Hackers Pocket $400,000 After Gaining Access to ICS Platforms
Hackers have earned over $400,000 after demonstrating previously unknown vulnerabilities in industrial control systems. The program, dubbed Pwn2Own Miami, is in its second edition and has turned up dozens of previously undiscovered exploits against industrial control systems. The security researchers earned $400,000 in the process.
Hackers pocket $400,000
Pwn2Own Miami followed a similar format to more established hacking contests from Trend Micro’s Zero Day Initiative. Its focus, however, was on industrial control systems (ICS) rather than computers or mobile devices.
The event lasted for three days and on the final day, Daan Keuper and Thijs Alkemade from team Computest Sector 7 were crowned Masters of Pwn with 90 points and $90,000.
Besides the two, other researchers and bug bounty hunters successfully demonstrated previously unknown zero-day vulnerabilities in industrial control platforms. Organizers hailed the contest as an unqualified success.
Dustin Childs, communications manager for Trend Micro's ZDI program, said:
“The contest this year was three days of great research put on display. We were awarded $400,000 for 26 unique exploits.
“Our inaugural competition awarded $280,000, so it was great to see the contest grow – especially after being delayed due to the pandemic.”
Attacks against ICS
A good number of clever and subtle attacks against industrial control systems were developed for and showcased during the event.
On the web security front, Sam Thomas, director of research at UK security consultancy Pentest, was straight out of the traps on the first day, demonstrating an authentication bypass and a deserialization bug to achieve code execution on the Inductive Automation Ignition SCADA control software platform.
The contest was a worthwhile exercise for participants, according to Thomas.
Thomas told The Daily Swig: “As always [it was] a fun contest with interesting targets. [I was] lucky to be drawn first, but it seems like there weren’t many duplicates on this particular target which is interesting to see, hopefully [I will] scope to find something else for next year.”
Other researchers took a variety of other platforms apart, as detailed in a full run-down of the contest put together by ZDI.
Childs said: “One highlight was the bypass of the trusted application check in the OPC Foundation OPC UA .NET Standard by the Computest team. Not only does the bug have a broad impact, it’s one of the best submissions we’ve ever seen at a Pwn2Own event.”
“Others that stood out were the buffer overrun used by Claroty Research against Kepware KEPServerEx and the double-free bug used by Axel ‘0vercl0k’ Souchet against Iconics Genesis64,” they added.
Editions of ICS
Further installments of the ICS-focused edition of the wider Pwn2Own roster are in the works. Trend Micro ZDI told The Daily Swig that it wanted to build momentum behind the event by persuading more industrial control system vendors to become more closely involved.
“We saw some amazing exploits, and I know vendors are already hard at work developing patches for the bugs we disclosed to them,” Childs said.
“We are pleased with the growth we saw this year, and we’d love to see that continue. Ideally, we can partner with more vendors within the ICS/SCADA community to ensure we have the right targets and get them the best bugs possible to fix before they are exploited by threat actors.”