“OPC UA is used everywhere in the industrial world as a connector between systems,” says Keuper. “It’s such a central component of typical industrial networks, and we can bypass authentication normally required to read or change anything. That’s why people found it to be the most important and interesting. It took just a couple of days to find.”
The 2012 iPhone hack took three weeks of focused work. In contrast, the OPC UA hack was a side project, a distraction from Keuper and Alkemade’s day jobs. But its impact is outsized.
There are immense differences between the consequences of hacking an iPhone and breaking into critical-infrastructure software. An iPhone can be easily updated, and a new phone is always right around the corner.
On the contrary, in critical infrastructure, some systems can last for decades. Some known security flaws can’t be fixed at all. Operators often can’t update their technology for security fixes because taking a system offline is out of the question. It’s not easy to turn a factory on and off again like a light switch—or like a laptop.
“In industrial control systems, the playing field is completely different,” Keuper says. “You have to think about security differently. You need different solutions. We need game changers.”
Despite their success this week, Keuper and Alkemade are not under any delusion that industrial security problems have been instantly solved. But for these two, it’s a good start.
“I do research for public benefit to help make the world a little bit safer,” Alkemade says, “We do stuff that gets a lot of attention so that people listen to us. It’s not about the money. It’s the excitement and to demonstrate what we can do.”
“Hopefully we made the world a safer place,” says Keuper.
Meanwhile, the Pwn2Own competitions rumble on, having given away $2 million last year. Next month, hackers will gather in Vancouver to celebrate the 15th anniversary of the show. One of the targets? A Tesla car.