Printed from http://www.macnn.com

MacBook Air hacked within two minutes at expo

updated 11:55 am EDT, Fri March 28, 2008

Two-minute MB Air hack

The defenses of the MacBook Air were breached within moments in a recent security expo contest, reports say. During the CanSecWest conference's "PWN 2 OWN" competition, participants were expected to hack into one of three notebooks and read the contents of a file using only an original zero-day attack. An award of $10,000 plus an Air is said to have gone to Charlie Miller, who broke into the computer within two minutes. This was accomplished by redirecting a web browser to a site hosting exploit code written by Miller.

Under the terms of the competition, Miller cannot talk about the details of his exploit until the contest's sponsor notifies Apple, giving it a chance to rectify the problem. It is believed, however, that since the rules of the competition dictate relying on pre-installed software, the hack was directed through Apple's Safari software.

The speed of the hack is considered especially impressive given that last year, a break-in for the MacBook Pro required nine hours. At the end of Thursday's competition timeframe, two PC notebooks -- a Sony Vaio and Fujitsu U810 -- had yet to be cracked, according to observers.




by MacNN Staff


Comments

  1. Flying Meat

    Joined: Dec 1969

    0

    woopsie!

    Racers, start yer security software bashing engines.

  1. t6hawk

    Joined: Dec 1969

    0

    Not entirely accurate

    The supposed hack was on the second day of the challenge which isn't mentioned by MacNN. Not a single attendee entered the contest on day one, when all vulnerabilities had to reside in the machine's operating system, drivers or network stack. On day two, the attack surface was expanded to include browsers, mail applications and other common applications.

    He exploited a bug in Safari. Nothing says this guy didn't find the exploit in Safari before going. Does this exploit affect Firefox also?

  1. James Katt

    Joined: Dec 1969

    0

    Ah, not 2 minutes

    What the article does not point out is that in the first 24 hours of the contest, the contestants were supposed to do an attack on the Mac remotely via the network alone.

    No one could hack the Mac remotely via the network alone.

    The second day, they relaxed the rules and allowed the contestants physical access to the Mac so that they could install an automated user to receive emails or use a browser to go to a malicious website set up by the contestant.

    Duh.

    It took more than 24 hours to hack the Mac. It takes days to program an automated user or develop and program a malicious website. They had to do the work even before the contest.

    And it took physical access to the computer to hack it. They could not hack it over the network at all!

    Thus the contest is a crock.

    I doubt any user will allow a crook or stranger physical access to their personal computer. Once a person has physical access to a computer then any computer can be hacked. Through the firewire ports, any Windows computer is instantly compromised, for example.

  1. Flying Meat

    Joined: Dec 1969

    0

    I doubt

    anyone would click on a malicious link?

    I agree this was a bit unlikely, but people do leave their machines on and unattended. People do click on what used to be a benign link. People do (sadly) click links in unsolicited email messages, and/or allow images to be displayed in their email messages automatically...

    I smelled something fishy with this when it was pointed out that the hack was a browser redirect/malicious link dealie. Someone had to be using the machine and directed to click said link. It wasn't an "unattended" machine being hacked.

  1. mr.mouse

    Joined: Dec 1969

    0

    Any others?

    Were any Windows or Linux machines hacked on Day 1? Also, on day 2, were any Windows or Linux machines hacked before the Mac?

    Answers to these questions are the interesting bit.

  1. manleycreative

    Joined: Dec 1969

    0

    yeah

    So...he had to use the browser to do it? Use the OS then get back to me with any serious claims of security flaws etc. with OS X.

  1. jameshays

    Joined: Dec 1969

    0

    Final Rule

    So, the final rule is that if I click on a bogus link or I allow somebody on my machine to have complete access while I'm away, I'm a good candidate for a break in. Well, that's good to know....

  1. mgpalma

    Joined: Dec 1969

    0

    Social Engineering hack

    More accurately. This took a user visiting a malicious or compromised site to work. Though no matter what version of Safari you are using, etc., this definitely has to be addressed by Apple, and it is. A lot of viruses, trojans, etc. are spread through socially engineered methods and so in my book are completely valid concerns. Obviously Mac OS X Leopard is much more secure than Windows at any level, but Apple really needs to be on top of releasing security patches quickly to show its users that they take these matters seriously. And yeah, like the others have posted, this 'hack' did NOT take 2 minutes to craft. Execute, maybe, but not craft. There is a BIG difference.

  1. mr.mouse

    Joined: Dec 1969

    0

    Re: yeah

    Was it not an Apple browser? Safari?

    Security issues on modern systems are often triggered by user behaviour. Some of the more virulent attacks in the past (usually on Windows) have been links in emails, or attachments that have been opened by users.

    Therefore, if all systems passed an external attack (day 1), but a boxed Mac (running OS X, Apple Safari and any other Apple bundled software) fell over before a standard Windows install (with the bundled IE, etc.) or a Linux Distro, then I would argue the Apple kit failed RELATIVE to Windows and Linux.

    This is not good news for me, as an OS X user, that my machine is less secure than my wife's Windows laptop, despite the Apple rhetoric about how secure their systems are compared to Windows. Not good at all.

  1. designr

    Joined: Dec 1969

    0

    What Version of Safari

    What Version of Safari was installed?
