It pleases the Right Honorable Pwnies Judiciary Committee to provide the following timely and accurate record of the WINNERS OF THE 2019 PWNIES AWARDS.
(Feel free to peruse the 2019 nominees here.)
pwnie for best server-side bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
Pulse Secure SSL VPN (and others!)
Credit: Orange Tsai & Meh Chang
Pulse Secure is apparently leading SSL VPN vendor. Itss SSL VPN was used by Twitter, Uber, Microsoft, sla, SpaceX, probably that weird flamethrower company Elon Musk started, Akamai, Intel, IBM, VMware, e US Navy, the Department of Homeland Security, and, like, half of all Fortune 500 companies.
Orange Tsai and Meh Chang broke other SSL VPNs, and those breaks were nominated too, and so for the purposes of voting, we think you should just take this as “Orange Tsai and Meh Chang broke most of the SSL VPNs”.
pwnie for best client-side bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting client-side bug.
The Horrible Facetime Group Messaging Bug
Credit: Grant Thompson & Daven Morris
There is a famous quote that some people in our community yell at exploit developers after they have spent three weeks on an exploit: ‘JUST FIND A BETTER BUG’. Exploiting this issue required no heap manipulation, or even understanding what a CPU or a buffer is. And it reminded us all: 100% reliability and ease-of-exploitation is usually in logic bugs.
Don’t look up how old Grant Thompson was when he found this. It’ll make you insecure.
pwnie for best privilege escalation bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.
Credit: Qixun Zhao(@S0rryMybad)
This iOS kernel UAF vulnerability affecting ipc_voucher was directly reachable from Safari, and was used to achieve a jailbreak in order to win the TianfuCup hacking contest.
pwnie for best cryptographic attack
Awarded to the researchers who discovered the most impactful cryptographic attack against real-world systems. A Pwnie Cryptography Award should represent a meaningful break in a system actually deployed. The attack can require a math Ph.D to understand its workings, but not to understand its impact, and it can’t require a data center in Utah to exploit.
\m/ Dr4g0nbl00d \m/
Credit: Mathy Vanhoef and Eyal Ronen
There’s a backstory on this bug, which recovers passwords from WPA3 handshakes.
The WPA3 handshake relies on a PAKE (a cryptographic key exchange secured by a password) called Dragonfly. Dragonfly is the invention of a guy named Dan Harkins. Dan Harkins took it upon himself to retrofit elliptic curves onto first-generation multiplicative-group PAKEs like SRP. We’re losing you here but bear with me: there were PAKE protocols that used the same simple math as Diffie Hellman, and Dan Harkins tried to design one that used ECC. Anyways, when Harkins tried to get his new PAKE included in TLS, Trevor Perrin broke it in a mailing list post. The story goes on and involves the NSA and a bunch of intrigue and is worth looking into. Oh how we laughed.
And then WPA3 was released and, oh look, there’s Harkins’ Dragonfly protocol, right there in our wireless handshakes.
It’s pretty clear to us that the WiFi standards groups triggered some ancient mummy curse, because the WiFi standards by themselves are a master class in everything that can go wrong with a crypto protocol. And, as Vanhoef and Ronen show, WPA3 is by itself a lesson in everything that can go wrong with a single handshake: invalid curve attacks! Protocol downgrade attacks! Timing attacks! They’ll teach this one in schools, unless the WiFi people come up with WPA4 or something, which will surely be even worse.
pwnie for most innovative research
Awarded to the researcher or team who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
Credit: Brandon Falk
If you want to find vulnerabilities or otherwise analyze code at the lowest levels, you need good tools.
When we were young, and walked uphill both ways to school, we had debuggers and some basic memory shadowing tools like valgrind. These tools slow down performance by a factor of 10 or even 1000 and could only perform limited analysis.
Vectorized emulation uses modern hardware tricks to run VMs not even not slower, but actually faster than native code. It does this by rewriting a program using AVX-512 vectorized instructions which allows the simultaneous execution of 16 different VMs at near native speed. This allows for super fast differential code coverage and hardware accelerated taint tracking. Highlights include 4000 fuzz cases per second for MS Word fuzzing, as well as security bugs found in Windows Firewall, and OpenBSD’s dhclient. The author says most people shouldn’t use this tool because it is too fast and finds too many bugs!
Not that that’s a problem we’ve ever had to worry about.
pwnie for lamest vendor response
Awarded to the vendor who mis-handled a security vulnerability most spectacularly.
Not only was BitFi last year’s winner, hands down, in this auspicious category, they nabbed the honor of receiving the most nominations of any in this category! Truly, goals of some sort are being met in their impressive, vociferous social media engagement. Nothing says you care about security like having John Fucking McAfee post videos defending your cyberunbreakableness. Except insulting security researchers repeatedly on social media. If the opposite of love is indifference, BitFi is definitely not in the opposite of love with security research. Bonus for baiting with a bug bounty that never pays out. Could this be a 2 time Pwnie Awards champion?!
pwnie for most over-hyped bug
Awarded to the researcher/team who discovered a bug resulting in the most hype on the Internets and in the traditional media. Extra points for bugs that turn out to be impossible to exploit in practice.
Super Micro - The big hack
Credit: Jordan Robertson and Michael Riley of Bloomberg
China hacked all our computers by implanting a tiny chip on Super Micro’s motherboards.
A top secret probe revealed that this chip, the size of a grain of rice, could allow attackers to create a backdoor into any network that contained one of the altered machines.
The story had every buzzword that make any CISO want to retire: supply chain interdiction, state sponsored, China, Snowden. It was said to affect major banks, government contractors, and even the company they all aspire to be, Apple. This was definitely the computer security story of the year, maybe the decade, except for one small detail.
It seems it was all bullshit.
pwnie for most epic fail
This award is for the defenders who dared to wonder, “What could possibly go wrong?” For the investors who happily departed with eight-figure checks for a pitch presenting snake oil served over word salads on a fool’s gold platter. For the infosec vendors who adopted defense-by-deception as a marketing strategy. This award will honor a person or corporate entity’s spectacularly epic fail – the kind of fail that lets the entire infosec industry down in its wake. It can be a singular incident, marketing piece, or investment – or a smoldering trail of whale-scale fail.
As a resident of the infosec industry, it’s fair to wonder whether words still mean things – and Bloomberg’s cybersecurity reporting is Exhibit A to support the conclusion that they don’t. Beginning with a juicy, bloated entrée, “The Big Hack,” Bloomberg didn’t back down as security experts called them out for their less than rigorous reporting. For dessert, Bloomberg decided to die on the barren hill that end-to-end encryption is a “gimmick” because of a WhatsApp vulnerability (exploited by fellow nominee, NSO Group). It’s one thing to use a term like “cyber weapon” in an article, but it’s another thing to let down an entire industry not once, but twice in a year.
new! pwnie for most under-hyped research
Like good magicians our industry will put a lot of razzle dazzle on the problems we can sell a solution for. But what about the things that are DONTFIX, can’t be scanned for, but are still amazingly cool and high impact? We (as an industry) sweep them under the rug and then they get caught in the UNDERHYPED pwnie awards!
Credit: Jatin Kataria and Red Balloon Security
Let’s address the elephant in the room: this is the first and only vulnerability whose name is written with emojis.
The vulnerability itself affects Cisco devices and provides a bypass to their secure boot mechanism.
The bugchain allowed you to own Cisco Routers. Part of the fun here is modifying the FPGA anchor bitstream, which lives in an unprotected flash RAM, as you would expect.
new! pwnie for epic achievement
Awarded to the researchers, attackers, defenders, executives, journalists, nobodies, randos, or trolls for pulling off something so truly epic that we couldn’t possibly have predicted it by creating an award category that did it justice.
How much information about a bug can you fit in one sentence? Ask Steve Christey Coley, the single most prolific CVE entry writer on the planet. Sure, it was his day job, but Steve went above and beyond, spending over a decade writing dense dialect to define and de-duplicate bug reports for defense. Cataloging bugs may not be as sexy as finding them and making fun of bad vendor responses, but we all benefit from this basic identification infrastructure. Steve is a prominent member of the community and pays particular attention to gender inequity and other issues on the human side of infosec.