ZDI Shares “Crazy” Stories on 15-Year Anniversary
Trend Micro’s Zero Day Initiative (ZDI) this week celebrated its 15-year anniversary and the company has shared some “crazy” and “odd” stories with SecurityWeek.
Since its launch in 2005, ZDI, which describes itself as the world’s largest vendor-agnostic bug bounty program, says it has reported more than 7,500 vulnerabilities to vendors and paid out more than $25 million to over 10,000 researchers.
ZDI is also the organizer of the Pwn2Own hacking competitions, where white hat hackers have earned tens or hundreds of thousands of dollars for demonstrating sophisticated exploits targeting smartphones, IoT devices, operating systems, popular software, industrial control systems, and even cars.
Here are the interesting stories from the past 15 years that ZDI has shared with SecurityWeek:
Shutting down government operations:
Back in 2015, we received a submission that demonstrated how to bypass the LNK patch meant to fix a bug used by Stuxnet in 2010. We definitely purchased the bug, and Microsoft patched it quickly. After the Shadow Brokers leak, it came to light that one of the tools was called “EZCheese” – a tool that exploited the LNK patch from 2010. After our submission, the agency (allegedly) developed a different tool called “Brutal Kangaroo” for the same purpose. That’s just one example. Bugs we’ve purchased also helped disrupt the Black Energy APT and were referenced often in the Hacking Team data breach from 2015.
Nearly setting the hotel on fire in Amsterdam:
At Mobile Pwn2Own in 2012, we somehow forgot that European electricity is at a higher voltage than U.S. electricity. We had an adapter nearly go up in smoke. We felt a little better about that situation when one of our researchers made the same mistake with a Tesla head unit prior to Pwn2Own in 2019. Fortunately, that just required a new power supply and not a new head unit. To his credit, he bounced back strong and was one half of the duo that won the Tesla Model 3 with a compromise of the infotainment system.
Dropping 0-day on our “parents”:
The ZDI must remain independent of our parent company. This is true to the extent that when we purchase bugs in our parent company’s products, they are subject to the same disclosure timelines. In the past, this has led to multiple instances of the ZDI dropping a 0-day on our parent company’s software. To say these were awkward calls with executives is putting it mildly. However, it does demonstrate to the researcher community that we hold everyone to the same standard.
Winning the Microsoft Bounty:
Our research earned $125,000 from Microsoft for submitting a bypass for defensive measures Microsoft had implemented in their browser. The submission took only a couple of weeks to complete. Our research was unique to the point that we earned a patent on the technique. Even though they paid out, a part of that research ended up being disclosed as a 0-day. All of the money was donated to charities focused on STEM education.
Challenges in Running Pwn2Own:
Once, due to a miscommunication with the conference organizers, we didn’t have laptops. We ended up running around Vancouver looking for identical HP laptops we could use for the contest. One of the biggest challenges is making sure we have all of the latest patches for the devices in the contest. Vendors often patch immediately before the contest, which means we’re up late at night to ensure everything is up to date. This can also be complicated by updates that are only available in certain regions. It’s tough on contestants as well. There have been multiple times where someone lands in Vancouver on a Monday with a working exploit only to have it fail on the Wednesday after Patch Tuesday.
Every program that does vulnerability disclosure receives its fair share of submissions that don’t meet the bar for various reasons. Sometimes the bug is already public. Sometimes it’s a legitimate bug in a product we’re not interested in. Sometimes it just isn’t a real bug. This can lead to some interesting exchanges with those who are convinced their “bug” could set the Internet on fire. In rare cases, we’ve had to deal with people who send in long, rambling conspiracy theories about how their neighbors and every 3-letter agency are out to get them. Still, all things considered, we have a much lower rejection rate than most agencies doing vulnerability disclosure.