Microsoft Launches Bounty Program for IoT Bugs

As it works to enhance the security of its IoT products, Microsoft has offered a $100,000 bug bounty to ethical hackers who can break into Azure Sphere.

This latest Sphere Security Research Challenge lets the bug hunters communicate directly with the company’s technical team during their attempted break-ins.

Three parts comprise Microsoft Sphere:

• Sphere OS, a custom version of Linux created by Microsoft
• Custom silicon produced by the company’s partners including MediaTek, NXP, and Qualcomm
• A security service that runs in the Azure cloud

Microsoft has offered two $100,000 prizes in its latest hacking challenge. The company will award the first prize to the first successful hacker to infiltrate Plutron — a security subsystem that provides a root of trust to the Sphere microcontroller — and execute code. The system runs a secure boot process that loads select software components before providing runtime services.

The first hacker who infiltrates Secure World and runs code wins the second prize. One of Sphere’s operating modes, the tightly locked down Secure World only permits Microsoft-written code to run. A security monitor protects sensitive hardware like memory and controls access to Pluton.

Contestants must adhere to certain conditions, like not physically attacking the device. Microsoft will also award lower payouts for other attacks that fall under its existing Azure bug bounty program, with bonus payments up to 20%. Qualifying attacks include:

• Running code on networks (a Linux networking daemon)
• Spoofing device authentication
• Unexpected elevation of privilege
• Altering software and configuration options that you’re not supposed to, or alter the firewall built into the microprocessor hardware and cause a Sphere device to communicate with an unauthorized destination

The challenge will run from June 1 to August 31, 2020.