Apple iPhone, Windows XP, And FreeBSD Hacked at PHDays 2012, Moscow

6/4/2012

At Positive Hack Days 2012, an international forum on practical information security, participants in the Hack2own competition publicly hacked an Apple iPhone 4S and the popular Windows XP operating system. In addition, CTF contestants detected a new vulnerability in FreeBSD, while hackers taking part in the $natch competition showed how to steal money by exploiting vulnerabilities typical of remote banking systems. Russian hackers deserve a special mention.

Hacking iPhone

During PHDays Hack2own, Pavel Shuvalov, an information security expert from Russia, demonstrated a way to hack the Apple iPhone. The vulnerability he exploited was in the Office² Plus application distributed through the Apple App Store. As a prize, the winner received the iPhone 4S he hacked and 75,000 rubles. Pavel Shuvalov had become famous for his utility Vulndisco Mobile 1.7, designed for jailbreaking iOS-based devices. iOS itself proved a hard nut to crack: the main prize of 137,000 rubles, reserved for anyone who hacked the iOS shell without exploiting vulnerabilities in external applications, went unclaimed.

0Day Vulnerability in Windows XP

The popular Windows XP operating system was finally hacked by Nikita Tarakanov, an independent information security expert. To obtain the highest privileges in the system, Nikita exploited a new vulnerability in the system kernel. This finding made him the winner of the Hack2own competition in the Operating Systems category. Nikita was awarded 50,000 rubles. Notably, at last year's Positive Hack Days 2011, Nikita Tarakanov managed to hack the Safari browser for Windows.

Hacking Remote Banking Systems

The banking section, attended by both information security experts and representatives of financial organizations, concluded with the $natch competition. In front of the audience, hackers transferred various amounts of money to their virtual accounts by exploiting vulnerabilities typical of remote banking systems, and then cashed the money out at an ATM located nearby. The competition was won by Alexey Osipov, a senior student at Moscow Power Engineering Institute, who was able to steal 3,500 rubles from the bank.

Drones and FreeBSD 8.3

Sergey Azovsky, a national security specialist from Yekaterinburg, won a drone-hacking competition held as part of the PHDays CTF contest. Being "cousins" of unmanned aircraft, drones can be used for more than games: equipped with a camera, they can serve as spies. In the course of the contest, another CTF participant, a member of the Leet More team, detected a 0day vulnerability in FreeBSD 8.3. The vulnerability enables any local user to bypass security restrictions.

Dozens of Other Competitions

PHDays 2012 offered a great number of competitions on hacking and security assessment. The participants struggled with WPA-PSK encryption of Wi-Fi, cloned RFID tags at a long distance, searched for ways to bypass firewalls, hacked Cisco appliances, and guessed password encryption algorithms. In the near future we will provide detailed information about all competitions held at the PHDays 2012 forum and the names of their winners.