The Azure Sphere Security Research Challenge brought together 70 researchers from 21 countries to help secure Azure Sphere customers and expand Microsoft’s partnerships with the global IoT security research community. During the three-month Azure Sphere Security Research Challenge, researchers surfaced 20 Critical or Important severity security vulnerabilities, with Microsoft awarding $374,300 in bounty awards for 16 bounty eligible reports.

  • Total Reports Received: 40
  • Reports Led to Improvements: 30
  • Critical/Important Reports: 20
  • Bounty Eligible Reports: 16
  • Total Bounty Awards: $374,300

Many of the vulnerabilities found during the research challenge were novel and high impact, and led to major security improvements for Azure Sphere in the 20.07, 20.08 and the latest 20.09 OS updates, which have been automatically pushed to internet-connected Azure Sphere devices to help secure Azure Sphere customers. Security researchers from McAfee ATR and Cisco Talos reported some of the highest impact vulnerabilities in Azure Sphere, notably a full attack chain developed by McAfee ATR that exposed a weakness in the cloud and multiple weaknesses on the device, including a previously unknown Linux kernel vulnerability.

To focus research in the highest impact areas, we introduced two high priority research scenarios focused on the core of the Azure Sphere OS with $100,000 awards, and six general scenarios focused on various levels of the Azure Sphere OS with up to 20% additional awards on top of the Azure Bounty Program awards. Participating researchers shared disclosures that successfully achieved three of the general scenarios:

  • Anything allowing execution of unsigned code that isn’t pure return oriented programming (ROP) under Linux
  • Anything allowing elevation of privilege outside of the capabilities described in the application manifest (e.g. changing user ID, adding access to a binary)
  • Ability to modify software and configuration options (except full device reset) on a device in the manufacturing state DeviceComplete when claimed to a tenant you are not signed into and have no saved capabilities for

Check out the Azure Sphere team’s blog post “Why we invite security researchers to hack Azure Sphere” for more details on the research challenge results and security improvements. Microsoft is also working on assigning CVEs to vulnerabilities found in Azure Sphere; the documentation for these will be released on Update Tuesdays.

We are excited to see the great results from this research challenge and to learn from the program participants’ experiences. This was our first expansion of the Azure Security Lab, an experiment to provide researchers with additional resources to help spark new, high impact research, and develop close collaboration between the security research community and the Microsoft engineering teams through weekly office hours and opportunities for direct collaboration. We strongly believe that this challenge and upcoming expansions of the Azure Security Lab will help to continue to protect our cloud and Azure Sphere, and we look forward to expanding the resources available to security researchers to support high impact research. Future research challenges will be published on our Azure Security Lab program page, stay tuned!

We continue to invite researchers to hunt for high impact vulnerabilities in Azure Sphere as part of our Microsoft Azure Bounty Program. Qualified submissions are eligible for awards up to $40,000 USD.

Special Thanks to Security Researchers and Industry Partners

We believe our partnership with the global security research community is crucial for keeping our customers secure. We are humbled to have the opportunity to work with so many talented researchers and industry partners through Coordinated Vulnerability Disclosure to make Azure Sphere and the broader IoT ecosystem more secure.

We appreciate the collaboration in this research challenge with the global security research community, and our key industry partners including Avira, Baidu International Technology, Bitdefender, Bugcrowd, Cisco Systems Inc (Talos), ESET, FireEye, F-Secure Corporation, HackerOne, K7 Computing, McAfee, Palo Alto Networks and Zscaler.

Sylvie Liu & Lynn Miyashita, Security Program Manager, Microsoft Security Response Center
