Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

5/5/2020
05:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft Challenges Security Researchers to Hack Azure Sphere

Participants can earn up to $100,000 for finding severe flaws in Microsoft's Linux-based Azure Sphere IoT operating system.

Azure Sphere was unveiled in April 2018 as a means to improve security for devices connected to the Internet of Things (IoT). It's made up of three parts: connected microcontrollers, a Linux-based OS and custom kernel to power them, and a security service to protect the connected devices. Azure Sphere hit general availability in February 2020, and now Microsoft is opening it to researchers. 

The Azure Sphere Security Research Challenge builds on an earlier initiative, Azure Security Lab, which Microsoft debuted at Black Hat USA last summer. A group of researchers was invited to test attacks against Internet-as-a-service (IaaS) scenarios using a set of dedicated cloud hosts isolated from Azure customers. At the time, Microsoft doubled the top bounty reward for Azure flaws to $40,000.

The latest research challenge is application-only and will span three months, starting on June 1 and ending on August 31. Researchers must apply before May 15. Microsoft has invited researchers from industry partners participating in the program and will select a total of 50 people, says Sylvie Liu, security program manager at the Microsoft Security Response Center.

If accepted into the Azure Sphere challenge, participants will be provided resources including the Azure Sphere development kit, Azure Sphere product documentation, access to Microsoft products and services for research purposes, and direct communication with Microsoft's team.

"Working with researchers during the initial phase of the Azure Security Lab, we found that resources, documentation, and more regular connections with the program participants and Microsoft teams were key to successful coordinated vulnerability disclosure," Liu says. Based on these learnings, Microsoft will offer participants communication channels and weekly office hours with members of the Azure Sphere engineering team.

"We've also found that it's valuable to learn from both the successful attempts and unsuccessful attempts of researchers," Liu continues. "As a result, we are asking researchers to document and report both successful and unsuccessful attempts in this research challenge."

Microsoft will award up to $100,000 in rewards for two specific scenarios during the program period. One of these is the ability to execute code on Azure Pluton, the security subsystem built into every Azure Sphere microcontroller unit (MCU). Pluton provides a hardware root of trust for the connected device in which the MCU sits. As part of the chip manufacturing process, a unique key is created to be used as the basis for authentication and cryptography.

Azure Sphere's application platform supports two operating environments: Normal World and Secure World. Applications run in an application container in Normal World user mode, where they can access Azure Sphere libraries and a limited amount of OS services, Microsoft explains. The underlying Linux kernel runs in Normal World supervisor mode; the Security Monitor runs in Secure World. Only Microsoft-supplied code can run in supervisor mode or Secure World.

Vulnerabilities discovered outside the scope outlined for this research challenge, including the cloud portion, may qualify for rewards under the public Azure Bounty Program. Physical attacks are out of scope both for this challenge and the public program, Microsoft says.

To launch the Azure Sphere Security Research Challenge, Microsoft teamed up with several technology companies that bring expertise in IoT security research. These partners include Avira, Baidu International Technology, Bitdefender, Bugcrowd, Cisco Systems (Talos), ESET, FireEye, F-Secure, HackerOne, K7 Computing, McAfee, Palo Alto Networks, and Zscaler.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How InfoSec Pros Can Help Healthcare During the Coronavirus Pandemic."

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Another COVID-19 Side Effect: Rising Nation-State Cyber Activity
Stephen Ward, VP, ThreatConnect,  7/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15600
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
CVE-2020-15599
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
CVE-2020-8916
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
CVE-2020-12821
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.
CVE-2020-15008
PUBLISHED: 2020-07-07
A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server side validation. As the code creates dynamic SQL for the insert statement and utilizes the user su...