IoT Village

IoT Village is designed to take a practical approach to device hacking, allowing participants to win the gadgets they actually hack into. A wide range of devices, such as routers, webcams, etc., is available to be played with during DefCamp.

But beware! You will not be the only one trying…let’s see how you can handle the pressure!

So, if you’d like to discover and test some devices in order to see how secure they are and what limits you can break, this is a contest you don’t want to miss.

Be sure to pre-register for the IoT Village to reserve your spot and make the most of it! Just use the Registration button to your right and fill in the details.

Goal of the Competition

Identify and responsibly report vulnerabilities in IoT devices.

Rules of Engagement

This competition is part of DefCamp’s Hacking Village 2021 activity series. You need to have a valid DefCamp ticket.

/ Each attendee/team that takes part in the contest will be given the means to connect to the network, but a personal laptop is needed.

/ Each participant/team will then proceed to attack the devices announced in the contest using whatever tools or scripts they have at their disposal.

/ If the method used has unforeseen results that make the device unavailable to others, make sure you notify the on-site arbitrator (one of the judges).

/ This is considered an accident and no action will be taken against the participant that used that method of attack.

/ If any participant/team needs to take a closer look or needs a device reset, please notify the on-site arbitrator (one of the judges).

/ No participant will be allowed to touch the devices at any given time. Participants/teams are allowed to attack the devices from the network side only.

/ No more than two participants will be allowed at any given time to get close to the devices.

/ If the participant finds a vulnerability on any of the devices, please announce it to the on-site arbitrator (one of the judges).

/ If the participant exploits a vulnerability on any of the devices, please announce it to the on-site arbitrator (one of the judges).

/ In case of a dispute, the on-site arbitrator (one of the judges) will have the final decision after hearing all the parties involved.

/ Please note that failure to follow any of the present rules, as well as any disruptive and/or offensive actions towards any of the other participants/teams, will not be tolerated and will result in the disqualification of the participant (and of the team, if the participant is a member of one).

/ All vulnerabilities MUST BE REPORTED when found!

/ The on-site arbitrator (one of the judges) will move to see the vulnerability in action but the prize will not be validated until a complete and detailed write-up is submitted to the on-site arbitrators by email.

/ Destroying or bricking any of the devices is strictly forbidden. If you are unsure whether your action is allowed, ask the organisers.

/ It’s not allowed to change the credentials of any device or to change the Wi-Fi settings of the routers / switches provided by the organisers.

Terms & Conditions of this competition are available here.

Scoring

Owning* one of the devices will automatically eliminate the device from the competition and you will receive the device as a prize and a significant number of points in the general score.

| Technical Severity | Points    |
|--------------------|-----------|
| P0  Owned device   | 2,000     |
| P1  Critical       | 300 – 500 |
| P2  Severe         | 150 – 300 |
| P3  Moderate       | 100       |
| P4  Low            | 10        |

Note:

  • *A device is considered owned if you demonstrate to the on-site arbitrator (one of the judges) the exploitation in action, gaining full privileges on the system (without any 3rd party interaction and in less than 15 minutes) by using a set of vulnerabilities which were not publicly known, and you have also shared a detailed report which allows the arbitrator to reproduce the finding.
  • P5 submissions are not rewarded. Taxonomy is based on https://bugcrowd.com/vulnerability-rating-taxonomy
  • Rewards are offered on a First Come First Served (FCFS) basis (if duplicates are found).
  • Known vulnerabilities are out of scope
  • Any default credentials for different protocols (such as www, telnet etc) are out of scope for Owning the system but can bring points within P1-P4 severity levels
  • The vulnerabilities used in the process of Owning the device will not be scored individually, unless the player proves the total value of the bugs taken individually is larger than the score for owning the device
  • If the device is not owned, you can still receive it as a prize if you have the highest number of points scored within P1 and P4.

Out of scope

The following kinds of findings are specifically non-rewardable within this program:

  • Brute-Forcing passwords and account lockout not enforced
  • Self XSS
  • Information disclosure of non-confidential information – Any non sensitive information leakage, or descriptive error messages (e.g. stack traces, application or server error messages), without further exploitation
  • Fingerprinting / banner disclosure on common/public services along with any disclosure of known public files or directories, (e.g. robots.txt or .htaccess downloadable file without a security impact)
  • Out of date software versions and any vulnerability due to the version numbering CVE
  • Content Spoofing
  • Vulnerabilities that are limited to unsupported browsers will not be accepted. Exploit must work in Chrome, Firefox, Safari and other popular non-IE browsers
  • Clickjacking or issues exploitable through clickjacking that do not pose a security threat and cannot be used to exfiltrate data
  • Lack of HTTP flags 
  • Non-session related cookies. For example, Secure and HttpOnly cookie flags on non-session cookies
  • Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
  • Lack of CAPTCHA or other bot preventing shields during registration and login
  • Sessions not expiring after email change
  • Vulnerabilities that require extensive or obtuse social engineering. For example, a user typing an XSS into an input field and then submitting the form to trigger a non-persistent XSS
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • CSRF on forms that are available to the public 
  • Copy pasting using services like ‘pastebin’ etc. for data exfiltration
  • Default credentials for any service available on the system
  • Known vulnerabilities with(out) CVEs on the system
  • Accepted features, e.g. we don’t consider Code Execution a function of a device that allows you to execute shell commands

How to submit a vulnerability

IoT Village by DefCamp will rely on the Bugcrowd Vulnerability Rating Taxonomy for prioritization of findings, but the vulnerability can either be downgraded or upgraded depending on the impact and the underlying risk it poses to the targeted device. IoT Village points will then be awarded accordingly. Any downgraded submission will come with a full and detailed explanation.

Submission form is available here.

Reproducibility

Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.

Questions

IoT Village by DefCamp is committed to helping you succeed on this program. If you feel you need more information that may have been omitted here, we would be happy to provide it to you if it’s in scope. Also, if something is unclear or you have any other questions regarding this bug bounty, please come to our booth in Hacking Village.

Prizes

The following prizes will be awarded based on the total points obtained.

/ Devices showcased in Hacking Village, if nobody won them but you achieved the best scores

Terms and conditions are available here.

Targets

  • My Smart Home Hub
  • Mi Smart Light Detection Sensor
  • My Smart Motion Sensor
  • Amazon Echo Dot 4 smart speaker, Alexa Voice Control, Wi-Fi, Bluetooth, White
  • Linksys WRT32X, AC3200, Gaming Wireless Router
  • Smart Wi-Fi Bulb TP-Link Tapo L530E, Multicolor, 2.4GHz Wi-Fi, 806 Lumens, E27, Preset as Needed, Program and Timer, Sunrise / Sunset Mode, Voice Control, Remote Control, Away Mode
  • Xiaomi Mi Smart LED light bulb, Wi-Fi, E27, 8W, 810 lm, warm white light
  • Smart TP-Link Tapo C100 Surveillance Camera with Night Vision, Full HD 1080P, Baby Monitor Wireless Audio Video Function, Motion Detection, Sound and Light Alarm, Two-Way Audio, Privacy Mode, Local Storage, IP Wi-Fi, White
  • Wireless Wi-Fi Router 6 TP-Link Archer AX20, Dual-Band Gigabit AX1800, 1.8 Gbps, with OFDMA, 1.5GHz Quad-Core processor, Beamforming, Target Wake Time, WPA3, Airtime Fairness, OpenVPN, Parental Control and USB 2.0
  • Asus RT-AX58U Wi-Fi Router, AX3000, Dual Band, AiMesh, MU-MIMO, Wifi 6
  • Baby Monitor with Artificial Intelligence EbitCam™ E3-X, 4.0 MP, HD 2624 * 1512, Wireless, IP, Face Detection, Sound Detection, Smart Tracking, ALEXA Voice Function, Auto Rotate, Motion Sensor, Push to Talk, Night vision, Alarm, White