macnn
03/28/2008, 11:55am, EDT
Friday, March 28th
MacBook Air hacked within two minutes at expo
The defenses of MacBook Air were hacked within moments in a recent security expo contest, reports say. During the CanSecWest conference's "PWN 2 OWN" competition, participants were expected to hack into one of three notebooks, and read the contents of a file using only an original zero-day attack. An award of $10,000 plus an Air is said to have gone to Charlie Miller, who broke into the computer within two minutes. This was accomplished by redirecting a web browser to a site with exploit code by Miller.
Under the terms of the competition, Miller cannot talk about the details of his exploit until the contest's sponsor notifies Apple, giving it a chance to rectify the problem. It is believed however that since the rules of the competition dictate relying on pre-installed software, the hack was directed through Apple's Safari software.
The speed of the hack is considered especially impressive given that last year, a break-in for the MacBook Pro required nine hours. At the end of Thursday's competition timeframe, two PC notebooks -- a Sony Vaio and Fujitsu U810 -- had yet to be cracked, according to observers.
Filed under: computers, security
Other story tags: MacBook Air, Safari
, 
, 45
, 
, 
, 
, 
, 
Top
subscribe to comments
for this article
He exploited a bug in Safari. Nothing says this guy didn't find the exploit in Safari before going. Does this exploit affect firefox also?
No one could hack the Mac remotely via the network alone.
The second day, they relaxed the rules and allowed the contestants physical access to the Mac so that they could install an automated user to receive emails or use a browser to go to a malicious website set up by the contestant.
Duh.
It took more than 24-hours to hack the Mac. It takes days to program an automated user or develop and program a malicious website. They had to do the work even before the contest.
And it took physical access to the computer to hack it. They could not hack it over the network at all!
Thus the contest is a crock.
I doubt any user will allow a crook or stranger physical access to their personal computer. Once a person has physical access to a computer then any computer can be hacked. Through the firewire ports, any Windows computer is instantly compromised, for example.
I agree this was a bit unlikely, but people do leave their machines on and unattended. People do click on what used to be a benign link. People do (sadly) click links in unsolicited email messages, and/or allow images to be displayed in their email messages automatically,..
I smelled something fishy with this when it was pointed out that the hack was a browser redirect/malicious link dealie. Someone had to be using the machine and directed to click said link. It wasn't an "unattended" machine being hacked.
Answers to these questions are the interesting bit.
Security issues on modern systems are often triggered by user behaviour. Some of the more virulent attacks in the past (usually on Windows) have been links in emails, or attachment that have been opened by users.
Therefore, if all systems passed an external attack (day 1), but a boxed Mac (running OS X, Apple Safari and any other Apple bundled software) fell over before a standard Windows install (with the bundled IE, etc.) or a Linux Distro, then I would argue the the Apple kit failed RELATIVE to Windows and Linux.
This is not good news for me, as an OS X user, that my machine is less secure that my wife's Windows laptop, despite the Apple rhetoric about how secure their systems are compared to Windows. Not good at all.