The company is offering a $100,000 bounty to anyone who can break into Azure Sphere.
In its quest to make its IoT offerings as secure as possible, earlier this month Microsoft announced a new $100,000 bug bounty for anyone who can break into Azure Sphere. The Sphere Security Research Challenge lets bug hunters communicate directly with the company’s technical team as they make their break-in attempts.
Sphere is made up of three parts: the Sphere OS, a custom version of Linux created by Microsoft; custom silicon produced by the company’s partners, including MediaTek, NXP, and Qualcomm; and a security service that runs in the Azure cloud.
The challenge consists of two $100,000 prizes. The first will be awarded to anyone who can infiltrate Pluton, the security subsystem that provides a root of trust to the Sphere microcontroller, and execute code. The system runs a secure boot process that does not provide runtime services until other software components are fully loaded.
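The article describes Pluton as a root of trust feeding a secure boot process that withholds runtime services until later components are fully loaded. The following is an added illustration of that chain-of-trust pattern, not Microsoft's Pluton implementation and not taken from Azure Sphere: a simulated immutable root holds only the digest of a boot manifest, each stage is measured against that manifest before it is loaded, and services are enabled only once every stage has verified. Stage names, image contents and the manifest format are all constructed for the example.

```python
"""Simplified chain-of-trust boot verifier (added example, not Azure Sphere code).

Model: an immutable root of trust stores one value, the SHA-256 of a boot
manifest. The manifest lists the expected digest of every later stage. A stage
is loaded only after its digest matches, and no runtime service is enabled until
every stage has been verified. All names, images and digests are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class BootResult:
    verified_stages: List[str] = field(default_factory=list)
    runtime_services_enabled: bool = False
    failure: Optional[str] = None


# Constructed stage images standing in for firmware blobs, in boot order.
STAGES: Dict[str, bytes] = {
    "security_monitor": b"monitor image v1",
    "kernel": b"kernel image v1",
    "netd": b"networking daemon v1",
}


def build_manifest(stages: Dict[str, bytes]) -> bytes:
    """Manifest = ordered 'name:hexdigest' lines (signing is out of scope here)."""
    return b"\n".join(
        f"{name}:{sha256(img).hex()}".encode() for name, img in stages.items()
    )


MANIFEST = build_manifest(STAGES)
# The only value the simulated root of trust has to protect.
ROOT_OF_TRUST_DIGEST = sha256(MANIFEST)


def secure_boot(
    manifest: bytes,
    images: Dict[str, bytes],
    root_digest: bytes = ROOT_OF_TRUST_DIGEST,
) -> BootResult:
    """Verify the manifest against the root, then every stage in order.

    Stops at the first failure and never enables runtime services unless all
    stages verified. Constant-time comparisons avoid leaking digest prefixes.
    """
    if not hmac.compare_digest(sha256(manifest), root_digest):
        return BootResult(failure="manifest does not match root of trust")

    expected: Dict[str, bytes] = {}
    for line in manifest.decode().splitlines():
        name, hexdigest = line.split(":", 1)
        expected[name] = bytes.fromhex(hexdigest)

    result = BootResult()
    for name, digest in expected.items():
        image = images.get(name)
        if image is None:
            result.failure = f"stage {name} missing"
            return result
        if not hmac.compare_digest(sha256(image), digest):
            result.failure = f"stage {name} failed verification"
            return result
        result.verified_stages.append(name)

    # Only here, after every stage verified, are runtime services brought up.
    result.runtime_services_enabled = True
    return result


if __name__ == "__main__":
    print(secure_boot(MANIFEST, STAGES))
    patched = dict(STAGES, kernel=b"kernel image v1 (patched)")
    print(secure_boot(MANIFEST, patched))
    # Rewriting the manifest to match the patched image does not help: the
    # manifest digest no longer matches the root of trust.
    print(secure_boot(build_manifest(patched), patched))
```

The third case is the point of anchoring the chain in an immutable root: an attacker who can modify both a stage image and the manifest still fails at step zero, because the root digest is outside their reach.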
The second prize will be awarded to anyone who can infiltrate Secure World and run code. Secure World is one of the operating modes for Sphere devices and is locked down in a secure mode that only allows Microsoft-written code to run. Sensitive hardware, such as memory, is protected by a security monitor that runs in Secure World and also controls access to Pluton.
The challenge will run from June 1st to August 31st and has certain conditions, such as no physical attacks on the device. The challenge also provides lower payouts for other attacks that fall under Microsoft’s existing bug bounty program for Azure, with bonus payments of up to 20%:
- Running code on networks (a Linux networking daemon)
- Spoofing device authentication
- Unexpected elevation of privilege
- Altering software and configuration options that you’re not supposed to, or altering the firewall built into the microprocessor hardware so that a Sphere device communicates with an unauthorized destination