After successful attacks on Safari and Internet Explorer 8 on Wednesday, the second day of Pwn2Own saw the iPhone 4 and then the BlackBerry Torch 9800 successfully exploited. The annual security competition allows researchers to win any systems that they successfully compromise, and also awards them cash rewards if those security flaws are still present in the latest version of the software.

The iPhone was hacked by Pwn2Own veteran Charlie Miller working with Dion Blazakis. In the last three years, Miller has successfully pwned both Apple's phones and laptops at the competition, and he kept his winning streak going this year with a successful attack on the iPhone 4. The flaw used to pwn the iPhone was in its Mobile Safari Web browser; the phone was compromised simply by visiting a specially-crafted Web page, which allowed Miller to run exploit code that allowed him to access the phone's address book.

Past Pwn2Own competitions have required the contestants to test against the latest version of the software under attack, even if released on the day of the competition. This year, the software was frozen last week, preventing the use of last-minute patches to avoid exploitation. Successful exploits of the week-old configuration win the hardware, and if the exploit still exists in the latest software, money is also paid out for the flaw.

The iPhone was running iOS 4.2.1, as its software was frozen prior to this week's release of iOS 4.3. However, Miller was awarded both the hardware and the money: the same security flaw is found in the newest version of Apple's operating system. Demonstrating the significance of the rule changes, however, was the fact that his exploit no longer worked. iOS 4.3 introduces Address Space Layout Randomization (ASLR), and his exploit code did not take measures to defeat this operating system protection.

The next platform to be tested was BlackBerry OS running on a BlackBerry Torch 9800, and this was duly cracked by a team made up of Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmann. Iozzo and Weinmann are also Pwn2Own veterans, pwning the iPhone in 2010. The BlackBerry OS attack exploited a flaw in the operating system's new WebKit-based browser. As with the other hacks demonstrated at the competition, merely visiting a specially-crafted Web page was sufficient to compromise the device.

The trio of researchers said that attack was difficult to pull off, not because of operating system protections like Data Execution Prevention (DEP) and ASLR—BlackBerryOS 6 lacks both—but because the system is essentially a black box, with no public documentation about its internals, few useful software tools, and little known about its workings. Even after finding the initial security flaw, converting this into a useful exploit was difficult. In the event, they had to chain together three separate flaws to achieve a successful compromise, using information garnered from two information disclosure issues in conjunction with a third integer overflow flaw to run their exploit code.

WebKit, in contrast to BlackBerry OS, is open source and widely studied as a result of its use in both Chrome and Safari: in moving to the modern browser, RIM has arguably made its platform more approachable to hackers and researchers alike. Were it not for this obscurity, the lack of DEP, ASLR, and code signing would leave it easy to attack, with Iozzo describing it as "way behind the iPhone at the moment, from a security perspective."

The attack was demonstrated on BlackBerry OS 6.0.0.246. RIM has shipped a newer firmware since, but Pinckaers has confirmed that the flaw still exists.

Also due to be tested on Thursday were Firefox, and phones running Android and Windows Phone 7. However, Firefox contestant Sam Thomas withdrew as he felt his exploit wasn't stable, and the competitors on the other platforms failed to turn up. This means that those platforms, in addition to Chrome (which also had its attacker withdraw), are so far undefeated. There is a possibility that this may change on Friday, the final day of the competition.

Listing image by Brian Rowe