Microsoft chose Linux instead of Windows 10 to power an IoT security platform, and now it’s offering hackers $100,000 (£81,000) if they can break it.
There are, of course, conditions attached.
For a start, this isn’t a challenge to hack into any old Linux OS. Instead, it’s a very specific Linux OS that Microsoft has in mind: one that powers its Internet-of-Things (IoT) end-to-end security platform.
That platform is Azure Sphere.
The Azure Sphere operating system is a customized, very compact, Linux-based high-level OS, combined with a secure application environment for additional hardening. Throw this into a mix of hardware, software, and the inevitable cloud, and you get Microsoft’s IoT end-to-end security platform.
Azure Sphere is designed to help take much of the risk out of the IoT equation, and that’s why Microsoft announced, on May 5, a new phase in its Azure Sphere Security Research Challenge.
This new challenge will only run for a three-month period starting June 1. However, to apply to take part in the hacking bounty program, security researchers will need to submit their applications before May 15.
The 50 hackers who are accepted into the challenge pool will get all the resources they need to take on the scenario-based vulnerability discovery test. Those resources will include full access to the Azure Sphere development kit as well as to other Microsoft products and services that could be used during their research.
As part of the holistic approach to risk that Microsoft is adopting, it is hoped that the challenge will engage the security research hacking community to uncover any critical vulnerabilities that might otherwise go unnoticed.
Unnoticed, that is, until threat actors find and exploit them. Microsoft would hope that there are no such vulnerabilities that could enable the execution of code on the Pluton root of trust security subsystem for Azure Sphere, but if there are, then that could be $100,000 right there.
Find a vulnerability that would enable code execution on Secure World, which sits below the custom Linux kernel and is where only Microsoft-supplied code should be able to run, courtesy of the Security Monitor, and there’s another potential $100,000.
“Security is a team sport,” Sylvie Liu, the security program manager at the Microsoft Security Response Center, said, “and security researchers are so important to making technology as secure as possible.”