Azure Sphere IoT Bug Hunt Yields $374,000 in BountiesThree-Month Competition Designed to Sniff Out Problems
Microsoft’s IoT platform, Azure Sphere, which launched in February, is the company’s bet to address the growing security and management problems around connected devices.
Azure Sphere is a Linux-based OS that brings together chip-level security integrations that enforce what kind of applications can run and encryption to ensure a hardware root of trust. It links with Microsoft’s cloud services, which handle updates, device verification and other functions.
The emphasis is on security because IoT devices remain a big worry for enterprises. While there can be strong business cases for use of IoT in manufacturing, asset tracking and remote monitoring, the devices are also new points of attack with usually fewer security features than other computing devices (see: Microsoft's CyberX Acquisition: Securing IoT and OT).
Microsoft’s efforts are centered around ensuring IoT is manageable and secure. Not long after the launch, it opened up Azure Sphere for an encompassing three-month bug hunt. The result has been $374,000 paid out in bounties and a number of improvements to the platform, Galen Hunt, managing director of Azure Sphere, and Benedikt Abendroth, senior program manager, write in a blog post.
“The quality of submissions from participants in the challenge far exceeded our expectations,” they write. “Several participants helped us find multiple potentially high impact vulnerabilities in Azure Sphere.”
How the Challenge Worked
The Azure Sphere Security Research Challenge started in June and ended Aug. 31. Microsoft already has an ongoing bug bounty program for Azure Sphere, with bounties starting at $500 and rising to $40,000. But it offered sweeteners for the competition.
The company offered up to 20% larger rewards for six types of attack scenarios it believed could have high impacts for customers. It also offered $100,000 rewards for two types of attacks. Those included a successful way to execute code on Pluton, a hardware-based security subsystem that ensures a root of trust between when a device was made and when it's deployed to an end user, and issues with Secure World, a mode in which only Microsoft code can run.
The company received a total of 40 submissions, 30 of which resulted in Microsoft making improvements, Hunt and Abendroth write. Sixteen of the issues were eligible for bug bounties. The fixes have been wrapped into Azure Sphere’s recent monthly updates, including 20.07, 20.08 and 20.09, the latest one.
Cisco’s Talos team and McAfee’s Advanced Threat Research team found several big vulnerabilities. McAfee’s ATR team scooped up more than half of the money awarded as bounties, which it donated to three charities, according to its blog post.
McAfee found an entire attack chain, which included three important and three critical bugs. McAfee’s findings also included a potential zero-day exploit within the Linux kernel to escape root privileges, which was fixed by the Linux community, Hunt and Abendroth write. Microsoft says it fixed the issues McAfee identified within 30 days.
Philippe Laulheret, a senior security researcher with McAfee, writes: “This research was an exciting opportunity to look at a new platform with very little prior research, while still being in the familiar territory of an ARM device running a hardened Linux operating system. Through the bugs we found, we were able to get a full chain exploit from a locked device to having root access. However, the Azure Sphere platform has many more security features, such as remote attestation, and a hardware enabled secure core that is still holding strong.”
Quick Fixes Challenge Researchers
Cisco Talos reported 16 vulnerabilities. Among them was “a privilege escalation bug chain to acquire Azure Sphere Capabilities, the most valuable Linux normal-world permissions in the Azure Sphere context,” it writes in a blog post on the competition.
Microsoft was fixing problems as the competition was rolling along, which Cisco says may have resulted “in a much less complete examination of the device than might have been possible, due to researchers being handicapped in ways that an attacker would never be.”
“Lower-value reported targets got fixed periodically, repeatedly leaving researchers to find new routes to the higher level problems,” Cisco writes. “We posit that this type of CTF would just result in everyone going ham on low-hanging targets, leaving the higher level and more critical attack surfaces mostly unexamined.”
Microsoft says the quick fixes were significant accomplishments.
“The success of our challenge should not just be measured by the number and quality of the reports, but also by how quickly reported vulnerabilities were fixed in the product,” the company says. “When it came to fixing the found vulnerabilities, there was no distinction made between the ones that were proven to be exploited or the ones that were only theoretical. Attackers get creative, and hope is not part of our risk assessment or our commitment to our customers.”