Teams battle for victory in the Super Bowl of industrial hacking in Miami
BY KERRY TOMLINSON, AMPERE NEWS
APRIL 28, 2022
It's a nail biter. Eleven teams of hackers from around the globe meet in Miami for what some say is the biggest industrial hacking contest in the world.
Pwn2Own Miami offers up prizes worth up to $400,000.
Who will win --- returning champions from the last event in Miami in 2020, a team that hacked Zoom, or a new team on its way up?
Watch here:
Stress Test
Less than 20 seconds in and there is trouble on the stage at the Pwn2Own at the S4 cybersecurity conference in Miami.
Steven Seeley and Chris Anastasio's hack on industrial equipment isn't working and the team's trying to find out why.
"It is a stressful time for all of the participants, making sure that what they've worked on over the last few months is still working," said Dustin Childs with Trend Micro's Zero Day Initiative, the organization that runs the contest. "Maybe it works at home, but now they're here, the pieces are just a little bit different and that can absolutely play a role in who wins.”
Twenty thousand dollars is at stake just for this one hack, along with points toward the big prize: the Master of Pwn. Pwn is slang for "own," as in hacking something to control it or 'own' it. It's pronounced "pown," rhyming with "own."
Seeley and Anastasio, Team Incite, won that big prize in 2020, when the event last took place. Now they're back for more --- if they can just get this hack to work.
"I love hacking," Anastasio told Ampere News. "And this is one of the biggest hacking events in the world."
Can They Do It?
Finally, the hack succeeds. The team is able to put the paint program up on the screen, as a sign that they are controlling the machine through their code execution hack of ICONICS GENESIS 64.
It turns out the delay wasn't Steven and Chris's fault, but instead a computer licensing issue.
"There was tough competition last time, but this time is even more competition," Seeley said. "So, it's going to be a very tough competition for us and we're not sure how to turn out, but we'll just do our best. "
Tough Competition
Team Incite, from San Francisco and Mexico City, face Team Computest, from the Netherlands, and Team Claroty from Israel, among others.
"We've been preparing for weeks into the night, and no weekends," said Sharon Brizinov from Team Claroty. "My wife is mad at me. And so being able to demonstrate our hard work live on the stage is amazing."
But live on stage is proving difficult for Sharon and his teammates for this hack --- code execution against Kepware KEPServerExworth --- $20,000. They have 20 minutes total, but the time is ticking by.
"They could come in and fail and not get anything or they can come in and succeed and walk away with quite a bit of money," said Childs.
In the end, they succeed to cheers from the audience.
New to Miami
One of their top competitors, Team Computest with Daan Keuper and Thijs Alkemade from the Netherlands, have to grind as well.
They won a big contest last year by finding a security hole in the meeting platform Zoom.
This new one is worth twice as much as the others at $40,000. It's a big deal, an attempt to bypass the trusted application check on the OPC UA .NET Standard.
The hack goes smoothly, putting them in the lead. If they were hackers for evil, they could have caused industrial-sized chaos.
"We actually have a chance of winning this," said Keuper. "That was never the intention. We thought, 'We'll go and we see what happens. But suddenly, we're up for winning as well.' So that was very exciting."
Coming From Behind
Team Incite battles back with another hack, once again a nail biter. Precious minutes go by as they try to make it work, a reminder of their 2020 win with just one second to go.
"Last time they took us down to the last second," said Childs. "It caused people to shout out loud when they finally confirmed it. So, they know how to troubleshoot on stage with everyone staring at them."
And this time? Success. Their code execution on Triangle Microworks SCADA Data Gateway counts for $20,000.
"On their second attempt with no time to spare whatsoever," Childs announces to the room.
"Relieved. My heart is pounding right now," Anastasio said.
"That was our hardest entry," added Seeley.
Final Results
After more hacks, some successes and some failures, the results are in.
Team Claroty is at $45,000.
Team Incite worked its way to $80,000.
But Team Computest pushes by with $90,000.
"In the end, we did win, but it was a close call," said Keuper. "And it was very exciting. Very tense for us. Cost me a new heart, actually!"
Protecting the World
Keuper and Alkemade win the big prize, the money, the trophy --- and the Miami-style white Pwn2Own blazers on stage.
They also know that they're finding security holes before attackers can use them on real industrial equipment --- in real power plants, water plants and factories --- causing damage or even death.
"We're not in it for the money. We're in it because we like doing this. You can always make more money somewhere else. It's passion for us. So, we just like doing it," Keuper said. "We want to make the world a little bit safer. One vulnerability at a time."
Rewards
Security holes like the ones in this contest are valuable. Some groups will buy them from hackers for big money so they can use them for attacking and spying.
But this contest is designed to reward hackers for good and encourage research into industrial vulnerabilities, according to Childs. This way, the organization can notify the equipment makers and have them repair the security gaps before malicious hackers find them.
"At the end of the day, that's really what we want to see happen, is we want to see bugs get fixed," Childs said. "We also want to see researchers get credited and you know, rewarded for their research."
For some hackers in this contest, it's an easy choice to hack for good.
"It's not that I don't care about money, obviously. But I do have a moral responsibility," said Brizinov from the Claroty team. "If I can do this and help to make the industry more secure, obviously, I would pick this path."
For new Pwn2Own 2022 winner Alkemade from the Computest Team, sharing his research is the best part.
"I like to not just find vulnerabilities but also describe them and talk about them to other people. If you want to do 'black hat' [hacking for nefarious purposes] then you really need to keep quiet," said Alkemade. "I like giving presentations, I like talking about the vulnerabilities. I like writing the blog post where we explain everything that we do."