The security problem with the Internet of Things is no surprise, and companies are trying their best to plug the gaps in their defenses. While some developers tackle this by refining their code and allowing users to report flaws, Microsoft is paying people $100,000 in a bug bounty if they break into its IoT system.
Rewarding Hackers Instead of Fighting Them
This strategy may seem odd, but it’s a legitimate way for a company to test its defenses. It’s called a bug bounty: a business offers a reward to anyone who breaches its defenses.
Bug bounties are useful because they draw in a lot of hackers keen on cashing in on the reward. As such, a bounty puts a lot of strain on the system’s defenses, which is useful if a company wants to check whether its protection is sufficient.
If someone does manage to break in, they can show proof to the company. The company then pays the hacker a huge sum and uses the data the hacker provided to patch the problem. The hacker gets a lot of money, and the company locates and fixes an issue without any damage done to them – everyone wins.
What Is the Purpose of Microsoft’s Bug Bounty?
Microsoft wants to protect its IoT devices from attackers, which is why they developed Azure Sphere. This is a security solution that IoT developers can link their devices with to keep them safe.
Of course, the quality of this protection depends wholly on how strong Azure Sphere is. IoT developers may entrust their safety to Microsoft, but if Microsoft’s own defense system isn’t up to par, then the security of every device under Azure Sphere is at risk.
This is why Microsoft is offering $100,000 to anyone who breaches Azure Sphere’s security. It’s part of the testing to ensure that Azure Sphere can live up to its responsibility of keeping the devices it shields safe.
There are two ways a hacker can earn $100,000. The first bounty goes to whoever discovers how to run code on Pluton. Pluton is a security subsystem designed to launch software on boot and is meant to give a level of trust to users. If hackers can exploit it to run code, it would severely hamper this trust.
The second bounty goes to whoever can run code in Secure World. Azure Sphere devices can be booted into Secure World mode, at which point only Microsoft-provided code can be run. Again, if a hacker exploited this system to run code in the wild, it would be a nasty breach of security.
How to Apply to Hunt for Exploits
If you want to try your skills against Microsoft to win some money, be sure to register with them first. Interested hackers should register through the Azure Sphere Security Research Program by May 15th, 2020. If you’re accepted, you’ll have from June 1, 2020, to August 31, 2020, to find an exploit.
An Interesting Step in IoT Security
Anyone keeping track of IoT’s security will know how flawed it is. We’ve seen attacks in spades, including a severe flaw in Ring’s system that allowed hackers to spy on people’s houses through smart cameras.
Microsoft’s new Azure Sphere system may be how IoT’s security is handled in the future. Instead of carrying the burden of security themselves, individual IoT developers can attach their devices to a larger company’s system and let them live under its blanket protection.
This is presumably why Microsoft is offering one of its largest bounty values for any flaws found in Azure Sphere. They need to ensure they can win over the opinions of developers and steer clear of any large-scale security breaches. If a breach happens, it gives wiggle room for a competitor to introduce their own IoT security service.
Keeping Things Secure
With IoT’s overall security looking quite dire, the way is open for companies to offer a solution that protects developers and their devices. Of course, this solution also has to be airtight. And this is why Microsoft is offering the $100,000 bug bounty to whoever can bust its defenses.
If you want to see what else Microsoft is doing in the IoT space, be sure to check out Microsoft Plug and Play.