Chrome OS withstands hacks to keep Google’s $3 million bounty safe

Not even $3.14159 million was motivation enough for competitors to hack into the Chrome OS. Google’s operating system survived many attempts by hackers trying to find a security hole at this year’s Pwnium 3 event.

Google was offering up to $3.14159 million in prize money and announced that there was no winning entry, but it was in the process of evaluating some exploits for partial credit.

Unlike the past years, the 2013 Pwnium 3 was on Chrome OS instead of just the Chrome browser. It’s part of the big push from Google to focus on the OS, which was recently introduced in the high-end Chromebook Pixel touchscreen notebook. Pwnium 3 also included rewards for hackers finding exploits as well.

Visibly like a desktop OS now...

Chrome OS is impregnable for now.


Partial credit was offered to those who could come up with incomplete or unreliable exploits. The hacks had to be demonstrated against a base Wi-Fi model of the Samsung Series 5 500 Chromebook, running the latest stable Chrome OS release. Hackers were allowed to use any of the installed software on the systems, including the kernel and drivers, to attempt their attacks.

A Google spokesperson confirmed through a Google+ post that the Pwnium 3 hacking contest completed without a winning entry coming up. “Pwnium 3 has completed and we did not receive any winning entries. We are evaluating some work that may qualify as partial credit. Working with the security community is one of the best ways we know to keep our users safe, so we’re grateful to the researchers who take the time to help us in these efforts.

The hack on Chrome OS, a Linux-based operating system, could have been more difficult this year as ten bug fixes arrived just before the competition began. Six of these fixes were for high-level bugs and were rewarded appropriately. Four other bug fixes earned payouts of $1,000 to $2,000 from Google for their efforts in finding the bugs.

This year’s competition offered two reward levels. Hackers could get $110,000 for a browser or system-level compromise in guest mode or as a logged-in user, delivered via a web page. And $150,000 was on offer for a compromise with device persistence (guest to guest with interim reboot) delivered via a web page.

Pwnium 3 wasn’t the only competition run by Google to test their products. The company also had the famous browser-centric Pwn2Own competition. During day one of that event, all browsers which were taken on by competitors were hacked. None of the entrants decided to take a shot at breaching Safari this year. Mozilla’s Firefox and Chrome were both victims of successful hacks, which were promptly fixed by the respective companies. For their hack of Chrome on Windows 7 MWR Labs won $100,000.

Vupen Security successfully pwned IE10 on MS Surface Pro, finding two zero-day exploits to achieve a full Windows 8 compromise with sandbox bypass. The company also succesfully targetted Java and the Firefox browser exploiting a 'Use-after-free' vulnerability. Taking down IE10 netted Vupen $100,000, while the Firefox and Java hacks earned them $60,000 and $20,000 respectively.

Published Date: Mar 11, 2013 09:47 AM | Updated Date: Mar 11, 2013 09:47 AM