Pwn2Own is an annual hacker competition sponsored by security provider TippingPoint and held at the CanSecWest security conference.
Pwn2Own encourages experts to hack devices and software across different platforms in order to win the hacked device and a cash prize. Once a device has been hacked, TippingPoint produces a detailed report on how the hacker exploited the software and makes it available to the product vendor. These reports alert the vendor to the flaw and help it fix the critical portions of its software.
Back in Pwn2Own 2010, a group of hackers managed to hack the Apple iPhone and Internet Explorer 8. TippingPoint will not disclose any information about how the software was hacked until the vendors have resolved the issues.
The goal of Pwn2Own has always been to make its hacker targets more secure. The vulnerabilities exploited by participants are reported privately to product vendors and kept under lock and key until the company can release a patch. In this case, the competition aims to highlight a set of targets with more devastating potential consequences than ever before.
Pwn2Own’s new focus on industrial control systems also puts software that has long stayed out of the public eye to the test. Most of the companies represented here do not usually make this code available to security researchers and only agreed to do so at the request of the S4 conference. (Two major producers of industrial control software, GE and Siemens, were notably absent.) These companies also do not offer their own “bug bounty” rewards, which means that security researchers have neither access nor incentive to find bugs.
It also comes at a time when hacking of industrial control systems is increasingly taking place in the real world. The attacks that caused power outages at Ukraine’s power utilities in 2015 and 2016, the Triton malware that a year later was designed to disable safety systems at a Saudi oil facility, and recent evidence that Iranian hackers are working on developing attacks against the supply chain of industrial control systems all demonstrate the seriousness of the threat.
It is therefore significant that the Pwn2Own participants had three months to study the industrial control system software that was to be the target of the competition and to develop their hacking techniques before the event. It was the first chance in many of their careers to hack industrial control systems, considering that most of the software licenses cost thousands of dollars.
Seeley, a full-time vulnerability researcher who has reported more than a thousand software bugs in Trend Micro’s “Zero Day Initiative” bug bounty program over the past five years, says he found industrial control system software “much softer” than what he normally investigates.
But during the three-day competition, participants successfully hacked each of the eight industrial control system applications presented to them. The hackers were able to achieve remote code execution on any target except an OPC UA server, for which they only achieved a denial of service attack that crashed the target software. Some of the competition targets were even hacked more than once, with multiple teams finding the same hackable bugs or digging up different bugs.
The Intensity of Competitive Hacking
Pwn2Own offered a $25,000 reward to hackers who could exploit the target software to demonstrate seamless remote code execution on the victim machine. However, points were deducted when the organizers discovered that the same problem had already been reported in recent weeks to Trend Micro’s Zero Day Initiative by a researcher who had somehow gained access to the software, even though the reported bug had not yet been fixed. The members of the team that won the most individual awards would each receive an additional Master of Pwn award of $25,000. On the first day of Pwn2Own, Team Incite took the lead early on by compromising a Rockwell Automation HMI.
Two other teams – academics from Ruhr University Bochum in Germany and independent researchers known as the Flashback Team – stormed past Seeley and Anastasio in the rankings as both teams hacked two different parts of a common industrial software, uncovering vulnerabilities in a total of four products: another HMI application from Rockwell Automation, two control servers sold by Iconics, and a third sold by Inductive Automation.
On day two, Seeley and Anastasio faced another setback when they tried and failed to obtain remote code execution on another HMI sold by Schneider Electric, which was later successfully compromised by another team. But on the third day, the two-man team staged a comeback, demonstrating two more remote code executions against two other targets and another denial of service attack for an additional $5,000. That gave them just enough points to narrowly beat their rivals from Ruhr University Bochum.
Team Incite shows its Master of Pwn trophy.
In a moment of great drama, Seeley and Anastasio first failed in their attempt to hack a Rockwell Automation workstation used to configure HMIs and industrial control computer equipment. As the countdown clock ran down, they managed to fix the configuration problem in their hacking technique, and on a second attempt they got it working with just five seconds to spare – a buzzer-beater that earned them the Master of Pwn trophy.
Patches and Other Improvements
Even though every single piece of software fell to hackers, the competition still signaled a positive outcome, according to Roger Hill, Security Portfolio Manager at Rockwell Automation. Hill argues that in some cases Rockwell Automation software could have been configured more securely: the competition used default settings that lacked some safeguards Rockwell’s customers can enable, including a component referred to as CIP Security, which adds an extra authentication step.
Nevertheless, pointing out bugs in critical software – and even releasing fixes for them – does not necessarily solve the underlying problem. Industrial plants often don’t patch because they don’t want to risk the service disruption that installing a software update could cause, says Emily Crose, a penetration tester at Dragos, a security company focused on industrial control systems.
And if a collection of two-person hacker teams, with an incentive of only $25,000, can find hackable bugs in industrial control system software within a few months, so can government-sponsored hackers with larger budgets, timelines measured in years, and far more malicious intentions.