On a small, blue-lit stage in a dim side room of the Fillmore Theater in Miami on Tuesday, three men sat behind laptops in front of a small crowd. Two of them nervously reviewed the commands on a screen in front of them. Steven Seeley and Chris Anastasio, a hacker duo calling themselves Team Incite, were about to attempt to take over the Dell laptop sitting a few inches away by targeting a very particular piece of software it was running: a so-called human-machine interface, sold by the industrial control systems company Rockwell Automation.
Rockwell HMIs appear in industrial facilities around the world, used for manipulating the physical equipment in everything from car washes to nuclear plants. In other words, a hacker can do very dangerous things if they manage to hijack one.
A soft beep signaled that a five-minute countdown timer had started. Seeley hit the enter key on his keyboard. A tense 56 seconds passed as the hackers looked back and forth at their screens and the target. Finally, they both flashed a relieved smile. Seeley mimed wiping sweat from his brow. The third person on the stage, a gruff-looking bald man with a goatee, turned the Dell around, à la Vanna White, revealing the laptop was now running Microsoft Paint. The room broke into applause.
The innocuous Paint application, Seeley explained as he exited stage left, serves as a stand-in for any malicious software of the hacker’s choosing. It could just as easily have been full-featured malware that automatically interacts with equipment, or a basic “shell” that would allow a hacker to manually run commands on the target machine. What mattered is that Incite had just proven that they could exploit a bug in Rockwell’s HMI to achieve so-called “remote code execution.” They could run any program they wanted on the target computer from across the network or even the internet, in this case with no interaction from the victim. “We control this machine,” Seeley said simply.
Seeley and Anastasio had just pulled off the first full takeover of a computer at this week’s Pwn2Own, the latest round of the world’s biggest hacking competition—so named because the hackers get to take home the computers they “pwn,” cybersecurity slang for “hack” or “control.”
But this isn’t like previous Pwn2Own events, which have run for more than a decade and pitted hackers against everything from web browsers to phones to cars. Pwn2Own Miami, held at the S4 industrial control system security conference, has focused its participants’ skills for the first time exclusively on industrial control software. Every target is an application that touches physical machinery. The compromises could in many cases have catastrophic effects, from blackouts to life-threatening industrial accidents.
Digital Flaws, Physical Havoc
The goal of Pwn2Own has always been to make its hacking targets more secure. The secret vulnerabilities that contestants exploit are discreetly reported to on-site product vendors, and kept under wraps until the company can release a patch. In this case, the competition aims to highlight a set of targets with more devastating potential consequences than ever before.
“There’s a potential for a bad actor to do a lot of damage if they wanted to.”
Steven Seeley, Team Incite
It also comes at a time when industrial control system hacking has increasingly materialized in the real world. The blackout attacks that hit electric utilities in Ukraine in 2015 and 2016, the Triton malware designed to disable safety systems in a Saudi oil facility a year later, and more recent hints that Iranian hackers are working to develop industrial control system supply chain attacks all demonstrate the severity of the threat.
“This is the software that runs the critical infrastructure of the world,” says Brian Gorenc, the head of vulnerability research at Trend Micro and the lead organizer of Pwn2Own. “If we want to defend against state-sponsored attacks, this is where we want to find the vulnerabilities, before they’re used in the wild.”