CanSecWest security competition falsely portrayed, again
March 27th, 2010
Daniel Eran Dilger
Another year, another grossly ignorant misrepresentation of the CanSecWest security competition. Nothing new here, just the widely reported idea that CanSecWest hosted a shootout among operating system platforms and Apple’s were among the first to fall.
But the security contest, which pits black hat hackers against a variety of desktop and mobile systems, has nothing to do with the relative merits of each platform and everything to do with said hackers’ previous year of research into finding exploitable problems.
This year, two young European researchers discovered an exploit that enabled them to hack the iPhone and access its SMS database of texts via a browser-based exploit that crashed Mobile Safari. The exploit took weeks of effort to develop, but the tech media insisted that the job was a “20 second” affair.
Media reports of CanSecWest so prominently assail Apple’s products by name that it causes one to think that, just possibly, the event’s major sponsors such as Microsoft, BlackBerry, and Google are really getting their money’s worth.
Who benefits from CanSecWest?
A primary beneficiary of the event, however, is Apple and its customers, who are shielded from any malicious application of the exploits hackers find. That’s because the people who discover exploits are rewarded by the event itself, while the vendor, in this case Apple, is given information needed to harden its software.
Without such a high profile contest handing out prizes and notoriety to security experts, there would be little incentive to invest in the efforts needed to discover flaws that need to be patched, leaving Apple to do all that work itself.
As it is, there is currently little to no black market value for Mac or iPhone exploits, but if that ever changes it’ll be good to know that CanSecWest has been helping to harden Apple’s software on a regular basis, making it all the more difficult to find vulnerabilities to maliciously exploit.
Neanderthal or Shill?
By selectively exaggerating the risk and emotionally charging the rather boring but technically sophisticated work of security experts, writers like ZDNet’s Ryan Naraine, who works as a “security evangelist” for antivirus developer Kaspersky Lab, helped muddy the waters and create security panic where none was warranted.
The security experts themselves behaved rather differently, delivering their security kills with some class and professionalism. Halvar Flake, who assisted Vincenzo Iozzo and Ralf Philipp Weinmann in attacking the iPhone, explained that the discovered vulnerability only affects one app sandbox at a time, noting that the “exploit doesn’t get out of the iPhone sandbox.”
However, since a variety of Apple’s own bundled apps use the same low privileged user (and play in the same sandbox), it’s possible for a specific exploit like the one they discovered to provide some access to not only the phone’s texts, but also contacts, emails, photos, and iTunes music.
The iPhone exploit and Charlie Miller’s third successful attack on Safari were the most notable exploits for Apple’s platforms this year, but both were bought up by TippingPoint’s Zero Day Initiative so that users will be spared any real risk until Apple can patch the flaws.