Daan Keuper has hacked under a bright spotlight before.

In 2012, he hacked a brand-new iPhone and took home $30,000 while on center stage at Pwn2Own, the biggest hacking contest in the world. Driven by curiosity, Keuper and his colleague Thijs Alkemade then hacked a car in 2018. Last year, motivated by the pandemic, they hacked videoconferencing software and coronavirus apps.

This week, the two Dutch researchers took home $90,000 and a new Pwn2Own championship trophy by targeting the software that helps run the world’s critical infrastructure. 

They say it was their easiest challenge yet.

“In industrial control systems, there is still so much low-hanging fruit,” Keuper says. “The security is lagging behind badly.”

“This is definitely an easier environment to operate in,” agrees Alkemade.

At the exact same time that I was watching the pair on stage in Miami targeting a small arsenal of critical industrial software, the United States and its allies issued a warning about the elevated threat of Russian hackers’ going after infrastructure such as the electric grid, nuclear reactors, water systems, and more. Last week, one group of Russian hackers was caught trying to bring down the Ukrainian power grid, and another hacking group was caught aiming to disrupt critical industrial systems. 

At Pwn2Own, the stakes are a little bit lower, but the systems are the same as what you’ll find in the real world. This week in Miami, the targets were all industrial control systems that run critical facilities. Nearly every piece of software offered up as a target fell to the hackers. That is what the sponsors pay for, after all—hackers who succeed will share all the details so the flaw can be fixed. But it’s also a sign that critical-infrastructure security has a long way to go.

“A lot of the bugs we’re seeing in the industrial control systems world are similar to bugs we saw in the enterprise software world 10 to 15 years ago,” says Dustin Childs, who ran the show this year. “There is still a lot of work to be done.”

Looking for the big one

One notable target at this year’s show was the Iconics Genesis64, a human-machine interface tool that hackers can break into to bring down critical targets while fooling the human operators into thinking nothing is wrong.

We know this is a real threat because a decade ago, a landmark hacking campaign known as Stuxnet targeted the Iranian nuclear program. Hackers believed to be working for the United States and Israel sabotaged the programmable logic controllers inside the gas centrifuges used to separate nuclear materials, but they also told the machines to tell the Iranian operators that everything was going well. That clever extra bit of sabotage multiplied the success of the operation.

In Miami, the Iconics Genesis64 was hacked at least six times to give attackers full control. The teams that took on the challenge won a total of $75,000. 

“I’m surprised to see so many unique bugs on the Iconics Genesis64,” says Childs. “It just shows there is a real depth of bugs to be mined. There is a lot more out there than what people are reporting right now.”

The indisputable highlight of the show belonged to Keuper and Alkemade, who targeted a communications protocol called OPC UA. Think of it as the lingua franca that different parts of a critical-operations system use to talk to each other in industrial settings. Keuper and Alkemade—competing under their company name, Computest—successfully bypassed the trusted-application check.  

When it happened, the room instantly erupted into the biggest applause of the entire weeklong competition. I watched the audience buzz as Keuper and Alkemade turned their laptops around for us all to witness their success. In just a few seconds, the team won $40,000 and enough points to secure the competition’s championship title, “Master of Pwn.” 

“We’re looking for exactly that kind of big thing,” says Childs.

“OPC UA is used everywhere in the industrial world as a connector between systems,” says Keuper. “It’s such a central component of typical industrial networks, and we can bypass authentication normally required to read or change anything. That’s why people found it to be the most important and interesting. It took just a couple of days to find.”

The 2012 iPhone hack took three weeks of focused work. In contrast, the OPC UA hack was a side project, a distraction from Keuper and Alkemade’s day jobs. But its impact is outsized.

There are immense differences between the consequences of hacking an iPhone and breaking into critical-infrastructure software. An iPhone can be easily updated, and a new phone is always right around the corner. 

On the contrary, in critical infrastructure, some systems can last for decades. Some known security flaws can’t be fixed at all. Operators often can’t update their technology for security fixes because taking a system offline is out of the question. It’s not easy to turn a factory on and off again like a light switch—or like a laptop.

“In industrial control systems, the playing field is completely different,” Keuper says. “You have  to think about security differently. You need different solutions. We need game changers.”

Despite their success this week, Keuper and Alkemade are not under any delusion that industrial security problems have been instantly solved. But for these two, it’s a good start.

“I do research for public benefit to help make the world a little bit safer,” Alkemade says, “We do stuff that gets a lot of attention so that people listen to us. It’s not about the money. It’s the excitement and to demonstrate what we can do.” 

“Hopefully we made the world a safer place,” says Keuper.
Meanwhile, the Pwn2Own competitions rumble on, having given away $2 million last year. Next month, hackers will gather in Vancouver to celebrate the 15th anniversary of the show. One of the targets? A Tesla car.