Microsoft recently announced its Azure Sphere Security Research Challenge, offering white hat security researchers up to $100,000 if they can find a way to break into the Azure Sphere Linux-based IoT OS platform or discover vulnerabilities in its software.
Released in February this year, Microsoft’s Azure Sphere is a comprehensive IoT security solution designed to actively protect IoT devices and accompanying hardware, OS, and cloud components. The IoT security suite includes an OS that adds layers of protection and ongoing security updates and a security service that brokers trust for device-to-cloud communication.
This week, Microsoft announced that it will give ethical hackers access to the Azure Sphere developer tools so they can test the software for security vulnerabilities. The software giant said hackers will have three months to take part in the challenge, between 1st June and 31st August, and will have to apply by 15th May for a chance to participate in the contest.
“The Azure Sphere Security Research Challenge aims to spark new high impact security research in Azure Sphere, a comprehensive IoT security solution that includes hardware, OS and cloud components. This three-month, application-only security research challenge offers special bounty awards and provides program participants research resources,” Microsoft said in a blog post.
“The Azure Security Lab provides additional resources, environments, and tooling to help security researchers explore and research for high impact vulnerabilities in the cloud. Security researchers will have the opportunity to participate in limited time research challenges and earn awards specific to each research challenge.
“We award up to $100,000 bounty for scenarios in the Azure Sphere Security Research Challenge during the program period,” the company added. The company had offered a reward of up to $100,000 for executing code on Pluton (the hardware security subsystem that protects cryptographic keys) or for executing code on Secure World, which runs the Microsoft-supplied Security Monitor.
The bug bounty program will also include the following possibilities:
- Ability to execute code on NetworkD through local attack
- Anything allowing execution of unsigned code that isn’t pure return oriented programming (ROP)
- Ability to spoof device authentication
- Anything allowing elevation of privilege outside of the capabilities described in the application manifest
- Ability to modify software and configuration options
- Ability to alter the firewall allowing communication out to other domains not in the app manifest
Sylvie Liu, security program manager at Microsoft Security Response Center, said, “We’re providing more content and resources to better arm security researchers with the tools needed to research high-impact vulnerabilities in the cloud. By discovering and reporting vulnerabilities to Microsoft through Coordinated Vulnerability Disclosure (CVD), security researchers have helped us continue to secure millions of customers.”
Microsoft also runs the Microsoft Azure Bounty Program, which lets white hat researchers test various software designs for security vulnerabilities and win rewards ranging from $500 to $40,000. That program covers security threats such as remote code execution, privilege escalation, tampering, denial of service, spoofing, and information disclosure affecting products such as Azure Active Directory, Key Vault, Web Apps, Azure DevOps, Virtual Machines, and Azure IoT Hub.