Two hackers just pwned the software that runs a majority of the world’s electrical grids. And they did it without breaking a sweat.
Thankfully, the hackers in question were not cybercriminals or nation-state actors out to wreak havoc but adept white hats, who rocked the software on stage in front of an audience at 2022’s Pwn2Own, a hacker conference happening this week in Miami. The point of such conferences is to identify bugs in software so that companies can patch them before they’re exploited by bad guys.
Dutch security researchers Daan Keuper and Thijs Alkemade said that breaking into OPC UA, an open source communications protocol used by a majority of the world’s industrial control systems, was the “easiest” thing they’d hacked at the conference so far, MIT Technology Review originally reported. “In industrial control systems, there is still so much low-hanging fruit,” Keuper told MIT. “The security is lagging behind badly.” Comforting news!
Keuper and Alkemade apparently went to town on droves of different kinds of industrial control software, but the hacking of OPC UA protocol won the duo $40,000 and helped them to secure the conference’s championship title, called “Master of Pwn.”
“OPC UA is used everywhere in the industrial world as a connector between systems,” Keuper told MIT. “It’s such a central component of typical industrial networks, and we can bypass authentication normally required to read or change anything. That’s why people found it to be the most important and interesting. It took just a couple of days to find.”
It’s pretty unsettling timing for this accomplishment to occur, as MIT Tech Review aptly notes. For the last several weeks, national security professionals and White House officials have very publicly worried that Russian nation state hackers might attempt to conduct debilitating cyberattacks on U.S. critical infrastructure as retaliation for U.S. support for Ukraine. The White House recently warned American companies to be on guard against potential cyberattacks and the FBI and other agencies have said they fear Russian attacks on electrical power grids, nuclear power plants, water systems, and more.
The question naturally springs to mind: If it’s a cinch for two contest-goers to hack a utility system, what’s the likelihood that foreign intelligence agencies have the same capabilities? In short: good job, guys! But, also, yikes!