2022-07-23, 20:00–20:50, Abacus 🧮
Last April we won Pwn2Own Miami by demonstrating five zero-day attacks against software that is commonly used in the ICS world. ICS, or Industrial Control Systems, are systems that are involved with running an industrial process, for example in a factory or power plant. Our targets range from SCADA to HMI systems. During this talk we would like to share details about the competition and the vulnerabilities we found.
ICS is an interesting field for security research. As a successful attack could have devastating results. Luckily the number of successful attacks that truly targeted ICS environments are scarce. At the same time this industry faces some difficult challenges, such as high availability requirements, old technology and a low security maturity.
Pwn2Own Miami is an annual edition of the Pwn2Own competition, that focuses solely on ICS applications. Targets range from OPC UA implementations (on of the main communication protocol in ICS), to data gateways and SCADA systems. They challenge competitors to find zero-days attacks against any of the targets. Participants need to demonstrate their zero-days by compromising a target machine running the latest version of the application.
Last year we participated in the Pwn2Own Austin edition, which focused on Enterprise applications, with a zero-day chain against the Zoom client. This year we decided to participate in the ICS edition. It was a close race, but ultimately we beat the competing teams and won this year's edition. We demonstrated 3 RCE's, one DoS and an interesting certificate verification bypass, which in total was good for 90 points and $90,000.
Thijs Alkemade (@xnyhps) works at the security research division of at Computest. This division is responsible for advanced security research on commonly used systems and environments. Thijs has won Pwn2Own twice, by demonstrating a zero-day attack against Zoom at Pwn2Own Vancouver 2021 and by demonstrating multiple exploits in ICS systems at Pwn2Own Miami 2022. In previous research he demonstrated several attacks against the macOS and iOS operating systems. He has a background in both mathematics and computer science, which gives him a lot of experience with cryptography and programming language theory.
Daan Keuper is the head of security research at Computest. This division is responsible for advanced security research on commonly used systems and environments.
Daan participated three times in the internationally known Pwn2Own competition by demonstrating zero-day attacks against the iPhone, Zoom and multiple ICS applications. In addition Daan did research on internet connected cars, in which several vulnerabilities were found in cars from the Volkswagen Group.