On Wednesday, the winners of this year’s Pwnie Awards were announced in a ceremony following the first full day of conference briefings. Among those walking away with the My Little Pony awards in hand were Charlie Miller and Chris Valasek (Jeep hack), Tavis Ormandy (Antivirus vulnerabilities), and Peiter Zatko (.Mudge) (Lifetime Achievement).
Before, however, a group of hacker all-stars gathered for a group photo.
And now, without further delay, are the winners direct from the Pwnie Award site:
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
Cisco’s ASA (Ancient Security Architecture) firewalls had a vulnerability in their IKE fragment re-assembly that permitted remote unauthenticated heap memory corruption. Thanks to a lack of non-executable memory and ASLR protections, these Exodus researchers were able to turn this vulnerability into an epic win just as if they were exploiting a late 90’s Linux box. It just turns out that this late 90’s Linux box happens to be your firewall/NIDS/VPN/IRC Bouncer. Yay.
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting client-side bug.
This vulnerability was discovered when SSH kept segfaulting when a Google engineer tried to connect to a particular host. Rather than being a bug in SSH, it turned out that Google has ridiculously long internal hostnames that cause stack buffer overflows in glibc’s DNS resolution code. They also have some ridiculously talented security engineers who were able to bypass modern Linux security mitigations like ASLR and exploit this bug.
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.
The best part about platforms building new layers of privilege with Trusted Execution Environments is that they all present new opportunities for wicked cool privilege escalation vulnerabilities. While Intel is down to somewhere around Ring -37, ARM-based platforms are catching up quickly. A mysterious porcupine slash hacker slash blogger has spent the last year documenting a privilege escalation chain from zero privileges to full dumping of FDE keys outta TrustZone. The exploitation of this vulnerability in the Widevine DRM-protected video trustlet was a work of art and it deserves a video of a round of applause displayed through a hardware-protected video path that fully protects the rights of the content owner end-to-end.
Awarded to the researchers who discovered the most impactful cryptographic attack against real-world systems, protocols, or algorithms. This isn’t some academic conference where we care about theoretical minutiae in obscure algorithms, this category requires actual pwnage.
DROWN is the Mark Dowd Flash Exploit of crypto attacks. It is one of the all-time great papers not just in crypto exploitation, but in exploitation period.
Start here: almost everyone working in software security knows that if you encrypt a message and then don’t authenticate the resulting ciphertext, you’ve got problems. If you encrypt with a block cipher in CBC mode, which is how everyone encrypted until like 5 minutes ago, you have a problem with a name: a padding oracle.
Among all the viable crypto attacks you can pull off with a laptop to get a game-over serverside flaw with, there are two that you can count on a strong pentester to actually know about: hash length extension and the CBC padding oracle.
What a lot of strong pentesters don’t know is that the padding oracle attack that breaks AES in CBC mode also breaks RSA. The attack is trickier, but not that much trickier, and when you pull it off you join a secret society of people who get to make dumb jokes based on the name “Bleichenbacher”. We have a Slack!
So, DROWN exploits the Bleichenbacher RSA padding oracle against TLS. Easy peasy, lemon squeezy, right?
Wrong. There is neither pease nor squeeze to be found anywhere in DROWN.
To start with: the Bleichenbacher oracle doesn’t work against SSL 3.0 or TLS. And SSL 3.0 or TLS is what everyone uses. But DROWN still works. Why?
Because people still have SSL 2.0 servers stood up on the Internet. They don’t use them. They’re not even aware that they’re there. But they are, and because people are lazy, they have the same certificates and keys installed as the TLS servers do. DROWN takes advantage of that: it’s a cross-protocol attack.
In the DROWN attack, attackers start a handshake with a TLS server, and then quickly shuttle the victim’s TLS messages to an SSL 2 server. SSL 2 is vulnerability to RSA oracles, and can be used as a cross-protocol oracle.
But wait: there’s more. SSL 2.0 is not the same protocol as TLS. It can’t do anything with TLS ciphertexts. But there’s an extension to the RSA padding oracle attack that takes advantage of RSA malleability. The same malleability that allows attackers to do the number-theoretic equivalent of flipping bits in a CBC ciphertext also allows attackers to *tune* their corrupted TLS RSA ciphertexts.
The DROWN attack takes advantage of an optimization Bardou used for fast padding oracle attacks against embedded hardware to adapt TLS messages to SSL 2.0, and then use SSL 2.0’s vulnerability to padding oracles to decrypt them.
It’s among the coolest attack papers I’ve ever read. Let’s pretend, just for this one Pwnies event, that it had better branding than Badlock.
Awarded to the researchers who introduced or discovered the most subtle, technically sophisticated, or impactful backdoor in widely used software, protocols, or algorithms.
Although many vendors intentionally backdoor their products, because they hate their users, some companies have to rely on the cyberwarfare divisions of global powers to do so. In late 2015, Juniper issued an advisory claiming that “unauthorized” code in the Netscreen operating system had been active for the last few years. Netscreen firewalls are externally exposed by their very nature and it wasn’t long before two sets of issues were uncovered.
In a nod to grunge 90s, a SSH backdoor was added that allowed anyone (mostly China) to login to a Netscreen device over SSH using a hardcoded backdoor. The security firms who published the details did so knowing that far too many sysadmins were stuck at their in-laws over the December holidays and looking for any excuse to spend some quality time in a dark room by themselves.
The second issue was far more interesting. In an attempt to make all of the privacy crazies^W^W crypto activists feel better about themselves, the Dual_EC RNG constant hardcoded into the Netscreen firmware was changed from one mysterious constant to another. Juniper hasn’t clarified whether the first constant was a backdoor as well, but it is safe to assume that the entire Netscreen platform should be gently lowered into a volcano at this point.
Eight months later, not much is publicly known about how these backdoors were added, or which Juniper developer has a storage unit full of Chinese tiger penis wine as a result.
Awarded to the researchers, their PR team, and participating journalists for the best, most high-profile, and fear-inducing public spectacle that resulted in the most panic-stricken phone calls from our less-technical friends and family members. Bonus points for it being a needlessly sophisticated attack against a needlessly Internet-enabled “Thing.”
They may not have been the first, but in our not-so-biased opinion, Charlie and Chris wore it best. The car hacking papers from researchers at UCSD and UW just lacked sufficient…Andy Greenberg freaking out.
This high-profile demo caused Chrysler to recall 1.4M vehicles in order to address the vulnerabilities that Charlie and Chris identified. More importantly, it demonstrated to the entire industry how expensive not properly securing smart vehicles’ systems could be and that proper software security programs just might be a good idea.
Sometimes the most important part of security research is how you market and sell the vulnerability you discovered. Who cares how impactful the actual vulnerability is, what matters is how sweet your logo turns out!
Credit: Marc Newlin, Bastile’s Threat Research Team
This team didn’t stop at the named vulnerability or the prostyle logo, they produced a 3 minute video outlining the threat of this issue. The video looks impressive including slow motion hacker walking and on screen typing. The voice over, pimping the Bastille team, is not as impressive. Basically, if you can get close to a target that is using a non-bluetooth wireless keyboard or mouse, and not have the victim look at their screen, you’re golden. The movie highlights a victim on the phone but unaware of his computer screen while another victim leaves for coffee. Oscar award winning performances all around. This came in with a CVSS score of 2.9 which is about the same as not using a password manager.
Awarded to the researchers, attackers, defenders, executives, journalists, nobodies, randos, or trolls for pulling off something so truly epic that we couldn’t possibly have predicted it by creating an award category that did it justice.
He’s no stranger to bugs. He knows the rules better than you or I. Remote code execution is what he’s thinking of. You wouldn’t get this from any other guy.
We just want to tell Tavis how we’re feeling. Gonna make him understand…
Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
Memory deduplication, a well-known technique to reduce the memory footprint across virtual machines, is now also a default-on feature inside the Windows 8.1 and Windows 10 operating systems. Deduplication maps multiple identical copies of a physical page onto a single shared copy with copy-on-write semantics. As a result, a write to such a shared page triggers a page fault and is thus measurably slower than a write to a normal page. Prior work has shown that an attacker able to craft pages on the target system can use this timing difference as a simple single-bit side channel to discover that certain pages exist in the system.
Awarded to the vendor who mis-handled a security vulnerability most spectacularly.
Western Digital is no stranger to redundancy in the context of data integrity, and they’re not cutting any corners in applying those lessons to their cryptographic failures. Their firmware is rich with layers of keys resting adjacent to ciphertext, like a matryoshka doll of plaintext surprises. The most impressive part is that you don’t need to be a firmware extraction connoisseur to benefit from the rewards of their abundant “data recovery” options; take comfort in knowing that the keys themselves are actually just redundant copies of a 32bit rand() value repeated over and over, making the keys impossible to lose!
In response, the good folks at WD “continue to evaluate the observations”, possibly the most indecipherable output they’ve ever produced.
Awarded to the person who discovered a bug resulting in the most hype on the Internets and in the traditional media. Extra points for bugs that turn out to be impossible to exploit in practice.
Countdown timer, logo, website, and excessive Twitter/media hype all for a Denial of Service bug.
What kind of awards ceremony does not have an award for best song?
This cover of Sia’s “Chandelier” was the keynote of Kiwicon 2015, where it was combined with interpretive dance to artistically summarize the deep geopolitical tensions surrounding cyberwar, attribution, and the Wassenaar Arrangement (maybe?).
Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn’t there to document this FAIL for all time? This award is to honor a person or company’s spectacularly epic FAIL.
It turned out that 2015-2016 was the first year that everyone everywhere won at security all year round. Either that or the Internet didn’t give us enough good nominations for this category. It’s most probably the first one, though.
Most hackers have the personality of a supermodel who does discrete mathematics for fun. Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one’s third decade, it is time to put down the disassembler and consider a relaxing job in management.
Peiter C. Zatko, one time L0pht frontman and author of fundamental hacking tools including L0phtcrack is a long-time vulnerability research educator and influencer. He is well known for leading L0pht’s 1998 senate testimony about the end of the world as we know it, which ended up with the US Govt trusting this hacker enough to allow him to control DARPA’s cyber security program. Like most security researchers Mudge also did his time at Google, but has since returned to the beltway to help establish a cyber consumer reports magazine service, apparently by request of the White House.
0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.
Backdooring cryptographic routines makes them fragile, especially when you are trying to hide said backdoor as a neat coincidence between leaking a lot of key data, failing to use the normal default Q value, and just generally sucking at security engineering. We’re not saying Juniper was backdoored to start with, we’re just saying, hey, what a neat coincidence, and we respect the amount of work that went into that coincidence.
And the genius of the hackers who REBACKDOORED the backdoor is that all they had to do is change one simple number, the fake Q number, and nobody even noticed, because “Hey, we can’t decrypt that stream? Whatever. More where that came from.” is the standard SIGINT response.
Then later, they added an admin/password backdoor, just in case they didn’t have passive collection around a site, and wanted to get more active access.
Hat’s off to you, unknown (Russian) hackers.
There’s no CVE for this issue because CVE is dead.