Hack2Win – VXCON Hong-Kong

Credit to Author: Maor Schwartz | Date: Thu, 13 Apr 2017 08:34:07 +0000

Hi everyone,

We have decided this year not only to sponsor VXCON, but also to run an IoT hacking village!

It will let you win prizes and show your skills in hacking network-based devices.

We have selected 7 devices for you to try and hack.

The goal of the event is to find who is able to gain the highest privileges on any of these devices.
Products:

  1. Synology RT1900ac router
  2. Dahua PoE DH-NVR4108HS-8P-HDS2 H.265
  3. D-Link DIR-850L
  4. HDMI 100M TCP-IP Extender Tx/Rx
  5. Wifi Doorbell Camera Video Intercom Phone Control IP Door set
  6. EU Plug Portable Free WiFi Home Offices Automation
  7. Samsung SmartThings Hub and Motion sensor

Prizes:
First place winner gets $3,000 USD
Second place winner gets $2,000 USD
Third place winner gets $1,000 USD

Judging Criteria
The decision whether someone wins first, second or third place will be based upon the following:

  • Complexity of attack – what was required to achieve the access
  • Innovative method – XSS, SQLi, RCE, from least to most innovative
  • Whether Attack affects the LAN or WAN – more points if it affects the WAN
  • What is achieved by the attack – no access is given to the challengers, so they would need to reach from no-access to some access – therefore a guest access would be considered less valuable than root
  • Write-up Quality – the best write-up (in English): most detailed, best explanation, etc.

Device Settings
All the devices will be factory reset, i.e. default settings. The only non-default settings will be the password for the ‘admin’ (or equivalent) account as documented in the product’s user guide, and the WiFi password (if applicable).

Device Access
The devices will be accessible to participants via the WAN Ethernet interface, or WiFi access.

What counts as ‘hacked’
A device would be considered ‘hacked’ if the participant can prove they:

  • Gained access to the device’s post-authentication admin web interface (remember – you will not be given any credentials)
  • Changed some configuration value, like WiFi password (note: We will not be giving any award for changing the IP address of the device)
  • Made the device do something it’s not supposed to do: for example, execute code, or open a port/service which was previously closed (such as SSH, telnet, etc.)
  • Did something else that would be innovative and unexpected. Be creative! For example: get images from the Camera without actually hacking it

What we won’t count as ‘hacked’

  • Causing a malfunction of the device, DoS, making it unresponsive, making it no longer boot, etc. – we will immediately disqualify a participant if we feel this is being done intentionally
  • Physically opening the device, or connecting to the device by any means other than those we allow participants to use (Ethernet or WiFi)
  • Use of any known hacking method – known methods include anything that we can locate using Google/Bing/etc. This includes documented default passwords (that cannot be changed) and known vulnerabilities/security holes (found via Google, exploit-db, etc.)
  • Anything we at Beyond Security would consider unfair – such as social engineering Beyond Security staff or personnel, or hacking a device that is not the target and using it as a means of gaining access to the target device, etc.

Eligibility
The contest is open to anyone who is of legal age to receive a contest prize in their country. If you are not allowed to receive prizes (please make sure to check this before participating), you may want to team up with a person who is of legal age to receive prizes.

The contest is not open to anyone working for any of the companies whose devices are listed above, or who is involved in the development of any of those devices.

Announcing the winners
We will announce all the winners at the end of the VXCON event. We plan to stop the hacking event 2 hours before the end of the event so that we can prepare. Please don’t wait until the last minute!

Good luck!
