Select Page

Pwn2Own Miami is coming back to find 0days in important ICS products. You can see all the details at the ZDI site, and we encourage you to register with them if you are interested in participating and potentially winning some serious money ($280K was won at the Pwn2Own Miami in 2020). The Pwn2Own targets, prize money and videos from the previous Pwn2Own Miami are also available on our Pwn2Own page.

We are particularly intrigued by the OPC UA targets (United Automation, OPC Foundation, Prosys and Softing) and payloads. OPC UA was designed from the ground up to be a securable protocol (not necessarily a secure protocol because self-signed certificates and certain allowable settings are not secure). Classic OPC was and still is a universal translator for ICS protocols and systems. OPC UA will take on this task, and we are seeing other likely high volume use cases. For example, much of the ICS to edge and edge to cloud communications is via OPC UA.

The use of OPC UA has been a bit like a snowball. It has been around for years. Vendors added support for OPC UA in the early years, but use by asset owners grew slowly. Steadily, at a gradually increasing rate, but probably much slower than the OPC Foundation had hoped for. Just like a snowball though, the number and size of deployments is beginning to grow quickly now that it is rolling.

There are awards for creating a denial of service ($5K) and remote code execution ($20K). The most interesting and lucrative payload is the bypass trusted application check ($40K). The idea here is the contestant creates a two-way authenticated, legitimate, OPC UA session with the server. Once the communication is established the contestant needs to break out of that session so they can execute code on the server.

The reason this is important is OPC UA is often used to pass information through security perimeters. If this type of 0day is found, it could be used by an attacker who has compromised a legitimate OPC UA client outside a security zone to gain control of an asset inside the security zone. Why would we want to encourage the finding of these potentially high impact vulnerabilities? So they can be disclosed initially only to the vendor, get patches or other updates out that address the problem, and make more secure products available to asset owners.

The full list of OPC UA targets, payloads and cash prizes are listed below. This is one of four categories of targets in Pwn2Own Miami.

OPC UA.png