As is tradition, this year's Black Hat honored the most outstanding fails, but also the notable achievements, of the security world.
Security experts eagerly await the presentation of the so-called Pwnie Awards every year at the Black Hat hacker conference in Las Vegas. This year the organizers brought three new categories to the stage: Best Mobile Bug, Best Desktop Bug and Best Remote Code Execution.
NSO Group among the winners
The NSO Group from Israel received the award in the first of the new categories. Its "ForcedEntry" exploit, a zero-click iMessage attack used to deliver the infamous Pegasus spyware, bypasses Apple's "BlastDoor" sandbox, which Apple had introduced in iOS 14 to mitigate earlier zero-click iMessage exploits.
One of the three nominations for Best Desktop Bug, which goes to the researchers who discovered the most technically demanding and interesting desktop exploit, sounded a bit mysterious at first. According to the Twitter announcement, this candidate "runs on the latest CPUs from one of the major CPU manufacturers and enables attacks on Trusted Execution Environments".
At the award ceremony, the organizers revealed that the candidate was the serious AEPIC Leak, which had become public in the meantime and which ultimately won the category. The bug in the local APIC of recent Intel processors causes the APIC's memory-mapped registers to return stale data from the cache hierarchy, so an attacker can read data from the CPU caches and even from supposedly protected SGX enclaves.
Windows RPC bug: the older, the wilder
Kunlun Lab received the Best Remote Code Execution award for discovering a roughly 20-year-old bug in Windows RPC. The vulnerability (CVE-2022-26809) in the RPC runtime, a core Windows component, was rated CVSS 9.8: the attack requires no authentication, yields remote code execution, and can reach any unpatched Windows host that exposes SMB (TCP port 445) to the attacker. Microsoft's advisory provides further details, as does a publication on GitHub. Microsoft fixed CVE-2022-26809 as part of its April 2022 Patch Tuesday.
A prize for IT professionals with diverse talents is the "Pwnie for Best Song". This year it went to "Dialed Up", a song that doubles as a mini-CTF (Capture the Flag) with ten challenges. The project participants write that while these puzzles require no knowledge of software or binary exploitation, some of them can be solved much more easily with a bit of coding or scripting. Details can be found on the project website.
The "Most Epic Fail" award recognizes the spectacular failure of a person or a company; according to the organizers, it is the kind of failure that affects the entire security industry. This year it went to an employee of HackerOne. The company operates a platform for coordinated vulnerability disclosure and remediation (responsible disclosure) that connects companies with bug hunters. The employee honored with the award was caught accessing vulnerability reports submitted through the platform and disclosing them outside it to collect bounties for himself.
How do you prevent counterterrorism? Ask Google!
Google stands accused of the "uncoolest" handling of one or more vulnerabilities this year. Its top security team, Google TAG, received the "Lamest Vendor Response" award, a category that is especially popular with fans of the Pwnie Awards. By closing eleven zero-day vulnerabilities, the Google team torpedoed an ongoing counterterrorism operation by Western intelligence agencies ("unilaterally shutting down a counterterrorism operation").
Other awards went to researchers from UIUC, UT Austin and UW for the Hertzbleed side-channel attack (Best Cryptographic Attack), to researchers from Sapienza University in Rome for their Custom Processing Unit (Most Innovative Research), to security expert Yannayl for IP spoofing via IPIP (Most Under-Hyped Research), to Yuki Chen for more than 50 RCE bugs in Microsoft server software (Epic Achievement), and to the "Mystique in the House" vulnerability (CVE-2021-0691) found by Dawn Security Lab (Best Privilege Escalation).
Dino Dai Zovi was honored for his lifetime achievement in the security community. An information security industry veteran and entrepreneur, he is known for his research and for speaking at conferences such as DEF CON, Black Hat and CanSecWest. He is also the co-author of several security books.