Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

5/5/2020
05:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft Challenges Security Researchers to Hack Azure Sphere

Participants can earn up to $100,000 for finding severe flaws in Microsoft's Linux-based Azure Sphere IoT operating system.

Azure Sphere was unveiled in April 2018 as a means to improve security for devices connected to the Internet of Things (IoT). It's made up of three parts: connected microcontrollers, a Linux-based OS and custom kernel to power them, and a security service to protect the connected devices. Azure Sphere hit general availability in February 2020, and now Microsoft is opening it to researchers. 

The Azure Sphere Security Research Challenge builds on an earlier initiative, Azure Security Lab, which Microsoft debuted at Black Hat USA last summer. A group of researchers was invited to test attacks against Internet-as-a-service (IaaS) scenarios using a set of dedicated cloud hosts isolated from Azure customers. At the time, Microsoft doubled the top bounty reward for Azure flaws to $40,000.

The latest research challenge is application-only and will span three months, starting on June 1 and ending on August 31. Researchers must apply before May 15. Microsoft has invited researchers from industry partners participating in the program and will select a total of 50 people, says Sylvie Liu, security program manager at the Microsoft Security Response Center.

If accepted into the Azure Sphere challenge, participants will be provided resources including the Azure Sphere development kit, Azure Sphere product documentation, access to Microsoft products and services for research purposes, and direct communication with Microsoft's team.

"Working with researchers during the initial phase of the Azure Security Lab, we found that resources, documentation, and more regular connections with the program participants and Microsoft teams were key to successful coordinated vulnerability disclosure," Liu says. Based on these learnings, Microsoft will offer participants communication channels and weekly office hours with members of the Azure Sphere engineering team.

"We've also found that it's valuable to learn from both the successful attempts and unsuccessful attempts of researchers," Liu continues. "As a result, we are asking researchers to document and report both successful and unsuccessful attempts in this research challenge."

Microsoft will award up to $100,000 in rewards for two specific scenarios during the program period. One of these is the ability to execute code on Azure Pluton, the security subsystem built into every Azure Sphere microcontroller unit (MCU). Pluton provides a hardware root of trust for the connected device in which the MCU sits. As part of the chip manufacturing process, a unique key is created to be used as the basis for authentication and cryptography.

Azure Sphere's application platform supports two operating environments: Normal World and Secure World. Applications run in an application container in Normal World user mode, where they can access Azure Sphere libraries and a limited amount of OS services, Microsoft explains. The underlying Linux kernel runs in Normal World supervisor mode; the Security Monitor runs in Secure World. Only Microsoft-supplied code can run in supervisor mode or Secure World.

Vulnerabilities discovered outside the scope outlined for this research challenge, including the cloud portion, may qualify for rewards under the public Azure Bounty Program. Physical attacks are out of scope both for this challenge and the public program, Microsoft says.

To launch the Azure Sphere Security Research Challenge, Microsoft teamed up with several technology companies that bring expertise in IoT security research. These partners include Avira, Baidu International Technology, Bitdefender, Bugcrowd, Cisco Systems (Talos), ESET, FireEye, F-Secure, HackerOne, K7 Computing, McAfee, Palo Alto Networks, and Zscaler.

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How InfoSec Pros Can Help Healthcare During the Coronavirus Pandemic."

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
5/12/2020 | 7:14:01 AM
Interesting article
To the person who wrote the article, do you know which variant of Linux they are using?

The article talked about microcontrollers, Linux OS and boot program?

Please advise if you have insight into the Linux OS.

Todd
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4035
PUBLISHED: 2020-06-03
In WatermelonDB (NPM package "@nozbe/watermelondb") before versions 0.15.1 and 0.16.2, a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to...
CVE-2020-13783
PUBLISHED: 2020-06-03
D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Storage of Sensitive Information.
CVE-2020-13784
PUBLISHED: 2020-06-03
D-Link DIR-865L Ax 1.20B01 Beta devices have a predictable seed in a Pseudo-Random Number Generator.
CVE-2020-13785
PUBLISHED: 2020-06-03
D-Link DIR-865L Ax 1.20B01 Beta devices have Inadequate Encryption Strength.
CVE-2020-13786
PUBLISHED: 2020-06-03
D-Link DIR-865L Ax 1.20B01 Beta devices allow CSRF.