2018 Pwnie Awards cast light and shade on infosec winners
The Meltdown and Spectre research teams won big at the Pwnie Awards this year at Black Hat, while the late-entry Bitfi Wallet team overwhelmingly won for Lamest Vendor Response.
The Meltdown and Spectre side-channel attacks that exploit weaknesses in major processors scored the top spot in two of three Pwnie Award categories -- Best Privilege Escalation Bug and Most Innovative Research -- but missed on the prize for the most overhyped vulnerability.
The Pwnie Awards, a longtime staple of the Black Hat security conference, are often compared to the Academy Awards, but with spray-painted pony statues, fewer movie stars and more questionable prizes for things like Lamest Vendor Response and Most Overhyped Bug.
This year, the Pwnie Award for Most Innovative Research went to the researchers who discovered the Meltdown and Spectre design flaws. That prize goes to "the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post," according to the Pwnie Awards website. The Pwnie Awards website described Meltdown and Spectre in its nomination for most overhyped bug:
Meltdown and Spectre were vulnerabilities in the way branch prediction worked which would allow attackers the ability to read memory. It was pretty awesome and affected most systems. But at some point, they [sic] hype train jumped the tracks a bit. The normally extremely accurate Fox News called it the worst computer bug in history. One of the researchers who discovered it agreed, calling it 'probably one of the worst CPU bugs ever found.' Bloomberg agreed, the Verge said it was a catastrophe.
Meltdown and Spectre also got the Pwnie Award for Best Privilege Escalation Bug -- a nod toward the seriousness of the flaws, given how unusual it is for a research team to win in more than one category.
Also worthy of honor
Other Pwnie Awards honored more of the best of security research from the past year, including the following:
- The Pwnie for Best Server-Side Bug went to the Intel Advanced Management Technology remote vulnerability, a flaw which enabled an exploit that could bypass endpoint protections, including the Windows firewall.
- The Pwnie for Best Client-Side Bug went to researchers Georgi Geshev and Rob Miller, who built an exploit chain against Android that used 11 bugs in six different applications and was referred to by the Pwnie Awards as "The 12 Logic Bug Gifts of Christmas."
- Pwnie for Best Cryptographic Attack went to researchers Hanno Böck, Juraj Somorovsky and Craig Young for their work on the Return Of Bleichenbacher's Oracle Threat, also known as the ROBOT attack.
The Pwnie Awards initially solicited nominations in 16 categories, but awarded prizes only in the eight categories that received the most nominations, including a Lifetime Achievement Award given to Michal Zalewski, also known as lcamtuf, former director of information security engineering at Google and author of the classic hacker field guide, Silence on the Wire.
Lamest Vendor Response and Most Overhyped Bug
Some of the stiffest competition may have been for the booby prizes.
The competition for overhyped bugs has been fierce recently, as contenders continue to commission websites, logos and social media handles for bugs that might be less than compelling. The nominees for this Pwnie Award honor this year included the Meltdown and Spectre vulnerabilities in microprocessors reported in January, as well as the apparent EFAIL vulnerability in end-to-end encryption technology that turned out to be an issue in email clients.
The winner was a not-quite-tongue-in-cheek parody, Holey Beep, complete with website, logo and tracking assignment as CVE-2018-0492. Beep, a Unix command, "does what you'd expect: it beeps," according to the description from the Holey Beep website. "Beep allows you to control pitch, duration, and repetitions" of the tone.
But it also can give an attacker root on the target system. "Its job is to live inside shell/perl scripts and allow more granularity than one has otherwise. It is controlled completely through command line options. It's not supposed to be complex, and it isn't -- but it makes system monitoring (or whatever else it gets hacked into) much more informative. Also it gives you root."
Meanwhile, Bitfi, maker of the Bitfi Wallet, was the late-entry surprise winner of the Pwnie Award for Lamest Vendor Response. Although the Bifi situation played out just days before Black Hat, The Register reported it received thousands of nominations after hackers comprehensively cracked the devices and demonstrated numerous security failures in the design. Bitfi backed off its offer of a six-figure bounty to any hacker who could manage to hack it by standing behind a very narrow definition of what constituted a hack -- namely, pulling the private key off of a device that doesn't store the key.
The well-documented hacks came after Bitfi's executive chairman, John McAfee, extolled the device as "the world's first unhackable storage for cryptocurrency and digital assets."
As Rev. Robert Ballecer put it on Twitter:
This one was a no-brainer.— Rev. Robert R. Ballecer, SJ (@padresj) August 9, 2018
If you offer a bug bounty and claim your product is "unhackable", then argue that an attacker getting root doesn't count as getting hacked, you win the Pwnie.#BHUSA2018 pic.twitter.com/d61cuu7W3h