Can you hack Chrome OS? Google has over $3 million for you

Google has announced a whopping $3 million prize for its third Pwnium hacking competition. Unlike the last two years, this year's edition will focus on Chrome OS rather than the Chrome browser.

The prize money for the event is $3.14159 million (approx Rs 17 crore), to be precise, and the contest will be held in Vancouver on March 7. The Mountain View company said on its Chromium blog that since Chrome is already featured in the larger Pwn2Own competition, Pwnium 3 will focus on the Chrome OS. Google has been pushing the Chrome OS to OEMs in the light of flagging Windows PC sales.

Samsung Series 5 550 Chromebook

The Samsung Series 5 550 Chromebook will have to be hacked into.


The prize money includes $110,000 for each browser or system level compromise in guest mode or as a logged-in user, delivered via a Web page, and $150,000 for each compromise with device persistence—guest to guest with interim reboot, delivered via a Web page. Google might issue partial rewards too, depending on what people create. More importantly, Google thinks the rewards for the challenge are commensurate with what the hackers will be up against. A blog post states, “We believe these larger rewards reflect the additional challenge involved with tackling the security defenses of Chrome OS, compared to traditional operating systems.

The attack must be demonstrated against a base (Wi-Fi) model of the Samsung Series 5 550 Chromebook, running the latest stable version of Chrome OS. Any installed software (including the kernel and drivers, etc.) may be used to attempt the attack. For those without access to a physical device, note that the Chromium OS developer’s guide offers assistance on getting up and running inside a virtual machine,” wrote Chris Evans, part of the Google Chrome security team.

Evans added, “Standard Pwnium rules apply: the deliverable is the full exploit plus accompanying explanation and breakdown of individual bugs used. Exploits should be served from a password-authenticated and HTTPS-supported Google property, such as Google App Engine. The bugs used must not be known to us or fixed on trunk. We reserve the right to issue partial rewards for partial, incomplete or unreliable exploits.

Last October, Google awarded $60,000 to a hacker who discovered a bug in Chrome at Google's Pwnium 2 competition in Kuala Lumpur. And in March 2012, a Russian teenager demonstrated the first zero-day exploit in Chrome in years at the first Pwnium, which Google patched within 24 hours.

Published Date: Jan 29, 2013 05:57 pm | Updated Date: Jan 29, 2013 05:57 pm