Inside Pwn2Own’s High-Stakes Industrial Hacking Contest
Credit to Author: Andy Greenberg| Date: Thu, 23 Jan 2020 20:35:19 +0000
At Pwn2Own, hackers had no trouble dismantling systems that help run everything from car washes to nuclear plants.
On a small, blue-lit stage in a dim side room of the Fillmore Theater in Miami on Tuesday, three men sat behind laptops in front of a small crowd. Two of them nervously reviewed the commands on a screen in front of them. Steven Seeley and Chris Anastasio, a hacker duo calling themselves Team Incite, were about to attempt to take over the Dell laptop sitting a few inches away by targeting a very particular piece of software it was running: A so-called human-machine interface, sold by the industrial control systems company Rockwell Automation.
Rockwell HMIs appear in industrial facilities around the world, used for manipulating the physical equipment in everything from car washes to nuclear plants. In other words, a hacker can do very dangerous things if they manage to hijack one.
A soft beep signaled that a five-minute countdown timer had started. Seeley hit the enter key on his keyboard. A tense 56 seconds passed as the hackers looked back and forth at their screens and the target. Finally, they both flashed a relieved smile. Seeley mimed wiping sweat from his brow. The third person on the stage, a gruff-looking bald man with a goatee, turned the Dell around, à la Vanna White, revealing the laptop was now running Microsoft Paint. The room broke into applause.
The innocuous Paint application, Seeley explained as he exited stage left, serves as a stand-in for any malicious software of the hacker's choosing. It could just as easily have been full-featured malware that automatically interacts with equipment, or a basic "shell" that would allow a hacker to manually run commands on the target machine. What mattered is that Incite had just proven that they could exploit a bug in Rockwell's HMI to achieve so-called "remote code execution." They could run any program they wanted on the target computer from across the network or even the internet, in this case with no interaction from the victim. "We control this machine," Seeley said simply.
Seeley and Anastasio had just pulled off the first full takeover of a computer at this week's Pwn2Own, the latest round of the world's biggest hacking competition—so named because the hackers get to take home the computers they "pwn," cybersecurity slang for "hack" or "control."
But this isn't like previous Pwn2Own events, which have run for more than a decade and pitted hackers against everything from web browsers to phones to cars. Pwn2Own Miami, held at the S4 industrial control system security conference, has focused its participants' skills for the first time exclusively on industrial control software. Every target is an application that touches physical machinery. The compromises could in many cases have catastrophic effects, from blackouts to life-threatening industrial accidents.
The goal of Pwn2Own has always been to make its hacking targets more secure. The secret vulnerabilities that contestants exploit are discreetly reported to on-site product vendors, and kept under wraps until the company can release a patch. In this case, the competition aims to highlight a set of targets with more devastating potential consequences than ever before.
"There's a potential for a bad actor to do a lot of damage if they wanted to."
Steven Seeley, Team Incite
It also comes at a time when industrial control system hacking has increasingly materialized in the real world. The blackout attacks that hit electric utilities in Ukraine in 2015 and 2016, the Triton malware designed to disable safety systems in a Saudi oil facility a year later, and more recent hints that Iranian hackers are working to develop industrial control system supply chain attacks all demonstrate the severity of the threat.
"This is the software that runs the critical infrastructure of the world," says Brian Gorenc, the head of vulnerability research at Trend Micro and the lead organizer of Pwn2Own. "If we want to defend against state-sponsored attacks, this is where we want to find the vulnerabilities, before they’re used in the wild."
Pwn2Own's new focus on industrial control systems also brings public scrutiny to software that has long lacked it. Most of the companies here typically don't make that code available to security researchers, and only agreed to provide it at the S4 conference's request. (Two major industrial control system software makers, GE and Siemens, were notably absent.) Nor do these companies offer their own "bug bounty" rewards, meaning security researchers have neither the access nor incentive to find flaws.
So it's significant that the Pwn2Own participants were given three months to study the industrial control system software that would serve as the contest's targets, developing their hacking techniques ahead of the competition. It was the first chance in many of their careers to hack industrial control systems, given that most of the software licenses cost thousands of dollars.
And yet over the three-day competition, contestants successfully hacked every one of the eight industrial control system applications put before them. The hacker contestants managed to achieve remote code execution on every target except an OPC UA server, for which they achieved only a denial-of-service attack that crashed the target software. Some of the targets in the contest were even hacked more than once, with multiple teams finding the same hackable flaws or digging up different ones.
Seeley, a full-time vulnerability researcher who has reported more than a thousand software flaws to Trend Micro's "Zero Day Initiative" bug-bounty program over the last five years, says he found industrial control system software "a lot softer" than what he typically studies. "Given the bugs we found for this competition, there's a potential for a bad actor to do a lot of damage if they wanted to," he says. "It's quite frightening, to be honest."
Pwn2Own offered hackers as much as $25,000 if they could exploit the target software to demonstrate seamless remote code execution on the victim machine. The members of whichever team won the most individual awards each get another $25,000 Master of Pwn award. On the first day of Pwn2Own, Team Incite took an early lead with their takeover of the Rockwell Automation HMI. But their points were discounted when the organizers found that the same issue had been reported to Trend Micro's Zero Day Initiative in recent weeks by a researcher who had somehow finagled access to the software—even though the reported bug has yet to be patched.
Two other teams—academics from Ruhr University Bochum in Germany and independent researchers known as Flashback Team—surged past Seeley and Anastasio in the standings when both teams hacked two different pieces of common industrial software, exposing vulnerabilities in a total of four products: a different Rockwell Automation HMI application, two control servers sold by Iconics, and a third sold by Inductive Automation.
On day two, Seeley and Anastasio faced another setback when they tried and failed to gain remote code execution on another HMI sold by Schneider Electric, which another team later successfully compromised. But on the third day, the two-man team staged a comeback, demonstrating two more remote code executions against two more targets, as well as another denial-of-service attack for an extra $5,000. That gave them just enough rewards to barely edge out the competitors from Ruhr University Bochum.
In one moment of high drama, Seeley and Anastasio initially failed at their attempt to hack a Rockwell Automation workstation used for configuring HMIs and industrial control computing equipment. With the countdown clock running out, they managed to sort out the configuration issue in their hacking technique and make it work on a second try, with just five seconds remaining—a buzzer beater that would clinch the Master of Pwn trophy for them. "It was one of the most intense moments in the history of Pwn2Own," says Gorenc.
Even though every single piece of software fell to hackers, the contest nonetheless signaled a positive outcome, says Roger Hill, the security portfolio manager for Rockwell Automation. "I’m not here to walk away squeaky clean. I'm here to get high-quality security testing," Hill says. He argues that in some cases, Rockwell's software could have been configured more securely: The contest used default settings that lacked some protections Rockwell's customers can implement, such as a feature called CIP security that adds an extra layer of authentication. But Hill admits that many of Rockwell's customers don't have those security measures in place, either. "If we had put our best foot forward, we could have walked away unscathed," Hill claims. "But I'm not sure that’s representative of most of our customers."
Still, pointing out the flaws in critical software—and even creating fixes for them—doesn't necessarily solve the underlying problem. Industrial facilities often don't patch, not wanting to risk any disruption to their services that introducing a software update might cause, points out Emily Crose, a penetration tester for industrial control system security firm Dragos. "It's possible we could see that attack show up in eight months," Crose said after watching a team from security firm Claroty hack an HMI sold by Schneider Electric, using two vulnerabilities chained together. "Bless 'em, they're doing the right thing by putting a patch out there, but it's one of those 'you can lead a horse to water but you can't make them drink' things."
Still, Crose argues that a high-profile demonstration of industrial control system hacking might help to dispel any sense that the software in critical infrastructure is inherently secure. Instead, she hopes it will convince users of those systems that they need "defense-in-depth," layers of security that don't rely on any single software component.
After all, if a collection of two-hacker teams incentivized with a mere $25,000 can hunt down hackable flaws in industrial control system software in a matter of months, the state-sponsored hackers with bigger budgets, years-long timelines, and far more malicious intentions can, too.