A hacking contest that makes sport out of serious security bugs paid $117,500 this week for exploits that compromised handheld devices powered by both Apple's iOS and Google's Android mobile operating systems.
The biggest of the three cash prizes was $50,000, paid to "Pinkie Pie," a pseudonymous hacker not yet past his 21st birthday, who already has collected at least two major bug bounties in the past 19 months. His previous hacks exploited vulnerabilities in Google's Chrome browser that gave him complete control of the underlying computer when it did nothing more than visit a booby-trapped website. At the Mobile Pwn2Own 2013 contest that wrapped up this week in Tokyo, he used similar drive-by attacks against Chrome to commandeer both a Nexus 4 and a Samsung Galaxy S4, which both run Android.
Like most modern browsers, Chrome is endowed with security mitigations designed to minimize the damage that can be done when hackers identify buffer overflows and other types of software bugs that are inevitable in just about all complex pieces of software. The security measures—which include "sandboxes" that contain Web content inside a carefully controlled perimeter—significantly increase the amount of work that attackers must put into developing working exploits. The mitigations, which also include address space layout randomization and data execution prevention, require hackers to stitch together two or more attacks that exploit multiple vulnerabilities in the targeted device.