Microsoft Doles Out $374300 for Azure Sphere IoT Bug Hunting – Toolbox

Microsoft awarded $374,300 to researchers around the world in its first Azure Sphere bug bounty program. Launched in May this year, the three-month challenge is Microsoft's way of hardening Azure Sphere, its cloud-connected platform for IoT devices, against outside attackers. Security researchers dug up 16 critical vulnerabilities that had escaped Microsoft's own security reviews.

Microsoft is doubling down on IoT security with its first three-month bug bounty program, the Azure Sphere Security Research Challenge (ASSRC), launched in May this year. The challenge focused specifically on critical vulnerabilities in the Azure Sphere environment, Microsoft's cloud-connected application platform for IoT devices.

According to Galen Hunt, Distinguished Engineer and Managing Director, Azure Sphere, and Benedikt Abendroth, Senior Program Manager, Azure Sphere, “Our goal with the three-month Azure Sphere Security Research Challenge was twofold — to drive new high-impact security research, and to validate Azure Sphere’s security promise against the best challengers in their field.”

The IoT space is growing at a frenetic pace: 127 new IoT devices are connected every second. By 2025, 25 billion IoT devices are expected to be connected to the internet, and market spend is forecast to reach $1.6 trillion. Against that backdrop, the challenge produced 40 vulnerability reports against Azure Sphere, and Microsoft shelled out over $374,000 in bounties to the researchers who filed them.


Of the 40 vulnerabilities reported between June and August, 16 were rated critical and eligible for the payout.

A further 20 bugs were rated below critical severity. In total, 30 of the reports led to significant product improvements, while 10 were ineligible under the ASSRC rules. Fixes for the 30 have already shipped to Azure Sphere devices in the July, August and September security updates.

Microsoft stated, “Many of the vulnerabilities found during the research challenge were novel and high impact, and led to major security improvements for Azure Sphere in their 20.07, 20.08 and the latest 20.09 updates, which have been automatically pushed to Azure Sphere devices that are connected to the internet to help secure Azure Sphere customers.”


Around 71 researchers from 21 countries participated in the first ASSRC, producing the 40 vulnerability reports. To be eligible for a bounty, a submission had to demonstrate one of the following six scenarios:

  1. Execution of unsigned code under Linux, other than a pure return-oriented-programming (ROP) chain
  2. Elevation of privilege beyond the capabilities declared in the application manifest
  3. Modification of a device's software or configuration
  4. Code execution on NetworkD, whether through a local or a remote attack
  5. Spoofing of device authentication
  6. Altering the firewall to allow communication with domains that are not listed in the application manifest
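Scenarios 2, 4 and 6 are all about escaping the capability model that an Azure Sphere application declares in its app_manifest.json: the manifest lists the hosts the app may reach and the device resources it may use, and the OS firewall blocks outbound connections to anything not listed. The following script is an added example, not code from Microsoft or the Azure Sphere project, that models that check: it parses a constructed manifest, answers whether a given outbound destination would be permitted, and flags capabilities that reach beyond the app's own sandbox. The sample manifest and its placeholder ComponentId are constructed; treating the allowlist as an exact, case-insensitive host/IP match is a modelling assumption; and PRIVILEGED_CAPS is an illustrative selection of documented capability names, not a complete list.

```python
"""Model of the Azure Sphere application-manifest capability check.

Added example, not Microsoft's or Azure Sphere's own code. The sample
manifest below is constructed for illustration (the ComponentId is a
placeholder, not a real application identity).
"""
import json

# Constructed sample manifest in the documented app_manifest.json shape.
SAMPLE_MANIFEST = r"""
{
  "SchemaVersion": 1,
  "Name": "TelemetryUploader",
  "ComponentId": "00000000-0000-0000-0000-000000000000",
  "EntryPoint": "/bin/app",
  "CmdArgs": [],
  "Capabilities": {
    "AllowedConnections": ["telemetry.example.com", "192.0.2.10"],
    "AllowedTcpServerPorts": [8080],
    "Gpio": [8, 9],
    "MutableStorage": { "SizeKB": 8 },
    "NetworkConfig": true
  },
  "ApplicationType": "Default"
}
"""

# Illustrative selection of capabilities that change device-wide state rather
# than the app's own resources (assumption: not an exhaustive list).
PRIVILEGED_CAPS = ("NetworkConfig", "WifiConfig", "SoftwareUpdateDeferral")


def load_manifest(text: str) -> dict:
    """Parse a manifest and fill in the keys this model inspects."""
    manifest = json.loads(text)
    caps = manifest.setdefault("Capabilities", {})
    caps.setdefault("AllowedConnections", [])
    caps.setdefault("AllowedTcpServerPorts", [])
    caps.setdefault("AllowedUdpServerPorts", [])
    return manifest


def connection_allowed(manifest: dict, destination: str) -> bool:
    """Outbound allowlist check as modelled here (assumption): the destination
    must match an AllowedConnections entry exactly, case-insensitively. Any
    other host, including a subdomain of a listed one, is blocked."""
    allowed = {h.strip().lower() for h in manifest["Capabilities"]["AllowedConnections"]}
    return destination.strip().lower() in allowed


def audit(manifest: dict) -> list:
    """Return findings about capabilities that widen the app's reach:
    inbound listeners and device-wide configuration rights."""
    caps = manifest["Capabilities"]
    findings = []
    for key in ("AllowedTcpServerPorts", "AllowedUdpServerPorts"):
        if caps[key]:
            findings.append(f"{key}: app accepts inbound traffic on {caps[key]}")
    for cap in PRIVILEGED_CAPS:
        if caps.get(cap):
            findings.append(f"{cap}: device-wide capability granted")
    if not caps["AllowedConnections"]:
        findings.append("AllowedConnections: empty, app has no outbound network access")
    return findings


if __name__ == "__main__":
    m = load_manifest(SAMPLE_MANIFEST)
    for dest in ("telemetry.example.com", "updates.telemetry.example.com",
                 "192.0.2.10", "198.51.100.7"):
        print(f"{dest:35} {'ALLOW' if connection_allowed(m, dest) else 'BLOCK'}")
    for line in audit(m):
        print("finding:", line)
```

Run it as-is to see the allow/block decision for each constructed destination and the two findings the sample manifest produces (an inbound TCP listener and the NetworkConfig capability). A scenario-6 finding in the challenge is exactly a case where a device lets traffic through to a host for which `connection_allowed` would return False.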

Bug hunters and researchers from Avira, Baidu International Technology, Bitdefender, Bugcrowd, Cisco Systems Inc. (Talos), ESET, FireEye, F-Secure Corporation, HackerOne, K7 Computing, McAfee, Palo Alto Networks and Zscaler participated in the challenge. Researchers from McAfee and Cisco Talos emerged as the top contributors, reporting some of the highest-impact vulnerabilities.

Philippe Laulheret, Senior Security Researcher at McAfee ATR said, “As security researchers, the Azure Sphere platform is an exciting new research target that has been built from the ground up with security in mind. It showcases what might become of the IoT space in the next few years as legacy platforms are slowly phased out. Being at the forefront of what is being done in the IoT space ensures our research remains current and we are ready to tackle future new challenges.”


McAfee’s Advanced Threat Research (ATR) team found three critical vulnerabilities, including a previously unknown one in Linux. The company said it would donate its ASSRC earnings, amounting to $160,000, to the ACLU ($100,000), St. Jude Children’s Research Hospital ($50,000) and PDX Hackerspace (approximately $20,000).

Meanwhile, Cisco Talos found more than 15 vulnerabilities that could lead to denial of service, code execution, memory corruption, and information disclosure.

Sylvie Liu and Lynn Miyashita, Security Program Managers at the Microsoft Security Response Center, said, “This was our first expansion of the Azure Security Lab, an experiment to provide researchers with additional resources to help spark new, high impact research, and develop close collaboration between the security research community and the Microsoft engineering teams through weekly office hours and opportunities for direct collaboration.”

At its core, Azure Sphere is Microsoft’s security platform for IoT devices. It combines three pieces: a secured, connected crossover microcontroller unit (MCU); the Linux-based Azure Sphere OS that runs on it; and the cloud-based Azure Sphere Security Service, which handles device authentication and pushes OS updates to connected devices so that security is maintained continuously over a device’s lifetime rather than only at shipment. The platform became generally available in February 2020.

The Microsoft Azure Bounty Program remains open to submissions for high-impact Azure Sphere vulnerabilities and pays up to $40,000 for the most severe bugs.
