Can You Hack Chrome OS? Google Might Give You $3 Million


Google today announced its third Pwnium hacking competition, but this year’s contest – and more than $3 million in prize money – will focus on Chrome OS rather than the Chrome browser.

Pwnium 3 will take place at the CanSecWest security conference in Vancouver on March 7. Google said it has been working with the Zero Day Initiative (ZDI) on the conference’s rules and decided that since Chrome is already featured in the larger Pwn2Own competition, Pwnium 3 will have a new focus: Chrome OS.

Google promised to dole out up to $3.14159 million in rewards, including $110,000 for each browser or system level compromise in guest mode or as a logged-in user, delivered via a Web page; and $150,000 for each compromise with device persistence – guest to guest with interim reboot, delivered via a Web page. Google might issue partial rewards, depending on what people create.

“We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems,” wrote Chris Evans with the Google Chrome security team, in a blog post.

The attack must be carried out via the Wi-Fi version of the Samsung Series 5 Chromebook 550, running the latest version of Chrome OS.

“Any installed software (including the kernel and drivers, etc.) may be used to attempt the attack,” Evans wrote. “For those without access to a physical device, note that the Chromium OS developer’s guide offers assistance on getting up and running inside a virtual machine.”

“Standard Pwnium rules apply: the deliverable is the full exploit plus accompanying explanation and breakdown of individual bugs used. Exploits should be served from a password-authenticated and HTTPS-supported Google property, such as Google App Engine,” he continued. “The bugs used must not be known to us or fixed on trunk. We reserve the right to issue partial rewards for partial, incomplete or unreliable exploits.”

In October, Google awarded $60,000 to a hacker who uncovered a bug in Chrome at Google’s Pwnium 2 competition at Hack in the Box 2012 in Kuala Lumpur. In March – at the first Pwnium – a Russian teenager demonstrated the first zero-day exploit in Chrome in years, which Google patched within 24 hours.

By Chloe Albanesius, PCMag

