Tobias Scharnowski, Niklas Breitfeld and Ali Abbasi (Chair Systems Security) have won a cash prize of 75,000 US dollars and second place in the Pwn2Own hacking competition in Miami. Scharnowski demonstrated on three consecutive days on site on behalf of his team how they successfully hacked into Industrial Control Systems (ICS). Such systems are used in industry to control, measure or regulate various processes within production. They are used in a wide range of industries, from telecommunications to chemical processing. The competition included five categories:
- control server
- OPC Unified Architecture (OPC UA) Server
- DNP3 Gateway
- Human Machine Interface (HMI) / Operator Workstation
- Engineering Workstation Software (EWS)
The team of the Horst Görtz Institute for IT Security had already prepared their attacks weeks before. On site, the teams finally had the opportunity to carry out their attacks in front of a judge. They had half an hour each to deal with previously unknown threats. The details of the attacks are communicated only in private to the initiator of the competition, the "Zero Day Initiative", in order to protect the companies using these control systems. The vulnerabilities are then reported to the developer of the product. "The goal is always to get these bugs fixed before they’re actively exploited by attackers," explains the "Zero Day Initiative".
Find more information on the exploits here.
General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.