ZDI Brings Pwn2Own To ICS At S4x20

Prizes of up to $25K per exploit, with more than $250K available.

This has been a hard secret to keep. When I asked the team at Trend Micro’s ZDI in late spring if they would be interested in having an ICS Pwn2Own to be held at S4x20, they had already been considering this for years. To ZDI, it was just a question of when the ICS community and the ICS products were ready for this. That time is now, or actually next January 21-23 at S4x20 in Miami South Beach.

Trend Micro / ZDI announced Pwn2Own Miami to, in their words, bring ICS into the Pwn2Own World. And they have come big with over $250K allocated to buy 0day exploits on specified important ICS targets. This is quite a change from free ICS vulnerabilities.

How Will Pwn2Own Miami Work?

This is a ZDI event being held at S4x20. The ZDI Pwn2Own Miami team makes the rules and all decisions. As I learned more about the contest, there were a few important points that I’m guessing many in the ICS security community don’t know about Pwn2Own.

  • Unlike a CTF, contestants need to come with the exploit ready.

Contestants are given three 5-minute attempts to exploit a target. This is why the targets are announced approximately three months prior to the contest. Pwn2Own works with registered contestants to make sure they have the appropriately configured target. If you are interested in competing and winning the prize money, you should register.

  • Successful exploits are not immediately made public.

If an exploit works (denial of service, information disclosure, or remote code execution), the successful contestant, the Pwn2Own team, and the ICS vendor, if they choose to participate in the event, go into a private room to reveal the details of the exploit. The vendor will verify that this is not a known issue, that is, that it is a true 0day. Then the exploit follows ZDI’s Disclosure Policy which, simply stated, is 120 days until disclosure in most cases.

  • Multiple awards are possible for each target and category.

While Pwn2Own is only committed to purchasing one winner per target, they typically will buy many successful exploits for a target. This is why they allocated over $250K in prize money for Pwn2Own Miami.

Pwn2Own gets an incredible amount of offensive security talent to give an important target a hard test by rewarding that talent with money when they succeed. The vendors learn first about these problems and can fix them, which benefits all in the community.

In the enterprise and mobile environment, Pwn2Own was originally viewed negatively by the vendors who had targeted products. It took over 5 years before Microsoft supported the Pwn2Own effort. Now it is seen by companies very serious about security, such as Microsoft, VMware and Tesla, as an opportunity for a great penetration test and as an opportunity to find and fix vulnerabilities. So much so that they are now funding some of the prizes to exploit their own products.

We are not there yet in ICS, although it is noteworthy and impressive that Rockwell Automation is making their products available to Pwn2Own contestants. This is a big deal that I’ll write more on later. Pwn2Own Miami is the first try at anything like a significant prize or bug bounty for an ICS exploit, and Trend Micro / ZDI is providing all of the prize money.

Tomorrow: The ICS Target Selection