Microsoft has begun a 3-month long Azure Sphere Security Research Challenge to find security vulnerabilities in its Azure Sphere OS for building Internet of Things (IoT) solutions. This challenge is adding to the Azure Security Lab announcement from Black Hat back in August 2019. If you are a security researcher, you must signup for the challenge by the deadline of May 15, 2020. For those accepted into the challenge, it will run from June 1, 2020 through August 31, 2020.
Microsoft will be awarding up to a $100,000 bounty for specific scenarios in being able to execute code on the Azure Sphere OS under the Pluton security subsystem or within Secure World. Each of these two scenarios have their own $100,000 bounty.
|Ability to execute code on Pluton||$100,000|
|Ability to execute code on Secure World||$100,000|
The Azure Sphere Security Research Challenge is focused solely on the Azure Sphere OS. This is a custom, Linux-based operating system that has been built for Azure Sphere. It includes customization that greatly enhance the security of the operating system to be better suited for building more highly secured IoT devices and solutions. This challenge is not covering the cloud-based Azure Sphere Security Service (AS3).
Here’s a couple links where you can find more information about the Azure Sphere Security Challenge, how to apply to participate, and a few more details about the bounty scenarios of the challenge:
In a way it’d be really great if nobody wins either scenario of the challenge, since that could mean good things for the overall security of Azure Sphere OS. However, we all know that if nobody wins the challenges, then there are probably security vulnerabilities hiding and waiting to be exploited in the future. For this reason, I hope one or more security researcher participating in the Azure Sphere Security Research Challenge is able to break Azure Sphere OS so Microsoft can continue hardening it. This will make sure our IoT solutions of the future become more secure than they otherwise would be.
Happy hacking, and good luck on breaking the security of the Azure Sphere OS.