Industrial control insecurity laid bare during competition

Hackers earned $400,000 after demonstrating previously unknown vulnerabilities in industrial control systems

The second edition of Pwn2Own Miami has thrown up dozens of previously undiscovered exploits to industrial control systems, earning security researchers pay-outs of $400,000 in the process.

Pwn2Own Miami followed a similar format to more established hacking contests from Trend Micro’s Zero Day Initiative but with a different focus around industrial control systems (ICS) rather than computers or mobile devices.

At the end of the three-day event, Daan Keuper (@daankeuper) and Thijs Alkemade (@xnyhps) from team Computest Sector 7 were crowned Master of Pwn with 90 points and $90,000.

Other researchers and bug bounty hunters successfully demonstrated previously unknown zero-day vulnerabilities in industrial control platforms during the event, which organizers hailed as an unqualified success.

Dustin Childs, communications manager for Trend Micro’s ZDI program, told The Daily Swig: “The contest this year was three days of great research put on display. We awarded $400,000 for 26 unique exploits.

“Our inaugural competition awarded $280,000, so it was great to see the contest grow – especially after being delayed due to the pandemic.”

Catch up with the latest Internet of Things (IoT) security news

A variety of clever and subtle attacks against industrial control systems were developed for and showcased during the event.

On the web security front, Sam Thomas, director of research at UK security consultancy Pentest, was straight out of the raps on the first day in demonstrating an authentication bypass and a deserialization bug to achieve code execution on the Inductive Automation Ignition SCADA control software platform.

The contest was a worthwhile exercise for participants, according to Thomas.

Thomas told The Daily Swig: “As always [it was] a fun contest with interesting targets. [ I was] lucky to be drawn first, but seems like there weren’t many duplicates on this particular target which is interesting to see, hopefully [I will] scope to find something else for next year.”

Other researchers took a variety of other platforms apart, as detailed in a full run-down of the contest put together by ZDI.

DON’T MISS Hack Me, I’m Famous: Bug bounty hackathon nets security researcher €10,000 overnight

Childs said: “One highlight was the bypass of the trusted application check in the OPC Foundation OPC UA .NET Standard by the Computest team. Not only does the bug have a broad impact, it’s one of the best submissions we’ve ever seen at a Pwn2Own event.”

“Others that stood out were the buffer overrun used by Claroty Research against Kepware KEPServerEx and the double-free bug used by Axel ‘0vercl0k’ Souchet against Iconincs Genesis64,” they added.

Further editions of the ICS-focused edition of the wider Pwn2Own roster are in the works. Trend Micro ZDI told The Daily Swig that it wanted to build momentum behind the event by persuading more industrial control system vendors to become more closely involved.

“We saw some amazing exploits, and I know vendors are already hard at work developing patches for the bugs we disclosed to them,” Childs said.

“We are pleased with the growth we saw this year, and we’d love to see that continue. Ideally, we can partner with more vendors within the ICS/SCADA community to ensure we have the right targets and get them the best bugs possible to fix before they are exploited by threat actors.”

RELATED Pwn2Own Miami: Hackers scoop $250,000 in prizes during inaugural ICS security contest