Collaborating in-person with Google engineers and their fellow hackers was a key highlight for security researchers participating in the latest HardPwn event, which took place at Hardwear.io Netherlands 2023.
A trio of competitors we spoke to variously enthused about how the latest HardPwn enabled them to learn from their peers, meet fellow hackers they’d “been following digitally for years” and “directly communicate the discovered bugs to the vendor face-to-face”.
The event’s fifth annual edition, which took place in The Hague between 30 October and 3 November, saw the hardware hacking elite probe Google’s Pixel Tablet, Pixel Watch, Nest Wifi Pro and Chromecast for vulnerabilities.
Pixel secureboot bypass
Among the most notable bugs uncovered was “a secureboot bypass on the Pixel tablet dock via a two-bug chain”, as described by Nolen Johnson, OT and hardware security consultant at cybersecurity firm DirectDefense, who found the flaw with the help of mobile/IoT software engineer Jan Altensen.
The duo submitted three vulnerabilities in total, with two requiring remediation, while the “jury is still out” on the third, says Johnson.
Certificate validation vulns
Aapo Oksman, founder of IoT/hardware security specialist Juurin Oy, says he “discovered two high severity issues on my own and, together with a team of seven people, we studied multiple devices and managed to find one high/critical severity issue along with multiple low/medium severity issues.”
Asked for his favourite discovery, he notes that his best work involves leveraging a tool he recently released himself: certmitm, which tests for certificate validation vulnerabilities related to TLS connections made by a client device or application.
“This time was no exception and I managed to use certmitm to find bugs from in-scope targets as well as some from vendors not participating in the competition,” says Oksman.
Nest Wifi Pro
Sergei Volokitin, an independent security researcher operating under the name Hexplot, “zeroed in on the Google Nest Wifi Pro, a new target that garnered considerable attention from other participants. By the event’s last day, I was pleased to report four vulnerabilities across various components of the system,” recounts Volokitin.
“The most impactful was a vulnerability nestled within one of the secure stages,” he continues.
“Exploiting it was not only exciting due to the code execution it enabled in the privileged stage, but also for the efficient pathway it opened to explore the system and link the vulnerability with subsequent bugs I uncovered. Establishing an initial foothold is crucial when dealing with protected targets to ensure efficiency, which is critical in a bug hunt.”
Once validated, these exploits earned the hackers rewards based on the Android and Google Devices Security Reward Program Rules, which offers bounties up to $1 million.
For HardPwn Netherlands’ 2023 edition, Google offered a 20% or $500 bonus (whichever is higher) and reduced the severity of vulnerabilities that require physical access by one instead of two CVSS points.
‘Friendly and helpful atmosphere’
However, making money was not the only significant motivation or reward.
“I was thrilled to join HardPwn as it offered precisely what I enjoy: a number of secure devices to break,” says Volokitin.
“It was so enjoyable,” adds Johnson. “I got to meet many hardware hackers I’ve been following digitally for years, as well as tag-team in, and work with these researchers in an open and friendly environment. It isn’t often you find a competition with such a friendly and helpful atmosphere.”
This blend of in-person competition, collaboration and camaraderie seems to inspire the world’s most talented hardware hackers to greater heights than if they were to operate alone. “Everyone was willing to share knowledge, equipment and skillsets, which ultimately led to some insanely cool bugs,” says Johnson.
In-person collaboration is what Oksman “always finds the most rewarding” about HardPwn. “Even if you don’t find bugs, you will learn from each other and share an experience,” he explains. “This time we found a lot of bugs and also had an amazing experience collaborating and meeting with new people.”
Interacting with vendors also makes for low-friction disclosure, as well as invaluable networking that can subsequently lead to job offers or further pentesting/hacking engagements.
“Participating in this event was truly enjoyable as it offered an opportunity to directly communicate the discovered bugs to the vendor face-to-face,” says Volokitin.
Whereas the purely digital bug disclosure process is often “cryptic” and gives hunters minimal feedback or automated responses from vendors, HardPwn provided “a platform to share vulnerabilities directly with Google engineers, discuss attack scenarios and answer their questions – making the entire process interactive and fun.”
Hardware hacking tools
As connected devices continue to proliferate, bug bounty programs remain overwhelmingly focused on software or firmware security. HardPwn therefore stands out by uncovering vulnerabilities in consumer devices at the hardware level, including in custom silicon.
HardPwn was launched at the 2018 edition of Hardwear.io to give hardware manufacturers access to scarce hardware
Hardpwn Netherlands gave hunters access to 30 hardware hacking tools, from pliers, wire cutters , heatgun, soldering iron and electric screwdrivers to nRF52840 Dongles, JTAGulator, LCD Digital Microscopes, Oscilloscope, Chipshouter and SEGGER Microcontroller J-Links.
Google’s latest HardPwn success followed a record number of Google device vulnerabilities surfaced at a hardware hacking event, achieved at HardPwn USA 2023. This included several Chromecast vulnerabilities, as reported last month by Security Week.