The company is offering a $100,000 bounty to anyone who can break into Azure Sphere.
In its quest to make its IoT offerings as secure as possible, earlier this month Microsoft announced a new $100,000 bug bounty for anyone who can break into Azure Sphere. The Sphere Security Research Challenge lets bug hunters communicate directly with the company’s technical team as they make their break-in attempts.
Sphere is made up of three parts, the Sphere OS, which is a custom version
of Linux created by Microsoft, custom silicon produced by the company’s partners
including MediaTek, NXP, and Qualcomm, and a security service that runs in the
The challenge consists of two $100,000 prizes. The first will be awarded to
anyone who can infiltrate Pluton, the security subsystem that provides a root
of trust to the Sphere microcontroller, and execute code. The system runs a
secure boot process that does not provide runtime services until other software
components are fully loaded.
The second prize will be awarded to anyone who can infiltrate Secure World
and run code. Secure World is one of the operating modes for Sphere devices and
is locked down in a secure mode that only allows Microsoft-written code to run.
Sensitive hardware like memory is protected by a security monitor that runs in
Secure World and also controls access to Pluton.
The challenge will run from June 1st to August 31st and
has certain conditions, such as no physical attacks on the device. The challenge
also provides lower payouts for other attacks that fall under Microsoft’s existing
bug bounty program for Azure, with bonus payments of up to 20%:
- Running code on networks (a Linux networking daemon)
- Spoofing device authentication
- Unexpected elevation of privilege
- Altering software and configuration options that you’re not supposed to, or altering the firewall built into the microprocessor hardware to cause a Sphere device to communicate with an unauthorized destination