March 10, 2011, 9:20 PM — Apple's iPhone 4 and RIM's BlackBerry Torch 9800 both succumbed to hackers today at Pwn2Own, but two other smartphones running Android and Windows Phone 7 were unchallenged, the contest's sponsor said.
Charlie Miller became the first "four-peat" at Pwn2Own when he teamed with Dion Blazakis to take down the iPhone. Both Miller and Blazakis work for the Baltimore-based consulting firm Independent Security Evaluators (ISE).
Miller has walked off with winnings from Pwn2Own four years running -- 2008 through 2011 -- twice as many times as anyone else.
"Every other year I've had an exploit ready to go for months," said Miller in an interview after the win. "But this was a different experience, working under the time pressure because we were working on [the iPhone] exploit the night before."
Miller credited his partner for much of the work. "Dion's a really good researcher in his own right," said Miller.
Miller and Blazakis worked on their iPhone exploit for months, Miller said. "This one was pretty hard. Different bugs take different exploits, and this one was hard to exploit."
Pwn2Own winners are forbidden from discussing technical details of the vulnerabilities they exploit, or to release the attack code they've used. Instead, they turn over their findings and code to HP TippingPoint, the contest sponsor. TippingPoint in turn reports the vulnerabilities to vendors, who have six months to patch the bugs before TippingPoint publicly releases any information.
On the BlackBerry, a multi-national team composed of Vincenzo Iozzo, Ralf-Philipp Weinmann and a third researcher from the Netherlands, matched Miller and Blazakis by hacking the Torch. Iozzo and Weinmann were old hands at Pwn2Own, having partnered in 2010 to successfully break into an iPhone 3GS at that year's contest.
Iozzo is an engineer at Zynamics GmbH, the German reverse engineering tool maker headed by noted researcher Thomas Dullien, better known as Halvar Flake. Zynamics was acquired by Google earlier this month for an undisclosed sum.
Weinmann, meanwhile, is a post-doctoral researcher at the Laboratory of Algorithms, Cryptology and Security at the University of Luxembourg.
Both teams were busy tweaking their exploits before today's round, said Peter Vreugdenhil, a former Pwn2Own winner who now works for TippingPoint, and served as a contest judge this year.
"Both were actually tweaking their exploits at the [CanSecWest] conference," said Vreugdenhil, referring to the Vancouver, British Columbia security conference where Pwn2Own takes place.
The iPhone and BlackBerry Torch hacks, however, were over in seconds. "They hooked up their computers to the phones, and that was it," said Vreugdenhil.
The teams each will receive a check for $15,000 from TippingPoint, as well as the smartphones they exploited, in a ceremony Friday at CanSecWest.