Microsoft rewards hackers that can break Azure Sphere
May 20, 2020
Microsoft is offering financial rewards for those that can hack into Azure Sphere, which offers end-to-end IoT security across hardware, OS and the cloud.
The Azure Sphere Security Research Challenge is an expansion of Azure Security Lab, announced at Black Hat in August 2019. At that time, selected researchers were invited to come and do their worst, emulating criminal hackers in a customer-safe cloud environment.
This latest research challenge aims to spark high-impact security research in Azure Sphere. While Azure Sphere implements security upfront and by default, Microsoft recognises security is not a one-and-done event. Risks need to be mitigated consistently over the lifetime of a constantly growing array of devices and services.
Engaging the security research community to search for high-impact vulnerabilities before the bad guys do is part of the holistic approach Azure Sphere is taking to reduce the risk.
This new research challenge is a three-month, application-only security challenge offering special bounty awards and providing additional research resources to programme participants. It runs from June to August 2020.
Microsoft will award bounties of up to $100,000 for specific scenarios in the challenge during the programme.
This research challenge is focused on the Azure Sphere OS. Vulnerabilities found outside the research initiative scope, including the cloud portion, may be eligible for the public Azure Bounty programme awards. Physical attacks are out of scope for both this challenge and the public Azure Bounty programme.
The challenge provides resources to support research, including: Azure Sphere development kit; access to Microsoft products and services for research purposes; Azure Sphere product documentation; and direct communication channels with the Microsoft team.
“The security landscape is constantly changing with emerging technology and security threats,” said Sylvie Liu, security programme manager at Microsoft’s security response centre. “Keeping Azure exceptionally secure for our customers is a top priority. By expanding the Azure Security Lab, we’re providing more content and resources to better arm security researchers with the tools needed to research high-impact vulnerabilities in the cloud.”
Liu said Microsoft worked hard to secure its cloud and software, and that the help of security researchers amplified its ability to continually increase security.
“By discovering and reporting vulnerabilities to Microsoft through coordinated vulnerability disclosure, security researchers have helped us continue to secure millions of customers,” she said. “Additionally, our partnership with the global security community is key to keeping our customers secure. We appreciate the collaboration in this research initiative with our key industry partners, and strongly believe that expanding the Azure Security Lab will help to continue to protect our cloud and Azure Sphere.”
The Azure Sphere Security Research Challenge partnership brings Microsoft together with Avira, Baidu International Technology, Bitdefender, Bugcrowd, Cisco Systems (Talos), Eset, FireEye, F-Secure, HackerOne, K7 Computing, McAfee, Palo Alto Networks and Zscaler, who all bring expertise in IoT security research.
“This kind of collaboration complements Microsoft’s internal work to secure the ecosystem, as digital transformation leads more and more customers to the cloud, where connected IoT devices must be secured,” said Liu.