467 Comments
- sixela, on 03/28/2008, -98/+380 Eat it macboys.
- DiggLive, on 03/28/2008, -74/+226 In come the Apple apologists that say Macs are perfect bug-free machines that can't be compromised.
- Farmer77, on 03/28/2008, -21/+166 So I guess the conclusion to this story is that people can hack Apple's OS, but only for money, otherwise, it's not worth hacking.
- liuping, on 03/28/2008, -39/+172 He obviously figured out his hack ahead of time. It took him two minutes to "direct" Safari to his already existing hack (must be a long URL?) on his website. Who knows how long it took him to write the actual hack...
- SeanRoss, on 03/28/2008, -25/+140 He hacked it in as much time as most computers take to boot up, wow...
- inactive, on 03/28/2008, -20/+128 Actually, Engadget and Yahoo reported this story wrong. The hack was not done over a live internet connection. It was done using a crossover cable. The hacker's MacBook was connected directly to the MacBook Air in question.
You can see the rules for the contest here: http://cansecwest.com/post/2008-03-20.21:33:00.Can ...
In case that link doesn't work, you can see the rules below:
Limit one laptop per contestant.
You can't use the same vulnerability to claim more than one box, if it is a cross-platform issue.
Thirty minute attack slots given to contestants at each box.
Attack slots will be scheduled at the contest start by the methods selected by the judges.
ATTACKS ARE DONE VIA CROSSOVER CABLE (attacker controls default route)
RF attacks are done offsite by special arrangement...
No physical access to the machines.
Major web browsers (IE, Safari, Konqueror, Firefox), widely used and deployed plugin frameworks (AIR, Silverlight), IM clients (MSN, Adium, Skype, Pidgin, AOL, Yahoo), Mail readers (Outlook, Mail.app, Thunderbird, kmail) are all in scope.
This is a picture of the hacker, Charlie Miller, connected to the MacBook Air in question:
http://dvlabs.tippingpoint.com/blog/2008/03/27/day ...
http://dvlabs.tippingpoint.com/blog/2008/03/27/ day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture
If the first link doesn't work, just enter the second one in your browser and remove the space.
- banmaster, on 03/28/2008, -32/+115 What a stupid apple apologist!
He obviously doesn't know that most PCs are 'hacked' this way, by directing the ignorant user to a compromised site. Mac users are even more ignorant and happily wrapped up in their false sense of security (coz, like, Macs can't be hacked or catch viruses).
- Scynet, on 03/28/2008, -17/+89 The same applied to other systems, Vista and Ubuntu. Doesn't matter how you try to twist it, Mac was breached pathetically fast.
- Chrysaor, on 03/28/2008, -11/+78 No one was able to hack Vista and Ubuntu remotely as well; it's not Mac only.
- ariez84, on 03/28/2008, -51/+117 This is pretty ***** sweet. Now someone needs to parody the ***** out of those Mac ads.
- Scynet, on 03/28/2008, -3/+62 And:
"Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages."
http://security.itworld.com/5013/mac-hacked-first- ...
- dojonz, on 03/28/2008, -1/+55 I do not suggest you ever visit Las Vegas.
- fremeer, on 03/28/2008, -19/+56 Hacking and viruses are different. Generally Unix, which Mac is based on, is very secure and you would find it pretty difficult to really write any major viruses for it. It would be easier aiming for QuickTime, Safari, iTunes etc. since they are less secure.
- Rikm, on 03/28/2008, -3/+40 Apparently he wrote the exploit overnight:
http://securitywatch.eweek.com/apple/mac_hacked_vi ...
And the length of time the exploit took to develop is irrelevant anyway. If your system gets hacked, are you going to care if it took 2 mins or 2 years to develop the code? You're pwned either way. As it stands now, every MacBook Air (and presumably any other OS X system) can be hacked by this code.
Equally, people have had the option to similarly work on Ubuntu and Vista exploits for the past few weeks, and yet neither of these systems has been hacked in the contest so far. You're just grasping at straws now. Face it, the MacBook was not invulnerable to hacking and was hacked first. Granted, this was possibly because the Air was the most desirable prize and so put it under unfair focus compared to the other two systems.
But if you are going to make that argument then you have to accept that in the real world, Windows' much larger market share puts it under higher levels of attack than OS X and Linux, which is partly why its security is breached so often.
- Aeuta, on 03/28/2008, -3/+37 They had no physical access; someone else had to open an email...
- banmaster, on 03/28/2008, -23/+56 Security via obscurity, it's the only real protection the Mac has ever had.
- SeanRoss, on 03/28/2008, -11/+41 I fully realize that the exploit already existed before he even stepped foot into the contest. But nice try.
I see what ya did there ;)
- jaydj, on 03/28/2008, -12/+42 Yeah! Who wants to surf the web anyway? If you actually use your computer, you deserve to get hacked. [/sarcasm]
- Rikm, on 03/28/2008, -3/+32 You can expect what you want, but the Vista and Ubuntu systems are still going.
http://dvlabs.tippingpoint.com/blog/2008/03/27/day ...
"We'll update this blog posting in the event another winner emerges today for the Vista or Ubuntu laptops that remain standing. Stay tuned..."
- inactive, on 03/28/2008, -6/+35 Um, isn't that exactly what most PC viruses etc. do? If it wasn't for IE, PCs wouldn't have two thirds of the issues.......
- Varz, on 03/28/2008, -3/+32 Yeah, and most Windows viruses work that way too.
- pensivewombat, on 03/28/2008, -12/+40 Yeah, cause people never, you know, click links.
- Scynet, on 03/28/2008, -5/+31 Apparently a lot longer than a Mac. But I guess reading the actual results was too much for you?
- jeriqo, on 03/28/2008, -6/+30 I don't get it.
"just two minutes to surface"
Leopard was out for a while; they could have tested it for months.
Of course, once it is found, an exploit only takes a few minutes to get executed.
- ifknot, on 03/28/2008, -24/+47 RTFA! Dominicc2003 is wrong. He didn't hack the MacBook Air (it wasn't a hardware hack), he didn't hack Leopard (it wasn't an OS hack), he hacked Safari. He used a new but known exploit of a weakness in Safari, and only when user interaction was allowed. Embarrassing for Apple - yes; the end of the world as we know it - no.
- PocchieTheMan, on 03/28/2008, -11/+32 Ain't that the ***** truth. I had one woman tell me her GodMac could survive a lightning strike. She was dead ***** serious.
- DiggLive, on 03/28/2008, -4/+25 Total retard or not, that's how malware spreads to people across the internet. They'll install anything on their systems, and when Mac/Linux ever get as widely used, you'd see more malware and other social engineering written specifically for them.
- astrosmash, on 03/28/2008, -9/+29 I guess he wanted that MacBook Air real bad.
- inactive, on 03/28/2008, -8/+28 People mostly hack for monetary gains. They create zombie botnets or data miners using viruses, worms and Trojans, but since the Mac userbase is so low, no one bothers exploiting it because it's not profitable.
- Tippis, on 03/28/2008, -2/+22 In this case, "doing your bidding" wasn't much, though – clicking a link is enough.
As for the Blaster worm, one of the main reasons it was so immensely successful (if you can call it that) was that the idiots at Microsoft hadn't turned the firewall on by default.
- dru171, on 03/28/2008, -0/+19 Odds of a digger making a fool of himself on the front page: 100%
- mpeters13, on 03/28/2008, -0/+19 I'm still using OS X. What this does show us is that Apple has to start putting up, or shutting up. OS X is not as secure as they tout it to be, and every day someone will write an exploit to pwn this thing. It doesn't matter if the developer was the original iPhone exploiter, nor does it matter that he already had the tool developed in advance. The fact of the matter is, there are bugs in Safari that shouldn't be there. The lack of anti-phishing tools, alerting the user of dangerous websites, makes this exploit an excellent one for use on unskilled users.
Debra Wilson (a la Whitney Houston): I SAID FIX IT!!
- MajorHertz, on 03/28/2008, -1/+20 As someone who uses OS X, Windows and Linux, I (and everyone) should at least be somewhat comforted that no one found a 0day exploit to remotely target ANY of the machines.
- Ranneko, on 03/28/2008, -2/+21 Which is how this exploit apparently works.
None of the machines were hacked during the pure remote network access stage, which is the only stage that is unlikely to involve app vulnerabilities much.
- Rikm, on 03/28/2008, -3/+22 No, the hack was done via a JavaScript exploit which got to the machine after the user visited a web link sent in an email.
The fact that cable access was available is irrelevant, as was the email presumably. You could be pwned by this exploit by just surfing to a malicious webpage.
Feel free to do some research.
- burrgrinder, on 03/28/2008, -2/+21 You're all doing it wrong. Computers are not analogous to politicians.
- RetepNamenots, on 03/28/2008, -6/+24 Nobody was able to hack the other two, at all...
- Tippis, on 03/28/2008, -2/+19 Physical access wasn't required in this case.
- HerbSolo, on 03/28/2008, -2/+19 Exploiting a browser flaw: the browser's fault.
Gaining root access through an exploited browser: the operating system's fault.
- elTito, on 03/28/2008, -22/+38 I use both MS and Mac stuff and I don't think I'm a fanboi of either, but...
It seems to me that this is an application problem, not an OS problem. I find it hard to believe that there are not multiple ways into all three of the OSs in question via similar techniques.
Additionally, I'd like to know if the hack was self-executing (i.e. simply surfing to the site compromises Safari and OS X) or if someone actually had to download and install something, disregarding at least two warnings and an account password requirement. In other words, was it something that could happen to anyone by accident or only to a total retard?
- joeanon, on 03/28/2008, -0/+16 Most good hacks are planned ahead of time.
It's not like the movies where they put on their virtual reality eyepiece and hack through an SGI scene of 3D binary numbers.
You research current exploits and then you PERFECT the code to run the exploit and go from there, potentially crashing, taking control or planting a trojan.
Even when hackers HACK, most of the time they are either using known exploits or known weak points in IT defenses or OS defenses.
In fact, pretty much anyone good at anything practices and plans and plans and practices. Even sports nerds practice, practice, practice, and that, in effect, is coding different uses of exploits or even looking for new exploits.
Hacking a system by finding new exploits is probably pretty rare. You would usually be testing for exploits on a test system on your own LAN or virtual machine.
Obviously the most reliable weak spot in IT is the user. You can hack most any place by doing old-fashioned detective work more easily than by penetrating the network. Many security places will target users and either obtain info from them indirectly, such as hacking their home system or just watching them, OR give away free CDs or free USB keys outside the business, knowing their employees will be most likely to use them either at work or home.
I'm sure this exploit won't be hard to fix. Mac is built on BSD and it's hard to say, even with Apple's code, that it's an insecure OS. It's not built around security, but neither is Linux or Windows. They all allow privilege elevation. So that means you're typing your admin password in as much as humanly possible or you allow more root commands to users.
The plain old detective work makes entering the admin password all the time a major risk to full-blown security. However, overall the PC security market has bigger problems, such as hacking encryption at the hardware level and the overall mystery of how to trust that anything a client sends you is not forged. Most firewalls are just not up to the task either, but WHY bother when the user is SO STUPID.
Have a revolving encryption all you want, but if someone compromises a client with a physical attack, it's all for naught, and that's usually the easiest attack. You can use all types of simple ways to con your way into a business, slip a USB key in somewhere or just pay an employee a small bribe.
We've definitely got too much focus on the technological side of security while users continue to be the weak point.
- sirbeta, on 03/28/2008, -12/+28 They've had stuff for a long time, you Mac guys just strike it from your mind as if it never existed. Believe me, this will be a simple fairy tale to you guys in a matter of weeks.
- davidcg, on 03/28/2008, -0/+16 It wouldn't be a contest at all if you were allowed to use published/reported exploits. The goal of it all is to find new exploits so they can report them and have them fixed. But that is the key: IF they get fixed.
- jj101, on 03/28/2008, -0/+15 No he didn't. It has no ethernet port. They must have used the USB to ethernet adapter.
- inactive, on 03/28/2008, -30/+45 "The mystery crack by Charlie Miller was dependent on visiting a website containing malicious code. The exploit took just two minutes to surface at the start of the day, which also invited guests to hack Linux and Windows systems.
The exploit was presented on the second day of the three-day conference and appeared only once the competition eased rules, permitting hacks to require user actions rather than the strictly automatic hacks that were allowed the day before."
The sad truth is that any system is vulnerable if you can get the user to do your bidding. However, this fact will not prevent a flood of comments along the lines of - OMG Mac was PWNED! Take that Macboys
Windows users will conveniently forget about the Blaster worm that PWNED so many Windows boxes, which did not require any user interaction.
- Scynet, on 03/28/2008, -3/+18 Bollocks, the same rules were applied to Vista and Ubuntu too, and they STILL couldn't get in after the second day.
- RetlawST, on 03/28/2008, -0/+15 This has been proven false time and again. OS X was built upon a root-access system which prevented users from unintentionally running processes that ran under root. UNIX is easily one of the most secure OSes ever written, BSD is based off of that, and OS X is based off of that. Vista, despite all of its irritations, is much more secure than XP ever was.
- postalblowfish7, on 03/28/2008, -5/+20 Dude, it's just a computer.
- makkaveli19, on 03/28/2008, -1/+16 Well *****, I guess the odds of me getting laid are even lower than that because it made it to the front page.
- Rikm, on 03/28/2008, -2/+16 So you never "visit web sites or open e-mails" on your system?