sitkack 2 days ago

They should be getting at last 20x this. Until we get value based pricing for zero days, we will never be safe from the real threats.

We really should be funding exploit teams to break everything they can so that we have secure infrastructure.

> Two months later, during the Pwn2Own Vancouver 2024 competition, ZDI awarded another $1,132,500 for 29 zero-day bugs. Synacktiv went home with $200,000 and a Tesla Model 3 after hacking its ECU with Vehicle (VEH) CAN BUS Control in under 30 seconds.

  • Veserv 2 days ago

    It is just supply and demand. The systems are so riddled with security defects that the offered prices are enough to incentivize more reported defects than they can fix (though to be fair, the Pwn2Own bounties are on the low side due to payment in “fame”).

    If they offered 20x the price there would likely be so many reported defects that they would go out of business.

    You cannot “patch and fix” your way to a materially higher level of security “quality” or buy your way to zero defects. Offering prices significantly higher than your security “quality” just gets you an endless stream of reports for real defects.

    To put it another way, a bug bounty program is not a mechanism for achieving higher quality, it is a mechanism for public security auditing. It is set at a level where it should almost never trip and should be viewed, publicly, as an initial estimate of security “quality”. A company offering a bounty of X should be viewed as saying: “We are confident that our security is no better than X worth of effort”. That should tell you everything you need to know about the “quality” of these systems.

    • unaindz 2 days ago

      I would have agreed with your logic until a few years ago when we started seeing companies advertising inflated max bounties that they do not uphold when a critical vulnerability gets discovered.

  • rocqua 2 days ago

    It feels like there's a legitimate 'cobras problem' risk with this. Though I guess it's more like hiring and training mercenaries. Because you are training people with dangerous skills, promising them money in return. If the money dries up, they will start looking for other ways to employ their skills to make a living.

    Not that all, or even most, people with those skills would abuse them. But it doesn't take that many, and things might be worse if you start attracting people with insanely big sums.

    • boxed 2 days ago

      What would be the analogy? That programmers plant exploits in their code, only to quit their job and collect money from the exploits? That seems pretty far fetched. It also seems like something that could be easily fixed by companies suing anyone who does this into the ground for planting backdoors. Or just prosecuting them in a normal court.

      • blueflow 2 days ago

        No need to implant new bugs. Having access to the source code is enough to spot bugs. Instead of reporting them to your internal Jira, you sell it on $website. The buyer can fetch the bounty and will be left with a margin.

      • datavirtue a day ago

        Then again exposing weaknesses in your development processes.

    • no_time 2 days ago

      The cobra analogy doesn't work because there is a finite amount of use-after-frees and buffer overflows to be exploited in any given codebase.

      Companies could choose to outbid the black market on every single one of them if they wanted to, they just don't.

      • jeffreygoesto 2 days ago

        There will be plenty. A"I" is going to copy them from the past to the future in unreviewable speed.

    • sitkack 2 days ago

      Cobra is already out of the bag, we see corporations losing billions over dumb mistakes. The contest showed what some skilled individuals or someone else could eventually do. We can't hide behind access. The threats are too big.

      • ben_w 2 days ago

        The cobra effect is another phrase for "perverse incentives", named after the time the British paid people to kill cobras without realising this meant they were paying people to breed cobras, and when they realised and stopped all the bred cobras were released into the wild leaving the area with more cobras than when they started: https://en.wikipedia.org/wiki/Perverse_incentive

        I think this analogy would only fit if the hackers could somehow "breed" bugs, but as they don't work at the corporations making the buggy software I don't see how that would be possible — but then, I'm British by birth, so perhaps I have a blind spot for creating perverse incentives ;)

    • belter 2 days ago

      Most likely these were introduced in the code maliciously, then leaked to the teams to get the money....

    • colechristensen 2 days ago

      Black markets for exploits have been thriving for a long time.

      There are plenty of security consultants and penetration testing houses out there getting paid already.

      Turns out people put a lot of value on not having to launder black market earnings or deal with opsec of hiding their participation.

jannes 2 days ago

The name Pwn2Own is quite ironic. Who really owns their vehicle nowadays?

I hope these security efforts don't lock legitimate owners out of access to their vehicles.

  • HPsquared 2 days ago

    Old basic cars are easier to own, and harder to pwn.

    • bagels 2 days ago

      Depends how old. Anything before mid 90s was trivial to steal with little or no equipment.

      • kristjank 2 days ago

        The cutoff is at modern infotainment systems. If you still have a car stereo, you're probably good.

      • forgetfreeman 2 days ago

        '62 Fairlane, I'd welcome the attempt. If they somehow manage to both prime the fuel pump and trick the carb into introducing enough fuel into the engine to get it to start before the battery's stone dead I'd pay a princely sum for live video of them trying to figure out where first gear is while getting a rude introduction to purely mechanical steering. Given what I paid for it, I could have 6-10 of it stolen before I'm in the neighborhood of sticker on a "cheap" new car.

        • jychang 2 days ago

          Doesn't take much equipment to steal it, though.

          And column shifters still exist - hell, even the Tesla Model 3 has one - so any gen z kid who knows how a manual transmission works can shift it into gear.

          • forgetfreeman 2 days ago

            I am quite certain that getting this vehicle started and out of its parking space is fraught in ways that beggar belief for anyone who hasn't spent a significant portion of their life dealing with the vagaries of shitty vintage project cars, and even then this one's got several tricks up her sleeve that the initiated won't see coming. Think three on the tree, on the floor, with more than one wildly out of place barrier preventing straightforward movement through the shift pattern. Getting this thing in first is less like shifting a car and more like picking an old-school lock with ward plates. Then there's the combination of dodgy battery and mulish fuel delivery system to contend with. The only person I've ever met who can consistently get this thing to crank cold is the lunatic that chopped out the aftermarket electric fuel pump and replaced it with an OEM mechanical pump out of sheer perversity. Equipment? Hell I could leave the key in the ignition and a sign in a window DARING someone to try and I still like my odds.

      • pbmonster 2 days ago

        Really? Mechanical steering column locks were common by the late 70s, right? I'm not aware of any "trivial" bypass, especially not without tools.

        • bagels a day ago

          Screwdriver. Many of them have sheared pins such that the lock doesn't engage.

      • burrish 2 days ago

        True, there's got to be out there some car, recent enough to not be stolen easily and old enough not to have all that hyper connectivity IoT bs.

        • HPsquared 2 days ago

          2000-2005 is the sweet spot. Cars had immobilizers but not keyless entry. Basic electronics: airbags, electric windows, radio. Engines were naturally aspirated with port injection.

    • mschuster91 2 days ago

      > and harder to pwn

      All it takes to pwn a Volkswagen T4 from the mid-90s is to rake the lock, pry open or smash the door, and then about half a minute to hot-wire three pins on the ignition switch (one for the main power and one for the starter motor), although I think that you should be able to motor-rake the ignition switch as well.

      Source: owned and heavily worked on one for a few years. Reliable as fuck but thank god Europe doesn't have much of a "joyride" scene.

      • fingerlocks a day ago

        That’s why everyone has now installed a hidden fuel pump kill switch in their T4s. At least in the US.

  • mschuster91 2 days ago

    > I hope these security efforts don't lock legitimate owners out of access to their vehicles.

    Well that's the thing with cars. Anything the legitimate owner can do because they have physical access, a thief can also do... and even if you force manufacturers to provide a "rooting mode" aka you enter some PIN that you get at purchase into the car's infotainment and it will relax restrictions on the CAN bus, now you open up the gates for thieves as well.

    And on top of that come the actual reasons for the security theatre: people modifying their ECUs to tune up their engines for higher power or speed limiters in trucks than is stated in the vehicle papers (at least in Europe, if you tune your vehicle and don't have the papers updated you're in legit felony territory), doing shit mods like "rolling coal" or otherwise tampering with emission controls (say to avoid having to refill AdBlue)... governments really REALLY do not like this and so regulations get tightened ever closer.

    • Scoundreller a day ago

      Don’t forget the “nothing wrong but the $$$ sensor is broken” bypasses.

kuon 2 days ago

How do you start this line of work? I think I am pretty versed in many security topics and I "think" I would see (some) vulnerabilities in systems, but I don't know where to start. Do you just "pick a target" and start digging?

  • Havoc 2 days ago

    Maybe have a look at the YouTube channel John Hammond. He talks about this sort of thing.

midtake 2 days ago

Seems low, considering zero-days are basically military tech these days.

mmsc 2 days ago

What's amazing about this is that one person, Sina Kheirkhah (SinSinology), beat those _teams_.

  • sitkack 2 days ago

    Team Sina Kheirkhah also got 37% of the prize money because of all the zero days they found. 50% higher than the next team. Amazing work.

  • h4ck_th3_pl4n3t 2 days ago

    I'm also quite impressed that the binary fuzzer of the fourth team found 12 zero days. That's pretty impressive considering it's an automated process compared to the other (human pentester) teams.

Havoc 2 days ago

Seems pretty low. I thought zero days are worth far more than that.

  • bentley 2 days ago

    Zero-days are worth less if they’re for a platform so insecure that zero-days are easy to find.

Scoundreller a day ago

All this reminds me of satellite tv cracking in the early 2000s.

They were thoroughly compromised and even card swaps generally didn’t last long.

I’m not even convinced the latest card swaps actually “fixed” the problem, but rather home internet speeds and streaming caught up and it was easier to p2p pirate or gasp pay!

DrNosferatu 2 days ago

2 Own?

So the prizes were paid in cars?

nektro 2 days ago

zero days should be like minimum a million a piece for these billion dollar companies

sylware 2 days ago

Is there a 'zero-click' category?

xyst 2 days ago

I congratulate these folks on their work in making these products more secure. But it pisses me off a bit that multibillion dollar companies exploit labor to do this for them.

Sure, a few folks get paid out but probably plenty of participants walked away with nothing after 3 days/72 hrs.