Pwn2Own 2012: Changed rules, bigger prizes, no more mobile hacks

Pwn2Own, one of the most anticipated hacking contests that takes place each year at the CanSecWest conference in Vancouver, British Columbia, is set to unfold under dramatically different rules this year.

First and foremost, smartphone hacking is no longer on the table – Pwn2Own returns to its roots and will welcome only researchers targeting Microsoft Internet Explorer, Apple Safari, Google Chrome and Mozilla Firefox, running on Windows or Mac OS.

This year's edition will also reward the three most successful participants with cash prizes of $60,000, $30,000 and $15,000, respectively (plus the laptops they manage to compromise).

It used to be that once a target had been compromised, it was made unavailable for other contestants to try their luck on it. A random drawing was used to determine the order in which they would have a go at it.

This year, a successfully compromised target will not be pulled from the competition. All contestants can attack all targets during the whole three days of the contest, and the contest will be point-based.

“Any contestant who demonstrates a working 0day exploit against the latest version of the browser will be awarded 32 points,” say the rules. “When the contest begins we will be announcing 2 vulnerabilities per target that were patched in recent years. The first contestant (or team) who is able to write an exploit for the announced vulnerabilities will be awarded 10, 9, or 8 points depending on the day the exploit is demonstrated.”

For exploiting the already known vulnerabilities, contestants will only have to overcome DEP, and don’t have to escape from a sandbox or protected mode. The browsers will be installed on Windows XP and Snow Leopard, and their versions will be made public at the beginning of the contest.

For the zero-days, hackers will be targeting browsers on fully patched Windows 7 and Mac OS X Lion machines. Also, one requirement that contestants must fulfill in order to win is to demonstrate at least one zero-day vulnerability on one of the targets.

As in the previous year, Google is offering special prizes for Chrome “ownage”: $20,000 for a set of bugs present only in Chrome that allow full unsandboxed code execution, and $10,000 for a compromise that used bugs both in Chrome and the OS for the same type of code execution. It is also interesting to note that researchers can demonstrate as many attacks as they can – each unique exploit will be rewarded with the same prize – so they can, theoretically, earn quite a lot of money.

As always, the vulnerabilities discovered by the winners and the exploits they developed for them become property of the contest organizer, HP’s TippingPoint Zero Day Initiative. But, as some researchers have noted, the new rules mean that one can reveal zero-day vulnerabilities and not be a winner, and that’s something that will make them think twice about participating.
