The Mac Observer

Skip navigational links

DealsOnTheWeb Daily Deal: 8GB iPod Touch: $229 Delivered

MacBook Air Hacked in PWN 2 OWN Contest

by , 8:15 AM EDT, March 28th, 2008

Charlie Miller, also known for his iPhone hack, managed to walk away from CanSecWest's PWN 2 OWN contest with US$10,000 and a MacBook Air after successfully hacking into the portable computer. Mr. Miller was able to successfully hack the laptop after the rules of the contest were relaxed to allow for more than remote attacks, according to InfoWorld.

On the first day of the event, contestants unsuccessfully attempted to remotely hack into the Mac, a Windows PC, and a Linux PC. On the second day, however, Mr. Miller was able to gain control over the MacBook Air in only two minutes by directing a contest organizer to visit a specially crafted Web site with the laptop.

The Web site contained code that Mr. Miller developed specifically to hack into the Mac.

Exactly what the code did to the MacBook Air is a secret, and will remain that way until after the contest organizers can notify Apple of the exploit thanks to the nondisclosure agreement Mr. Miller was required to sign.

Since the relaxed contest rules on the second day prohibited attackers from using applications that weren't part of the standard OS installation, Mr. Miller likely took advantage of an undisclosed flaw in the Safari Web browser. Once Apple has been notified of the potential security flaw the company will likely issue an update that patches the threat.

Observer Comments

Show: Subjects Only | Full Comments
Close Name:geoduck Posts: 1667 Joined: 30 Dec 2003
Subject:

So, were the Windows and Linux systems hacked in a similer way?

View Name:Guest
Subject: Good job charlie
View Name:Guest
Subject: lol
View Name:Guest
Subject: geoduck's post
View Name:Guest
Subject: Other Computers not hacked, just Apple
View Name:Guest
Subject:
View Name:Guest
Subject: more info needed
View Name:Guest
Subject: DarK Chaos aka Matt
View Name:Guest
Subject:
View Name:Guest
Subject: ....Aaaaaand
View Name:Guest
Subject: HaHaHaHa
View Name:Guest
Subject: PCGuy
View Name:Guest
Subject:
View Name:Guest
Subject: GERM37
View Name:Guest
Subject:
View Name:Guest
Subject: Apple sucks
View Name:Guest
Subject: NO
View Name:Guest
Subject: Clearly shows apple's inferiority
View Name:Guest
Subject: hack one mac and it is the end of the world
View Name:Guest
Subject: Riiiiight....
View Name:Guest
Subject: No reason to Hack the PC and Linux
View Name:Guest
Subject:
View Name:Guest
Subject: Vista and Linux Not Yet
View Name:Guest
Subject: Clicking Links...
Close Name:DaiMac Posts: 952 Joined: 29 Jun 2001
Subject: Only one sentence matters...

" Mr. Miller was able to successfully hack the laptop after the rules of the contest were relaxed to allow for more than remote attacks"

The minute he can hack a Mac remotely I'll be interested, as it is he did nothing that a moderately advanced user couldn't prevent with a few simple steps and a little common sense.

As one of the guests noted, why expend that effort to get a PC or a Linux machine either, I would have targeted the MBA first as well...

Close Name:Intruder -   TMO Mac Specialist Posts: 2837 Joined: 07 Jul 2004
Subject:

As there is definitely a chip on hackers shoulders regarding OS X, and a desire to prove Apple wrong regarding security, it is not surprising that the Air was targeted. it would be really interesting to see the statistics regarding the attempts on the Air vs the attempts on Windows and Ubuntu. Without that information, reporting that the Air was hacked first is meaningless. If nobody was trying to hack the other machines, the Air was first by default.

View Name:Guest
Subject:
View Name:Guest
Subject:
Close Name:Sir Harry Flashman Posts: 581 Joined: 08 Feb 2007
Subject: Only a few people know how it was done

Quote
Guest wrote:
All it took was to send a user to a URL to compromise the MacOSX system. Vista didn't even crumble under this despite running IE7.


We do not yet know the details of how the MacBook Air was hacked

Close Name:gslusher Posts: 2001 Joined: 13 Nov 2002
Subject:

Quote
Guest wrote:
"As one of the guests noted, why expend that effort to get a PC or a Linux machine either, I would have targeted the MBA first as well..."

Because all the machines were supposed to be less secure than MacOSX according to Apple?

The sad thing is that IE7 and Vista remained UNCRACKED through to the end of Day 2.

After 2 days, the MacBook Air MacOSX/Safari combo was the *ONLY* compromised system.

And the payout is the same, whether you cracked a more secure or less secure system.

Guess we know which ones are actually less secure now.

All it took was to send a user to a URL to compromise the MacOSX system. Vista didn't even crumble under this despite running IE7.


That is completely illogical. Charlie used a vulnerability he discovered to hack the MacBook Air. He didn't TRY to hack the others. Given his talent, he probably could have done so just as easily. You don't know.

Also, ONE vulnerability proves nothing. How long (months?) did it take him to find that and develop an exploit?

View Name:Guest
Subject: Sometimes Mac fans are so defensive!
Close Name:daemon Posts: 305 Joined: 17 May 2007
Subject:

According to various accounts Charlie Miller used to work for the NSA, so even though the MacBook Air is still the only laptop of the three to fall (it was the first one tested yesterday with the relaxed rules) so far, I'm going to declare BS. Not because it isn't a valid crack, but because we have no idea what kind of privledged information Miller had access to while at the NSA that would have allowed him to develop the crack that took control of the MacBook Air.

View Name:Guest
Subject: good point
Close Name:slappy Posts: 1 Joined: 28 Mar 2008
Subject:

I don't think its BS. He developed the hack based on a known flaw. Just like the Windows hackers were basing their attack on known Windows flaw. The results were that the Mac was easily hacked. While Vista could not be hacked the same day. So far its still not hacked yet.

View Name:Guest
Subject: hack one mac and it is the end of the world re-responding:
Close Name:Intruder -   TMO Mac Specialist Posts: 2837 Joined: 07 Jul 2004
Subject:

Actually, all three systems did fairly well. None were hacked on the first day when it was really a "hack the OS" day. The second day was attacking installed software (not the OS), and a flaw in Safari was found - a good thing, as it will lead to a fix. On the third day, third party apps were attacked and a flaw in Flash was found - a good thing, as it will lead to a fix.

From what I have read, the folks that cracked the Vista machine also had a proposed exploit for the Ubuntu machine but didn't find it worth the remaining time to run the exploit.

While the Windows and Linux fans will tout their "success" over the Mac, NONE of the OS's succumbed to the OS-only attack. Not the Mac. Not Vista. Not Ubuntu.

This is a good thing.

Close Name:Sir Harry Flashman Posts: 581 Joined: 08 Feb 2007
Subject: "Guests" need to read this article

The "Guests", and our regular registered posters, should read this article at Roughly Drafted.

View Name:Guest
Subject:
Close Name:Intruder -   TMO Mac Specialist Posts: 2837 Joined: 07 Jul 2004
Subject:

Actually the rules were relaxed (per the rules in the contest) to allow attacks through standard installed software. IE for Windows and FF for Ubuntu would then be valid attack vectors. He was not sitting there with direct hardware access.

View Name:Guest
Subject: 99.9% of mac users
View Name:Guest
Subject: Isn't this due to default setting in Safari?
Close Name:jwarren2001 Posts: 23 Joined: 29 Jan 2008
Subject: Guess again...

Quote
Guest wrote:
So much for feeling secure


I feel fine.

View Name:Guest
Subject: Absolutely right
Comment on this Article


You cannot edit your comments.   You cannot delete your comments.
Log in | Register | Having Problems? Reset TMO Cookies & Try Again
Username:   Password:   Log me on automatically each visit   

You are not logged in, and this post will appear as "Guest." Log in with your username and password from the TMO forums. If you do not have a username, you can register here.
Please note that guests are limited to including a maximum of two URLs per post.


Post A Comment
  Subject


  Your Comments



Please enter the word exactly as you see it in the image above. Registered users aren't prompted for this. Having trouble reading the image get a new one.


Recent Headlines - Updated Wednesday, May 14th, 2008

Wed., 1:40 PM
YML: The Boston Apple Store and Photoshop: The Missing Manual
1:15 PM
User Friendly Blog by Ted Landau - The iPhone needs a faster better Safari
1:00 PM
MacTech Releases Office Scripting Advisor
12:35 PM
iPodObserver - MS: 40 Percent of Smartphone Market by 2012
11:30 AM
iPodObserver - O2: 3G iPhone Only Weeks Away
10:45 AM
Cocktail 4.1 Improves Safari 3.1 Support
10:15 AM
Hot Forum Topic - The iPhone's Feature and Expectation Balancing Act
9:35 AM
Icahn May Push for MS/Yahoo Merger
8:50 AM
iPodObserver - Swisscom Bringing iPhone to Switzerland
8:20 AM
GhostReader 1.5 Improves iPhone/iPod Export
7:55 AM
"Sad Song" Joins the Get a Mac Lineup
7:30 AM
iPO Quick Tip - iPhone: Backing Up the Important Stuff
 

The Mac Observer Reader Specials

Apple Stock Quote

  • AAPL: $190.92. Change Today: +0.96.
  • (Prices delayed up to 20 minutes.)
  • Discuss in our Apple Finance Board

Hot Topics

Apple iTunes

Top Deals From DealsOnTheWeb