Once the countdown starts, nothing’s safe.
White-hat hackers (yes, that’s the good guys) from around the world converged on Miami in January for Pwn2Own, an international competition in its 12th year that challenges researchers to find and exploit the holes in computer security, from smartphones and desktop applications to enterprise business applications and self-driving cars. The name comes from the gamer slang word “pwn” for crushing an opponent.
The Miami event was Pwn2Own’s first contest to focus on industrial control systems – the networks that run power plants, sewer systems and other vital infrastructure – and saw an Oak Ridge National Laboratory cyberscientist claim one of the top spots.
Ben McBride, who leads the Vulnerability Science Group in ORNL’s Cyber and Applied Data Analytics Division, placed fifth and was the first contestant to represent any national laboratory in the competition.
“Given our mission of protecting the power grid, we thought this was right up ORNL’s alley,” McBride said. “It’s a great opportunity to increase awareness and visibility into these types of threats.”
The eight contestants were given three months to choose targets from a list and search for chinks in the online armor. Then each had a 20-minute window to launch a successful attack.
“You can’t just crash the thing,” McBride said. “You have to attack it the way a real hacker would.”
McBride zeroed in on three targets. One attack took too long and failed to beat the clock. Two pulled off a remote code execution – in other words, a complete takeover of the system.
“That means I can get on it and run anything I want,” McBride said.
Contestants share the bugs they find with Trend Micro’s Zero Day Initiative, the contest’s sponsor, which reports the weaknesses to the software system makers so the holes can be patched. McBride said he hopes his participation leads more national labs to take part.
“It’s a way to show we’re out here doing the work to keep the grid and all its users secure,” he said.
~ Matt Lakin, Oak Ridge National Laboratory