Login

Register

Login

Register

Inside Pwn2Own’s High-Stakes Industrial Hacking Contest


On a small, blue-lit stage in a dim side room of the Fillmore Theater in Miami on Tuesday, three men sat behind laptops in front of a small crowd. Two of them nervously reviewed the commands on a screen in front of them. Steven Seeley and Chris Anastasio, a hacker duo calling themselves Team Incite, were about to attempt to take over the Dell laptop sitting a few inches away by targeting a very particular piece of software it was running: A so-called human-machine interface, sold by the industrial control systems company Rockwell Automation.

Rockwell HMIs appear in industrial facilities around the world, used for manipulating the physical equipment in everything from car washes to nuclear plants. In other words, a hacker can do very dangerous things if they manage to hijack one.

A soft beep signaled that a five-minute countdown timer had started. Seeley hit the enter key on his keyboard. A tense 56 seconds passed as the hackers looked back and forth at their screens and the target. Finally, they both flashed a relieved smile. Seeley mimed wiping sweat from his brow. The third person on the stage, a gruff-looking bald man with a goatee, turned the Dell around, à la Vanna White, revealing the laptop was now running Microsoft Paint. The room broke into applause.

The innocuous Paint application, Seeley explained as he exited stage left, serves as a stand-in for any malicious software of the hacker’s choosing. It could just as easily have been full-featured malware that automatically interacts with equipment, or a basic “shell” that would allow a hacker to manually run commands on the target machine. What mattered is that Incite had just proven that they could exploit a bug in Rockwell’s HMI to achieve so-called “remote code execution.” They could run any program they wanted on the target computer from across the network or even the internet, in this case with no interaction from the victim. “We control this machine,” Seeley said simply.

Seeley and Anastasio had just pulled off the first full takeover of a computer at this week’s Pwn2Own, the latest round of the world’s biggest hacking competition—so named because the hackers get to take home the computers they “pwn,” cybersecurity slang for “hack” or “control.”

But this isn’t like previous Pwn2Own events, which have run for more than a decade and pitted hackers against everything from web browsers to phones to cars. Pwn2Own Miami, held at the S4 industrial control system security conference, has focused its participants’ skills for the first time exclusively on industrial control software. Every target is an application that touches physical machinery. The compromises could in many cases have catastrophic effects, from blackouts to life-threatening industrial accidents.

Digital Flaws, Physical Havoc

The goal of Pwn2Own has always been to make its hacking targets more secure. The secret vulnerabilities that contestants exploit are discreetly reported to on-sight product vendors, and kept under wraps until the company can release a patch. In this case, the competition aims to highlight a set of targets with more devastating potential consequences than ever before.

“There’s a potential for a bad actor to do a lot of damage if they wanted to.”

Steven Seeley, Team Incite

It also comes at a time when industrial control system hacking has increasingly materialized in the real world. The blackout attacks that hit electric utilities in Ukraine in 2015 and 2016, the Triton malware designed to disable safety systems in a Saudi oil facility a year later, and more recent hints that Iranian hackers are working to develop industrial control system supply chain attacks all demonstrate the severity of the threat.

“This is the software that runs the critical infrastructure of the world,” says Brian Gorenc, the head of vulnerability research at Trend Micro and the lead organizer of Pwn2Own. “If we want to defend against state-sponsored attacks, this is where we want to find the vulnerabilities, before they’re used in the wild.”



The Original Source For This Story: Source link

Leave a Reply

Shqip Shqip አማርኛ አማርኛ العربية العربية English English Français Français Deutsch Deutsch Português Português Русский Русский Español Español

National Cyber Security Consulting App

 https://apps.apple.com/us/app/id1521390354

https://play.google.com/store/apps/details?id=nationalcybersecuritycom.wpapp


NATIONAL CYBER SECURITY RADIO
[spreaker type=player resource="show_id=4560538" width="100%" height="550px" theme="light" playlist="show" playlist-continuous="true" autoplay="false" live-autoplay="false" chapters-image="true" episode-image-position="left" hide-logo="false" hide-likes="false" hide-comments="false" hide-sharing="false" hide-download="true"]
HACKER FOR HIRE MURDERS
 [spreaker type=player resource="show_id=4569966" width="100%" height="350px" theme="light" playlist="show" playlist-continuous="true" autoplay="false" live-autoplay="false" chapters-image="true" episode-image-position="left" hide-logo="false" hide-likes="false" hide-comments="false" hide-sharing="false" hide-download="true"]

ALEXA “OPEN NATIONAL CYBER SECURITY RADIO”

National Cyber Security Radio (Podcast) is now available for Alexa.  If you don't have an Alexa device, you can download the Alexa App for free for Google and Apple devices.   

nationalcybersecurity.com

FREE
VIEW