IoT Village

Overview

IOT Village is designed to have a practical approach towards device hacking allowing the participants to win the gadgets they actually hack into. There is a wide range of devices like routers, webcams etc. available to be played with during DefCamp.

But beware! You will not be the only one trying…let’s see how you can handle the pressure!

So, if you’d like to discover and test some devices in order to see how secure they are and what are the limits you can break, this is going to be a contest you don’t want to miss.

Be sure to pre-register for the IoT Village to reserve your spot and make the most of it! Just use the Registration button to your right and fill in the details.

Goal

Goal of the Competition

/ Identify and responsibly report vulnerabilities in IoT devices.

Rules

Rules of Engagement

/ This competition is part of DefCamp’s Hacking Village 2021 activity series. You need to have a valid DefCamp ticket!

/ Each attendee/team that takes part in the contest will be given the means to connect to the network but personal laptop is needed.

/ Each participant/team will then proceed to attack the devices announced in the contest using whatever tools or scripts they have at their disposal.

/ If the method used has unforeseen results thus making the device unavailable to others, make sure you announce the on-site arbitrator (one of the judges).

/ This is considered an accident and no action will be taken against the participant that used that method of attack.

/ If any of the participants/team needs to take a closer look or needs a reset device, please announce the on-site arbitrator (one of the judges).

/ No participant will be allowed to touch the devices at any given time. The only allowed way for the participants/teams to attack the devices is from the network side only.

/ No more than two participants will be allowed at any given time to get close to the devices.

/ If the participant finds a vulnerability on any of the devices, please announce it to the on-site arbitrator (one of the judges).

/ If the participant exploits a vulnerability on any of the devices, please announce it to the on-site arbitrator (one of the judges).

/ In case of a dispute, the on-site arbitrator (one of the judges) will have the final decision after hearing all the parties involved.

/ Please note that if any of the present rules are not followed as well as any disruptive and/or offensive actions towards any of the other participants/teams will not be tolerated and will result in the disqualification of the participant (and team if member of a team).

/ All vulnerabilities MUST BE REPORTED when found!

/ The on-site arbitrator (one of the judges) will move to see the vulnerability in action but the prize will not be validated until a complete and detailed write-up is submitted to the on-site arbitrators by email.

/ Destroying or bricking any of the devices is strictly forbidden. If you are unsure if your action is allowed, ask the organisers

/ It’s not allowed to change credentials of any device or change wifi settings for the routers / switches provided by the organisers

Terms & Condition of this competition are available here.

Scoring

Owning* one of the devices will automatically eliminate the device from the competition and you will receive the device as a prize and a significant number of points in the general score.

Technical Severity	Points
P0 Owned device	2,000
P1 Critical	300 – 500
P2 Severe	150 – 300
P3 Moderate	100
P4 Low	10

Note:

*A device is considered owned if you prove to the on-site arbitrator (one of the judges) the exploitation in action which gains you full privileges on the system (without any 3rd party interaction and in less than 15 minutes) by using a set of vulnerabilities which were not publicly known and also you shared a detailed report which can allow the arbitror to reproduce the finding
P5 submissions are not rewarded. Taxonomy is based on https://bugcrowd.com/vulnerability-rating-taxonomy
Rewards are offered on a First Come First Served (FCFS) basis (if duplicates are found).
Known vulnerabilities are out of scope
Any default credentials for different protocols (such as www, telnet etc) are out of scope for Owning the system but can bring points within P1-P4 severity levels
The vulnerabilities used in the process of Owning the device will not be scored individually, unless the player proves the total value of the bugs taken individually is larger than the score for owning the device
If the device is not owned you can still receive it as a prize if you have the highest number of points scored within P1 and P4.

Out of scope

The following kinds of findings are specifically non-rewardable within this program:

Brute-Forcing passwords and account lockout not enforced
Self XSS
Information disclosure of non-confidential information – Any non sensitive information leakage, or descriptive error messages (e.g. stack traces, application or server error messages), without further exploitation
Fingerprinting / banner disclosure on common/public services along with any disclosure of known public files or directories, (e.g. robots.txt or .htaccess downloadable file without a security impact)
Out of date software versions and any vulnerability due to the version numbering CVE
Content Spoofing
Vulnerabilities that are limited to unsupported browsers will not be accepted. Exploit must work in Chrome, Firefox, Safari and other popular non-IE browsers
Clickjacking or issues exploitable through clickjacking that do not pose a security threat and cannot be used to exfiltrate data
Lack of HTTP flags
Non-session related cookies. For example Secure and HTTPOnly cookie flags on Non-Session Cookies
Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
Lack of CAPTCHA or other bot preventing shields during registration and login
Sessions not expiring after email change
Vulnerabilities that require extensive or obtuse social engineering. For example, a user typing an XSS in to an input field and then submitting the form to trigger a non-persistent XSS
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
CSRF on forms that are available to the public
Copy pasting using services like ‘pastebin’ etc. for data exfiltration
Default credentials for any service available on the system
Known vulnerabilities with(out) CVEs on the system
Accepted features, for eg. we don’t consider Code Execution a function of a device that allows you to execute shell commands

How to submit a vulnerability

IoT Village by DefCamp will rely on the Bugcrowd Vulnerability Rating Taxonomy for prioritization of findings, but the vulnerability can either be downgraded or upgraded depending on the impact and the underlying risk it poses to the targeted device. IoT Village points will then be awarded accordingly. Any downgraded submission will come with a full and detailed explanation.

Submission form is available here.

Reproducibility

Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.

Questions

IoT Village by DefCamp is committed to helping you succeed on this program. If you feel you need more information that may have been omitted here, we would be happy to provide it to you if it’s in the scope. Also if something is unclear or you have any other questions regarding this bug bounty please come at our booth in Hacking Village.

Prizes

The following prizes will be awarded based on the total points obtained.

/ Devices showcased in Hacking Village, if nobody won them but you hit best scores

Terms and conditions are available here.

Targets

My Smart Home Hub
Mi Smart Light Detection Sensor
My Smart Motion Sensor
Amazon Echo Dot 4 smart speaker, Alexa Voice Control, Wi-Fi, Bluetooth, Alb
Linksys WRT32X, AC3200, Gaming Wireless Router
Smart Wi-Fi Bulb TP-Link Tapo L530E, Multicolor, 2.4GHz Wi-Fi, 806 Lumens, E27, Preset as Needed, Program and Timer, Sunrise / Sunset Mode, Voice Control, Remote Control, Away Mode
Xiaomi Mi Smart LED light bulb, Wi-Fi, E27, 8W, 810 lm, warm white light
Smart TP-Link Tapo C100 Surveillance Camera with Night Vision, Full HD 1080P, Baby Monitor Wireless Audio Video Function, Motion Detection, Sound and Light Alarm, Two-Way Audio, Privacy Mode, Local Storage, IP Wi-Fi, White
Wireless Wi-Fi Router 6 TP-Link Archer AX20, Dual-Band Gigabit AX1800, 1.8 Gbps, with OFDMA, 1.5GHz Quad-Core processor, Beamforming, Target Wake Time, WPA3, Airtime Fairness, OpenVPN, Parental Control and USB 2.0
Asus RT-AX58U Wi-Fi Router, AX3000, Dual Band, AiMesh, MU-MIMO, Wifi 6
Baby Monitor with Artificial Intelligence EbitCam ™ E3-X, 4.0 MP, HD 2624 * 1512, Wireless, IP, Face Detection, Sound Detection, Smart Tracking, ALEXA Voice Function, Auto Rotate, Motion Sensor, Push to Talk, Night vision, Alarm , White

HACKING VILLAGE

Other Competitions

Lock Picking Village

Break a combination lock of beginner/average difficulty and get a lock picking set.

DefCamp Capture the Flag (D-CTF) 2022

DefCamp Capture The Flag ( D-CTF) is the most shattering and rebellious security CTF competition in the ..

Ariadne’s Thread 5.0

You may think that you don’t have what it takes to work in cyber-security, you may not have seen the job ads..

Sponsors & Partners

They help us make this conference possible.

POWERED BY

At Orange Business Services, we help our customers transform their industries, reimagine their services, create a positive impact and unleash the power of their data into an amazing and trusted resource.

With the dual expertise as a global operator coupled with the agility of an end-to-end integrator, Orange Business Services is a global network-native, digital services company. From connectivity, smart mobility services and the cloud to artificial intelligence (AI), analytics and cybersecurity, Orange Business Services helps businesses at every stage of their data management. Orange Business Services is represented in Romania by the business division of Orange Romania and helps large companies, SMEs and public authorities to transform their organizations through the use of technology and digital information.