The very first Pwn2Own hacking competition that exclusively focuses on the industrial control systems (ICS) has kicked off in Miami. So far, a total of $180,000 has been awarded for pwning five different products.
The contest hosts at Trend Micro’s Zero Day initiative (ZDI) have allocated more than $250,000 in cash and prizes for the contest, which is testing eight targets across five categories.
So far, two teams are the big winners. The Horst Goertz for IT-Security team (Tobias Scharnowski, Niklas Breitfeld and Ali Abbasi) and the Flashback team (Pedro Ribeiro and Radek Domanski) both have $75,000 in winnings going into Day Three.
On Day One, overall, there were six successful hacking attempts and two partially successful attempts against eight hacking targets, according to ZDI. On Day Two, there were three successful hacks and two partials against four total targets.
Prizes and Categories
The categories include Control Servers, which covers server solutions that provide connectivity, monitoring and control across disparate programmable logic controllers (PLCs) and other field systems. The specific targets in this category include control servers from Iconics and Inductive Automation.
OPC Unified Architecture (OPC UA) Servers is another category, encompassing two targets: The Unified Automation ANSI C Demo Server and the OPC Foundation OPC UA .NET Standard. OPC UA serves as the universal translator protocol in the ICS world, used by almost all ICS products to send data between disparate vendor systems.
The DNP3 Gateway category features the Triangle Microworks SCADA Data Gateway product as a target. DNP3 is a set of communications protocols used between various components in ICS systems, and is a primary protocol in the North American Electric Grid. “If the Data Gateway could be compromised, it could serve as a launching point for other attacks within the ICS, or even blind the energy management system (EMS),” according to ZDI.
Human Machine Interface (HMI)/Operator Workstation is the fourth category. The HMI connects the operator of an ICS to the various hardware components of the ICS. Attackers that take over the HMI can also prevent the operator from seeing process issues in the ICS until it is too late.
The HMI category consists of the Rockwell Automation FactoryTalk View SE product and the Schneider Electric EcoStruxure Operator Terminal Expert. Rockwell Automation’s HMI has a large deployed base in manufacturing and is seen in most other sectors as well. The Schneider Electric product is also found in multiple sectors.
And finally, hackers are taking aim at Engineering Workstation Software (EWS), which directly communicates and can configure primary control equipment such as PLCs, and it can also configure role-based mechanisms.
“Attacks on the EWS were seen in the Stuxnet malware, and attackers are focusing on EWS given that it allows them to alter the process,” ZDI explained.
Day 1 Highlights
The Horst Goertz for IT-Security team was the big winner of Day One. They used an out-of-bounds (OOB) access exploit to gain code execution against the Rockwell Automation FactoryTalk View SE in the HMI category, earning them $25,000. And later in the day, they earned an additional $25,000 for using an OOB Access bug to gain code execution on the Iconics Genesis64.
The Flashback team won big as well, after gaining remote code execution with continuation against Iconics Genesis64 with a combination of two bugs. They were ultimately able to gain a system-level remote shell on the target server, earning $25,000.
The Flashback team also successfully used an information leak and an unsafe deserialization bug to gain code execution on the Inductive Automation Ignition in the Control Server category, earning an additional $25,000.
Besides these big hacks, Day One also saw success from the Claroty team. They used a deserialization bug to cause a denial of service (DoS) in the Iconics Genesis64 in the Control Server category, earning $5,000.
The Incite Team of Steven Seeley and Chris Anastasio meanwhile used a stack-based overflow to cause a DoS on the Triangle Microworks SCADA Data Gateway, also earning them $5,000. The team also logged a partial success against the target, demonstrating remote code execution (RCE). However, the bug used had been previously reported, so no money was earned.
And finally, Fabius Artrel had partial success against the Rockwell Automation FactoryTalk View SE, and achieved remote code execution with continuation against this target. However, this bug had also been previously reported and he ended the day with empty pockets.
Day 2 Highlights
On Day Two, the Incite Team saw a big win when they gained remote code execution at system level with continuation against the Inductive Automation Ignition in the Control Server category. They used an information leak along with a deserialization bug to achieve success, earning $25,000.
The Flashback team added to their earnings on Day Two. They gained remote code execution with continuation against the Rockwell Automation Factory Talk View SE on Day Two using a multi-bug chain, also raking in $25,000.
The Claroty team meanwhile used an arbitrary DLL loading bug along with a directory traversal bug to gain remote code execution on the Schneider Electric EcoStruxure Operator Terminal Expert in the HMI category, earning $20,000.
The Horst Goertz for IT-Security team and the Claroty team both earned partial credit for successful remote code execution with continuation against the Inductive Automation Ignition; in both cases, they used bugs that had been previously reported.
Ben McBride of Oak Ridge National Laboratory also saw partial credit, for achieving remote code execution with continuation against the Rockwell Automation FactoryTalk View SE; this bug too had been previously reported.
“We’ve had discussions for years about running a Pwn2Own for ICS, but there are many challenges to holding such a contest,” contest organizers at said in a launch posting last October. “To overcome these issues, we worked with multiple people and companies within the ICS industry to ensure we have the right products and categories to create a meaningful test of the security of these products and protocols. As with our other contests, Pwn2Own Miami seeks to harden these platforms by revealing vulnerabilities and providing that research to the vendors. The goal is always to get these bugs fixed before they’re actively exploited by attackers.”