These hackers showed just how easy it is to target critical infrastructure
Daan Kuper has hacked before.
In 2012, he hacked a brand-new iPhone and took home $30,000 while on center stage at Pwn2Own, the biggest hacking contest in the world. Driven by curiosity, Keuper and his colleague Thijs Alkemade then hacked a car in 2018. They hacked coronavirus and videoconferencing software last year, inspired by the pandemic.
“In industrial control systems, there is still so much low-hanging fruit,” Keuper says. Alkemade agrees that security is not up to par .”
” This is definitely a more conducive environment for operation.
At the exact same time that I was watching the pair on stage in Miami targeting a small arsenal of critical industrial software, the United States and its allies issued a warning about the elevated threat of Russian hackers’ going after infrastructure such as the electric grid, nuclear reactors, water systems, and more. Last week, one group of Russian hackers was caught trying to bring down the Ukrainian power grid, and another hacking group was caught aiming to disrupt critical industrial systems.
At Pwn2Own the stakes may be lower but the systems are exactly the same as those found in the real world. All industrial control systems running critical facilities were the targets of the hackers this week in Miami. Hackers took almost every piece of software that was offered as a target. This is what sponsors pay for. Hackers who succeed will share all details so that the flaw can been fixed. But it’s also a sign that critical-infrastructure security has a long way to go.
“A lot of the bugs we’re seeing in the industrial control systems world are similar to bugs we saw in the enterprise software world 10 to 15 years ago,” says Dustin Childs, who ran the show this year. “There is still a lot of work to be done.”
Looking for the big one
One notable target at this year’s show was the Iconics Genesis64, a human-machine interface tool that hackers can break into to bring down critical targets while fooling the human operators into thinking nothing is wrong.
We know this is a serious threat because, a decade ago Stuxnet, a major hacking campaign, targeted Iran’s nuclear program. Hackers believed to have been working for Israel and the United States sabotage the programmable logic controllers in the gas centrifuges that separate nuclear materials. They also instructed the machines to tell Iran’s operators that everything was fine. This clever sabotage added to the success of the operation.
To support MIT Technology Review’s journalism, please consider becoming a subscriber.
In Miami, the Iconics Genesis64 was hacked at least six times to give attackers full control. The teams that took on the challenge won a total of $75,000.
“I’m surprised to see so many unique bugs on the Iconics Genesis64,” says Childs. It just shows that there are many bugs out there. There is a lot more out there than what people are reporting right now.”
The indisputable highlight of the show belonged to Keuper and Alkemade, who targeted a communications protocol called OPC UA. It is the lingua-franca that allows different parts of critical-operations systems to communicate in industrial settings. Keuper and Alkemade–competing under their company name, Computest–successfully bypassed the trusted-application check.
The moment it happened, the room erupted in the largest applause of the entire weeklong contest. As Alkemade and Keuper turned their laptops upside down, the crowd roared with excitement. In just a few seconds, the team won $40,000 and enough points to secure the competition’s championship title, “Master of Pwn.”
“We’re looking for exactly that kind of big thing,” says Childs.
“OPC UA is used everywhere in the industrial world as a connector between systems,” says Keuper. It’s a key component of industrial networks and can be bypassed authentication to allow us to change or read anything. It was therefore deemed the most important and fascinating. It took just a couple of days to find.”
The 2012 iPhone hack took three weeks of focused work. The OPC UA hack, on the other hand, was a side project that distracted from Keuper’s and Alkemades day jobs. Its impact is enormous.
There are immense differences between the consequences of hacking an iPhone and breaking into critical-infrastructure software. An iPhone can be easily upgraded and a new phone is always just around the corner.
However, some systems in critical infrastructure can last for decades. Some security flaws are not fixable. Operators are often unable to update their technology for security updates because it is impossible to take a system offline. It is not easy to turn a factory back on or off like a light switch, or like a laptop.
In industrial control systems, there are completely different rules,” Keuper states. Security must be viewed differently. Different solutions are needed. We need game changers .” Despite their success this week Keuper and Alkemade don’t believe that industrial security issues can be solved instantly. It’s a start, but it’s a start for these two. I do research for public benefits to help make the world safer,” Alkemade said. “We do stuff so that people pay attention to us.” It’s not all about the money. It’s about the excitement and to show what we can do.” “Hopefully we made the world safer,” says Keuper.
Meanwhile, the Pwn2Own competitions rumble on, having given away $2 million last year. Next month, hackers will gather in Vancouver to celebrate the 15th anniversary of the show. One of the targets? A Tesla car.
I’m a journalist who specializes in investigative reporting and writing. I have written for the New York Times and other publications.