Contestants will choose the device they wish to compromise during pre-registration with phones such as the BlackBerry Bold 9930, Samsung Galaxy S3, Nokia Lumia 900, and the iPhone 4S as some of the options. The exact OS version, firmware and model numbers will also be coordinated during pre-registration. The only requirement is that it be a current device and running the latest operating system. For those registering on-site, the devices listed above will be available if the target is not already compromised.
A successful attack against these devices must require little or no user interaction and must compromise or exfiltrate useful data from the phone. Any attack that can incur cost upon the owner of the device (such as silently calling long-distance numbers, eavesdropping on conversations, and so forth) is within scope. To avoid interfering with licensed carrier networks, all RF attacks must be completed within the provided RF isolation enclosure. The vulnerabilities utilized in the attack must be an 0-day.
What's a competition without prizes? A successful compromise of any of these targets will win the contestant the cash prize, the device itself, and 20,000 ZDI reward points which immediately qualifies them for Silver standing. (Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions over the next calendar year, 25% reward point bonus on all ZDI submissions over the next calendar year and paid travel and registration to attend the 2013 DEFCON Conference in Las Vegas.)
On top of that, the first researcher to compromise a device for each of the vectors will receive a BlackBerry PlayBook as well as the prize money listed below.
- Mobile Web Browser - $20,000 USD
- NFC - $40,000 USD
- SMS - $40,000 USD
- Cellular Baseband - $100,000 USD
More information about Pwn2Own from TippingPoint
Discuss in the forums
