomer: he is well known as the first person to successfully hack the iPhone, a year ago.

The PWN 2 OWN contest involved a Sony Vaio, a Fujitsu U810, and a MacBook Air that were up for grabs to the first person able to hack into one of the machines and read the contents of a file. On the first day of the contest, no one was able to hack any of the computers when attacks were strictly limited to an over-the-network “0day” attack, which is a method of exploiting an unknown or undocumented software vulnerability. However, on the second day, the organizers relaxed the rules a bit and allowed the contestants to trick the “judges” into visiting a malicious website or opening an email attachment. In about the time it takes you to microwave a Hot Pocket, Miller was able to successfully execute his code and seize control of the MacBook when the “target” visited his booby-trapped website. With 20 onlookers cheering him on, he took home the prized $10,000 and the first of the three laptop computers.

Unfortunately, a condition of the contest rules was that all winners be under a nondisclosure agreement until the contest sponsor, TippingPoint, has notified the vendors. So, Mr. Miller isn’t talking about how he did it, yet. However, TippingPoint has revealed that the 0day attack used to control the MacBook Air was a Safari exploit; Apple has already begun work on a patch.

  • Andrew Beery

    Gee I wonder if we're going to see a "Hello I'm a Mac and I'm a PC" video clip on this?

  • Bob Down

    Gone in two minutes? You're not really that naive, surely? This was a vulnerability that Miller has been playing with for days/weeks/months maybe. He's decided not to expose it to Apple until this contest in order to make $10,000.

    Fair play, but let's not pretend he didn't bring existing knowledge of the exploit to the table – this isn't a crappy John Travolta movie, and Halle Berry wasn't giving him a blow job as he did it…