Since 2003, October has been recognized as National Cybersecurity Awareness Month. After a three-month research challenge that dovetailed into the beginning of October, Microsoft finally awarded GHC2,245,800 to the global IoT security research community for finding vulnerabilities in Azure Sphere.
In what Microsoft dubbed the Azure Sphere Security Research Challenge, 70 researchers from 21 countries gathered to surface security exploits in the company’s Azure Sphere. Over the course of 90 days, the researchers found 40 exploits, 20 of which were considered “Critical or Important severity security vulnerabilities.”
According to the Microsoft Security Response Center blog, the company broke up the bounties into two high-priority research scenarios that focused on the core of the Azure Sphere OS, and then six general scenarios across various levels of the Azure Sphere OS. In the end, Microsoft awarded the GHC2,245,800 in bounties across 16 eligible reports.
“Many of the vulnerabilities found during the research challenge were novel and high impact and led to major security improvements for Azure Sphere in their 20.07, 20.08 and the latest 20.09 updates, which have been automatically pushed to Azure Sphere devices that are connected to the internet to help secure Azure Sphere customers. Security researchers from McAfee ATR and Cisco Talos reported some of the highest impact vulnerabilities in Azure Sphere, especially a full attack chain developed by McAfee ATR that exposed a weakness in the cloud and multiple weaknesses on the device including a previously unknown Linux kernel vulnerability.”
There are more details on the specific vulnerabilities and the techniques researchers used during the bounty program, and most of that information can be found on Microsoft’s Azure Sphere team blog.
Microsoft’s Azure Sphere represents much of the company’s effort in IoT. With new devices and sensors that make use of IoT platforms coming online daily, we should expect to see more dedicated bounty programs pop up throughout the year.