What just happened? This week, two Dutch hackers won this year’s Pwn2Own championship. It is their fourth win at the annual contest in Miami, Florida. This year was their biggest win, with the team pocketing $90,000 and the championship trophy. The pair also took home prizes in 2012, 2018, and 2021. However, in this case, it’s not what they won. It’s how they won that is news, and it’s somewhat disturbing.
At this year’s Pwn2Own, security researchers Daan Keuper and Thijs Alkemade decided to tackle industrial control software called “OPC UA.” This open-source communications protocol is used worldwide to connect industrial systems like power grids and other critical infrastructure.
It’s disturbing enough to know that Keuper and Alkemade were able to break into OPC UA, but it’s even more unsettling that they said it was surprisingly the “easiest” system they hacked at the conference.
“In industrial control systems, there is still so much low-hanging fruit,” Keuper told MIT Technology Review. “The security is lagging behind badly.”
“This is definitely an easier environment to operate in,” Alkemade added.
The duo attacked several other infrastructure systems, but it took only two days to crack OPC UA.
“OPC UA is used everywhere in the industrial world as a connector between systems,” said Keuper. “It’s such a central component of typical industrial networks, and we can bypass authentication normally required to read or change anything. That’s why people found it to be the most important and interesting. It took just a couple of days to find.”
The fact that it only took two hackers a weekend to infiltrate a system responsible for controlling our electric, water, and nuclear systems is especially frightening considering the turmoil in Ukraine. Last month, the White House warned US corporations to harden their cyber defenses in case Russia tries to retaliate over US sanctions.
Technology Review did not mention whether developers have already patched the flaw. However, the host of the Pwn2Own competition, Zero Day Initiative, has a policy of “rewarding researchers for privately disclosing vulnerabilities.” So presumably, the power grids are safe for now.