The Azure Sphere Security Research Challenge brought together 70 researchers from 21 countries to help secure Azure Sphere customers and expand Microsoft’s partnerships with the global IoT security research community. During the three-month Azure Sphere Security Research Challenge, researchers surfaced 20 Critical or Important severity security vulnerabilities, with Microsoft awarding $374,300 in bounty awards for 16 bounty eligible reports.
Many of the vulnerabilities found during the research challenge were novel and high impact, and led to major security improvements for Azure Sphere in their 20.07, 20.08 and the latest 20.09 updates, which have been automatically pushed to Azure Sphere devices that are connected to the internet to help secure Azure Sphere customers. Security researchers from McAfee ATR and Cisco Talos reported some of the highest impact vulnerabilities in Azure Sphere, especially a full attack chain developed by McAfee ATR that exposed a weakness in the cloud and multiple weaknesses on the device including a previously unknown Linux kernel vulnerability.
To focus research in the highest impact areas, we introduced two high priority research scenarios focused on the core of the Azure Sphere OS with $100,000 awards, and six general scenarios focused on various levels of the Azure Sphere OS with up to 20% additional awards on top of the Azure Bounty Program awards. Participating researchers shared disclosures that successfully achieved three of the general scenarios:
- Anything allowing execution of unsigned code that isn’t pure return oriented programming (ROP) under Linux
- Anything allowing elevation of privilege outside of the capabilities described in the application manifest (e.g. changing user ID, adding access to a binary)
- Ability to modify software and configuration options (except full device reset) on a device in the manufacturing state DeviceCompletewhen claimed to a tenant you are not signed into and have no saved capabilities for
Check out the Azure Sphere team’s blog Why we invite security researchers to hack Azure Sphere for more details on the research challenge results and security improvements. Microsoft is also working on assigning CVEs to vulnerabilities found in Azure Sphere, the documentation for which will be released on Update Tuesdays.
We are excited to see the great results from this research challenge and to learn from the program participants’ experiences. This was our first expansion of the Azure Security Lab, an experiment to provide researchers with additional resources to help spark new, high impact research, and develop close collaboration between the security research community and the Microsoft engineering teams through weekly office hours and opportunities for direct collaboration. We strongly believe that this challenge and upcoming expansions of the Azure Security Lab will help to continue to protect our cloud and Azure Sphere, and we look forward to expanding the resources available to security researchers to support high impact research. Future research challenges will be published on our Azure Security Lab program page, stay tuned!
We continue to invite researchers to hunt for high impact vulnerabilities in Azure Sphere as part of our Microsoft Azure Bounty Program. Qualified submissions are eligible for awards up to $40,000 USD.
We believe our partnership with the global security research community is crucial for keeping our customers secure. We are humbled to have the opportunity working with so many talented researchers and industry partners through Coordinated Vulnerability Disclosure in making Azure Sphere and the broader IoT ecosystem more secure.
We appreciate the collaboration in this research challenge with the global security research community, and our key industry partners including Avira, Baidu International Technology, Bitdefender, Bugcrowd, Cisco Systems Inc (Talos), ESET, FireEye, F-Secure Corporation, HackerOne, K7 Computing, McAfee, Palo Alto Networks and Zscaler.
Sylvie Liu & Lynn Miyashita, Security Program Manager, Microsoft Security Response Center