IoT Village is designed to have a practical approach towards device hacking, allowing the participants to win the gadgets they actually hack into. There is a wide range of devices (routers, webcams, etc.) available to be played with during DefCamp.
But beware! You will not be the only one trying …let’s see how you can handle the pressure!
So, if you’d like to discover and test some devices in order to see how secure they are and what limits you can break, this is a contest you don’t want to miss.
Be sure to pre-register for the IoT Village to reserve your spot and make the most of it! Just use the Registration button to your right and fill in the details.
Goal of the Competition
/ Identify and responsibly report vulnerabilities in IoT devices.
/ Each attendee/team that takes part in the contest will be given the means to connect to the network, but you need to bring your own laptop.
/ Each participant/team will then proceed to attack the devices announced in the contest using whatever tools or scripts they have at their disposal.
/ If the method used has unforeseen results, making the device unavailable to others, make sure you inform the on-site arbitrator (one of the judges).
/ This is considered an accident and no action will be taken against the participant that used that method of attack.
/ If any of the participants/teams needs to take a closer look at a device or needs a device reset, please inform the on-site arbitrator (one of the judges).
/ No participant will be allowed to touch the devices at any given time. The only allowed way for participants/teams to attack the devices is from the network side.
/ No more than two participants will be allowed at any given time to get close to the devices.
/ If a participant finds a vulnerability on any of the devices, please report it to the on-site arbitrator (one of the judges).
/ If a participant exploits a vulnerability on any of the devices, please report it to the on-site arbitrator (one of the judges).
/ In case of a dispute, the on-site arbitrator (one of the judges) will have the final decision after hearing all the parties involved.
/ Please note that failure to follow any of the present rules, as well as any disruptive and/or offensive actions towards other participants/teams, will not be tolerated and will result in the disqualification of the participant (and of the team, if the participant is a team member).
/ All vulnerabilities MUST BE REPORTED when found!
/ The on-site arbitrator (one of the judges) will come to see the vulnerability in action, but the prize will not be validated until a complete and detailed write-up is submitted to the on-site arbitrators by email.
/ Destroying or bricking any of the devices is strictly forbidden. If you are unsure whether your action is allowed, ask the organisers.
/ It is not allowed to change the credentials of any device or to change the Wi-Fi settings of the routers/switches provided by the organisers.
Terms & Conditions of this competition are available here.
Owning* one of the devices will automatically eliminate the device from the competition and you will receive the device as a prize and a significant number of points in the general score.
| Severity | Points |
|---|---|
| P0 Owned device | 2,000 |
| P1 Critical | 300 – 500 |
| P2 Severe | 150 – 300 |
- *A device is considered owned if you demonstrate the exploitation in action to the on-site arbitrator (one of the judges), gaining full privileges on the system (without any 3rd-party interaction and in less than 15 minutes) by using a set of vulnerabilities that were not publicly known, and you also share a detailed report that allows the arbitrator to reproduce the finding.
- P5 submissions are not rewarded. Taxonomy is based on https://bugcrowd.com/vulnerability-rating-taxonomy
- Rewards are offered on a First Come First Served (FCFS) basis (if duplicates are found).
- Known vulnerabilities are out of scope
- Any default credentials for different protocols (such as www, telnet, etc.) are out of scope for owning the system, but can bring points within the P1-P4 severity levels.
- The vulnerabilities used in the process of owning the device will not be scored individually, unless the player proves that the total value of the bugs taken individually is larger than the score for owning the device.
Out of scope
The following kinds of findings are specifically non-rewardable within this program:
- Brute-Forcing passwords and account lockout not enforced
- Self XSS
- Information disclosure of non-confidential information – any non-sensitive information leakage, or descriptive error messages (e.g. stack traces, application or server error messages), without further exploitation
- Fingerprinting / banner disclosure on common/public services, along with any disclosure of known public files or directories (e.g. a downloadable robots.txt or .htaccess file without a security impact)
- Out-of-date software versions, and any vulnerability claimed solely on the basis of a version number matching a CVE
- Content Spoofing
- Vulnerabilities that are limited to unsupported browsers will not be accepted. The exploit must work in Chrome, Firefox, Safari and other popular non-IE browsers
- Clickjacking or issues exploitable through clickjacking that do not pose a security threat and cannot be used to exfiltrate data
- Lack of HTTP security headers/flags
- Non-session-related cookies, for example missing Secure and HttpOnly cookie flags on non-session cookies
- Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
- Lack of CAPTCHA or other bot preventing shields during registration and login
- Sessions not expiring after email change
- Vulnerabilities that require extensive or obtuse social engineering. For example, a user typing an XSS payload into an input field and then submitting the form to trigger a non-persistent XSS
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- CSRF on forms that are available to the public
- Copy-pasting using services like ‘pastebin’ etc. for data exfiltration
- Default credentials for any service available on the system
- Known vulnerabilities with(out) CVEs on the system
- Accepted features; e.g. we don’t consider it Code Execution when a device function by design allows you to execute shell commands
How to submit a vulnerability
IoT Village by DefCamp will rely on the Bugcrowd Vulnerability Rating Taxonomy for prioritisation of findings, but a vulnerability can be either downgraded or upgraded depending on its impact and the underlying risk it poses to the targeted device. IoT Village points will then be awarded accordingly. Any downgraded submission will come with a full and detailed explanation.
The submission form is available here.
Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.
IoT Village by DefCamp is committed to helping you succeed in this program. If you feel you need information that may have been omitted here, we would be happy to provide it if it is in scope. Also, if something is unclear or you have any other questions regarding this bug bounty, please come to our booth in the Hacking Village.
The following prizes will be awarded based on the total points obtained.
/ HackRF One Software Defined Radio (SDR), ANT500 & SMA Antenna Adapter
/ Bundle: Yard Stick One USB Transceiver & 915MHz antenna
/ Ubertooth One
/ WiFi Pineapple Nano
/ 3 x wireless router
/ 2 x wifi smart power socket
/ 1 x wireless photo printer
/ 1 x wireless printer
/ 2 x wireless baby monitor
/ 1 x baby smartwatch with GPS, Wi-Fi & SIM
/ 1 x wireless/smart radiator
/ 1 x HDMI Streaming player
/ 3 x wireless surveillance camera
/ 1 x wireless support towels with hidden spy camera
/ 1 x wireless smart doorbell
Sponsors & Partners
They help us make this conference possible.
Orange “brings you closer to what matters to you”.
This is our brand promise: to bring our clients closer to what’s essential to them and to keep them always connected and in touch with the latest technologies, by offering them the best and safest communication experience.