Inside Pwn2Own’s High-Stakes Industrial Hacking Contest
Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference.[1] First held in April 2007 in Vancouver,[2] the contest is now held twice a year,[3] most recently in April 2021.[4] Contestants are challenged to exploit widely used software[5] and mobile devices with previously unknown vulnerabilities.[6] Winners of the contest receive the device that they exploited and a cash prize.[7] The Pwn2Own contest serves to demonstrate the vulnerability of devices and software in widespread use while also providing a checkpoint on the progress made in security since the previous year.
Pwn2Own continues to be sponsored by Trend Micro's Zero Day Initiative, with ZDI reporting vulnerabilities to vendors before going public with the hacks.[3] "One of the largest hacking contests in the world" according to TechCrunch,[22] as of 2019 the contest continues to be held several times a year.[7] Pwn2Own Tokyo was held November 6 to November 7 in Tokyo, Japan, and was expected to hand out $750,000 in cash and prizes.[22] Hacks focus on browsers, virtual machines, computers, and phones.[3] In 2019, the contest added cars for the first time, with $900,000 offered for hacks exploiting Tesla software.[3] In 2019, the contest added industrial control systems.[23]
A March 2019 contest took place in Vancouver at the CanSecWest conference, with categories including VMware ESXi, VMware Workstation, Oracle VirtualBox, Chrome, Microsoft Edge, and Firefox, as well as Tesla.[3] Tesla entered its new Model 3 sedan, with a pair of researchers earning $375,000 and the car they hacked after finding a severe memory randomization bug in the car's infotainment system.[22] It was also the first year that hacking of devices in the home automation category was allowed.[41]
In October 2019, Politico reported that the next edition of Pwn2Own had added industrial control systems.[23] Pwn2Own Tokyo was held November 6 to November 7, and was expected to hand out $750,000 in cash and prizes. Facebook Portal was entered, as was the Amazon Echo Show 5, a Google Nest Hub Max, an Amazon Cloud Cam and a Nest Cam IQ Indoor. Also entered was the Oculus Quest virtual reality kit.[22] In 2019, a team won $60,000 hacking into an Amazon Echo Show 5. They did so by hacking into the "patch gap" that meshed older software patched onto other platforms, as the smart screen used an old version of Chromium.[99][7] The team shared the findings with Amazon,[41] which said it was investigating the hack and would take "appropriate steps."[99]
JACK: Okay, so the head unit is just the electronics inside the car, the infotainment system on the front dashboard, really, because that head unit can basically control the whole car. If you can exploit that, you can pretty much take over the whole car. They shipped these head units out to some of the contestants like Richard and Amat to try to hack into it.
ZDI said that 22 contestants (individuals or groups) launched 58 attempts. In each attempt, the researcher has 30 minutes to successfully get control over the target, with points (and money) being awarded not only for hacking the device, but also for the use of zero-day bugs.
05:21 Joel: Thank you, Don. Alright. So on April 19th through 21st of this year, Trend Micro's Zero Day Initiative brought their Pwn2Own competition back to the industrial control systems world for a second time at the S4 2022 conference in Miami. Inductive Automation eagerly participated after a successful ICS Pwn2Own at S4 2020. Ignition was registered in the control server category as one of 10 products selected as competition attack targets. Rules of engagement dictated that attempts be launched against the target's exposed network services or by opening default file types from the contestant's laptop. An entry is deemed successful by resulting in arbitrary code execution. It may sound a little counterintuitive, but participating in events like Pwn2Own is actually incredibly valuable, both for us on the design side and end-users, because it offers a safe way to test defenses and make improvements without high-stakes consequences, which is a good thing since industrial systems are among the highest of value targets for malicious hackers and unfortunately, also among the most vulnerable.
The security industry faces a tough and growing problem: many of the fundamental decisions that affect security are made by people who don't have the right cyber skills or experience. This talk describes how the creation of a realistic, hands-on wargame environment can be leveraged not only to teach participants about attack and defense but also to enable other organizational advantages. The game environment puts two attacking teams competing in parallel against a single defending team, with all teams evaluated and scored. The game environment role-plays different attack motivations, techniques and mindsets, with one team playing as hacktivists and the other playing as a nation state. The defending team manages a diverse mix of IT and OT assets, including an emulated oil refinery comprised of SCADA and HMI using industrial control protocol communications. The game also leverages the human dimension, including insider threat and social engineering. The game runs 2.5 hours from start to finish: a short intro brief, after which teams move to their operations areas for team briefings, then an hour of gameplay, concluding with team post-briefs. Winning teams are often those that communicate best. The defending team has the most scoring opportunity but faces the toughest challenges. This talk will present the technical architecture of the game environment for technical attendees interested in building their own. Our talk will present the business value of the game for non-technical attendees interested in promoting their organizational capability, building brand awareness, or creating a customer-oriented training service. We will also show screenshots, videos and detailed diagrams giving all attendees a close view of how the game is built and delivered.
In March this year, the CanSecWest Security Conference took place in Vancouver, Canada. The event featured a Pwn2Own hacking competition during which the first-ever automotive hacking contest took centre stage.