No Winning Exploit Found For Chrome OS At Annual Hacking Competition, Pwnium 3

Google’s operating system Chrome OS survived all attempts to hack it at this year’s Pwnium 3 competition, which took place at the CanSecWest security conference in Vancouver, BC this week. Google, which was offering up $3.14159 million in prize money (get it, Pi money?), said that there was no winning entry, but it was in the process of evaluating some exploits for partial credit.

The focus for this year’s Pwnium 3 was on Chrome OS, and Google’s big push behind its operating system, recently introduced in the new, high-end Chromebook Pixel touchscreen laptop, also included increased rewards for hackers finding exploits. Although rewards in previous years maxed out at $60,000 for Chrome browser exploits, the company had earmarked up to $3.14 million for hacks on the OS. That was largely just a clever marketing gimmick, however, and the actual potential payouts were much lower:

The two reward levels offered this year included:

  • $110,000: browser or system level compromise in guest mode or as a logged-in user, delivered via a web page.
  • $150,000: compromise with device persistence — guest to guest with interim reboot, delivered via a web page.

And, as always, partial credit was offered for incomplete or unreliable exploits.

The hacks had to be demonstrated against a base Wi-Fi model of the Samsung Series 5 500 Chromebook, running the latest stable version of the Chrome operating system. Hackers could use any of the installed software, including the kernel and drivers, to attempt their attacks.

A Google spokesperson confirmed the Pwnium 3 hacking contest completed without a winning entry, via the following statement:

Pwnium 3 has completed and we did not receive any winning entries. We are evaluating some work that may qualify as partial credit. Working with the security community is one of the best ways we know to keep our users safe, so we’re grateful to the researchers who take the time to help us in these efforts.

Chrome OS, which is a Linux-based operating system running a Chrome browser, may have been more difficult to hack thanks to ten bug fixes which arrived just before the competition. Six of these were high-level bugs and four earned payouts of $1,000-$2,000 from Google’s ongoing efforts to reward researchers for finding bugs.

Pwnium 3 ran alongside the browser-focused Pwn2Own, which wraps up today. During day one of that event, all browsers except Safari proved vulnerable to attacks, but only because none of the entrants decided to take on Safari this year. The Chrome browser issue discovered yesterday has now been fixed. During day 2, Adobe Reader, Flash and Java also fell.