IoT Village

IOT Village is designed to have a practical approach towards device hacking allowing the participants to win the gadgets they actually hack into. There is a wide range of devices like routers, webcams etc. available to be played with during DefCamp.

But beware! You will not be the only one trying…let’s see how you can handle the pressure!

So, if you’d like to discover and test some devices in order to see how secure they are and what are the limits you can break, this is going to be a contest you don’t want to miss.

Be sure to pre-register for the IoT Village to reserve your spot and make the most of it! Just use the Registration button to your right and fill in the details.

Goal of the Competition

Identify and responsibly report vulnerabilities in IoT devices.

Rules of Engagement

This competition is part of DefCamp’s Hacking Village 2021 activity series. You need to have a valid DefCamp ticket

/ Each attendee/team that takes part in the contest will be given the means to connect to the network but personal laptop is needed.

/ Each participant/team will then proceed to attack the devices announced in the contest using whatever tools or scripts they have at their disposal.

/ If the method used has unforeseen results thus making the device unavailable to others, make sure you announce the on-site arbitrator (one of the judges).

/ This is considered an accident and no action will be taken against the participant that used that method of attack.

/ If any of the participants/team needs to take a closer look or needs a reset device, please announce the on-site arbitrator (one of the judges).

/ No participant will be allowed to touch the devices at any given time. The only allowed way for the participants/teams to attack the devices is from the network side only.

/ No more than two participants will be allowed at any given time to get close to the devices.

/ If the participant finds a vulnerability on any of the devices, please announce it to the on-site arbitrator (one of the judges).

/ If the participant exploits a vulnerability on any of the devices, please announce it to the on-site arbitrator (one of the judges).

/ In case of a dispute, the on-site arbitrator (one of the judges) will have the final decision after hearing all the parties involved.

/ Please note that if any of the present rules are not followed as well as any disruptive and/or offensive actions towards any of the other participants/teams will not be tolerated and will result in the disqualification of the participant (and team if member of a team).

/ All vulnerabilities MUST BE REPORTED when found!

/ The on-site arbitrator (one of the judges) will move to see the vulnerability in action but the prize will not be validated until a complete and detailed write-up is submitted to the on-site arbitrators by email.

/ Destroying or bricking any of the devices is strictly forbidden. If you are unsure if your action is allowed, ask the organisers

/ It’s not allowed to change credentials of any device or change wifi settings for the routers / switches provided by the organisers

Terms & Condition of this competition are available here.

Scoring

Owning* one of the devices will automatically eliminate the device from the competition and you will receive the device as a prize and a significant number of points in the general score.

Technical SeverityPoints
P0  Owned device2,000
P1  Critical300 – 500
P2  Severe150 – 300
P3  Moderate100
P4  Low10

Note:

  • *A device is considered owned if you prove to the on-site arbitrator (one of the judges) the exploitation in action which gains you full privileges on the system (without any 3rd party interaction and in less than 15 minutes) by using a set of vulnerabilities which were not publicly known and also you shared a detailed report which can allow the arbitror to reproduce the finding
  • P5 submissions are not rewarded. Taxonomy is based on https://bugcrowd.com/vulnerability-rating-taxonomy
  • Rewards are offered on a First Come First Served (FCFS) basis (if duplicates are found).
  • Known vulnerabilities are out of scope
  • Any default credentials for different protocols (such as www, telnet etc) are out of scope for Owning the system but can bring points within P1-P4 severity levels
  • The vulnerabilities used in the process of Owning the device will not be scored individually, unless the player proves the total value of the bugs taken individually is larger than the score for owning the device
  • If the device is not owned you can still receive it as a prize if you have the highest number of points scored within P1  and P4.

Out of scope

The following kinds of findings are specifically non-rewardable within this program:

  • Brute-Forcing passwords and account lockout not enforced
  • Self XSS
  • Information disclosure of non-confidential information – Any non sensitive information leakage, or descriptive error messages (e.g. stack traces, application or server error messages), without further exploitation
  • Fingerprinting / banner disclosure on common/public services along with any disclosure of known public files or directories, (e.g. robots.txt or .htaccess downloadable file without a security impact)
  • Out of date software versions and any vulnerability due to the version numbering CVE
  • Content Spoofing
  • Vulnerabilities that are limited to unsupported browsers will not be accepted. Exploit must work in Chrome, Firefox, Safari and other popular non-IE browsers
  • Clickjacking or issues exploitable through clickjacking that do not pose a security threat and cannot be used to exfiltrate data
  • Lack of HTTP flags 
  • Non-session related cookies. For example Secure and HTTPOnly cookie flags on Non-Session Cookies
  • Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
  • Lack of CAPTCHA or other bot preventing shields during registration and login
  • Sessions not expiring after email change
  • Vulnerabilities that require extensive or obtuse social engineering. For example, a user typing an XSS in to an input field and then submitting the form to trigger a non-persistent XSS
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • CSRF on forms that are available to the public 
  • Copy pasting using services like ‘pastebin’ etc. for data exfiltration
  • Default credentials for any service available on the system
  • Known vulnerabilities with(out) CVEs on the system
  • Accepted features, for eg. we don’t consider Code Execution a function of a device that allows you to execute shell commands

How to submit a vulnerability

IoT Village by DefCamp will rely on the Bugcrowd Vulnerability Rating Taxonomy for prioritization of findings, but the vulnerability can either be downgraded or upgraded depending on the impact and the underlying risk it poses to the targeted device. IoT Village points will then be awarded accordingly. Any downgraded submission will come with a full and detailed explanation.

Submission form is available here.

Reproducibility

Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.

Questions

IoT Village by DefCamp is committed to helping you succeed on this program. If you feel you need more information that may have been omitted here, we would be happy to provide it to you if it’s in the scope. Also if something is unclear or you have any other questions regarding this bug bounty please come at our booth in Hacking Village.

Prizes

The following prizes will be awarded based on the total points obtained.

/ Devices showcased in Hacking Village, if nobody won them but you hit best scores

Terms and conditions are available here.

Targets

  • My Smart Home Hub
  • Mi Smart Light Detection Sensor
  • My Smart Motion Sensor
  • Amazon Echo Dot 4 smart speaker, Alexa Voice Control, Wi-Fi, Bluetooth, Alb
  • Linksys WRT32X, AC3200, Gaming Wireless Router
  • Smart Wi-Fi Bulb TP-Link Tapo L530E, Multicolor, 2.4GHz Wi-Fi, 806 Lumens, E27, Preset as Needed, Program and Timer, Sunrise / Sunset Mode, Voice Control, Remote Control, Away Mode
  • Xiaomi Mi Smart LED light bulb, Wi-Fi, E27, 8W, 810 lm, warm white light
  • Smart TP-Link Tapo C100 Surveillance Camera with Night Vision, Full HD 1080P, Baby Monitor Wireless Audio Video Function, Motion Detection, Sound and Light Alarm, Two-Way Audio, Privacy Mode, Local Storage, IP Wi-Fi, White
  • Wireless Wi-Fi Router 6 TP-Link Archer AX20, Dual-Band Gigabit AX1800, 1.8 Gbps, with OFDMA, 1.5GHz Quad-Core processor, Beamforming, Target Wake Time, WPA3, Airtime Fairness, OpenVPN, Parental Control and USB 2.0
  • Asus RT-AX58U Wi-Fi Router, AX3000, Dual Band, AiMesh, MU-MIMO, Wifi 6
  • Baby Monitor with Artificial Intelligence EbitCam ™ E3-X, 4.0 MP, HD 2624 * 1512, Wireless, IP, Face Detection, Sound Detection, Smart Tracking, ALEXA Voice Function, Auto Rotate, Motion Sensor, Push to Talk, Night vision, Alarm , White
SPONSORED BY

HACKING VILLAGE

Other Competitions

Memory Leak

Overview Back to Contests Memory Leak Get ready to unravel the PCB enigma in “Memory Leak” at ..

DefCamp Capture the Flag (D-CTF) 2023

DefCamp Capture The Flag ( D-CTF) is the most shattering and rebellious security CTF competition in the ..

Reverse Engineering Kindergarten

Overview Back to Contests Reverse Engineering Kindergarten Reverse Engineering Kindergarten was designed to ..

Sponsors & Partners

They help us make this conference possible.

POWERED BY

Orange Romania is part of the Orange Group, one of the largest global telecommunications operators that connects hundreds of millions of customers worldwide. With over 11 million local customers and an annual turnover exceeding 1.5 billion euros, Orange Romania connects 1 in 2 Romanians and offers an extensive range of communication solutions for both individual and corporate customers, from basic connectivity services to complete mobile, fixed internet, TV packages, and complex IT&C solutions through Orange Business

Orange Romania is the number 1 operator in terms of network performance, and also holds nine consecutive Top Employer certifications, which confirm that Orange Romania, in addition to the remarkable products and services it offers, pays special attention to its employees and working environment. In the past 3 years Orange has launched two 5G Labs in Bucharest and Iasi, that aim to support researchers, startups and companies to test their 5G solutions in advance. 

In addition, Orange is a long-term supporter of the startup ecosystem through the Orange Fab accelerator program designed to support entrepreneurs in the development of innovative products and their distribution locally and internationally.

Gold Partners

Silver Partners

Bronze Partner

HACKING VILLAGE PARTNERS

COMMUNITY & MEDIA PARTNERS