Null Your Warranty Village was created with a hands-on approach to hardware hacking in mind, enabling participants to find vulnerabilities and learn hardware hacking in order to win fantastic prizes. There are two types of gadgets: “black box” devices that give you points for each vulnerability you identify and enable you to win beautiful rewards, and devices that are offered for educational purposes but have many flaws and many web resources that are accessible to everyone.
You should be familiar with some programming language and electronics, and willing to learn new things. The competition is graded as a Beginner friendly activity but also has some very advanced topics.
Goal
Goal of the Competition
/ Identify and report vulnerabilities having a grasp of hardware hacking perspective.
/ You will learn how to recognize the parts of the motherboard and the typical debug serial ports that can be used to access a variety of devices.
/ You will learn how to make use of the available tools to exploit those debug ports in order to uncover vulnerabilities, gain access to the firmware, and maybe launch a shell on the target devices.
Rules
/ Each attendee/team that takes part in the contest will be given the means to connect to the network but the personal laptop is needed.
/ THE PROVIDED TOOLS AND DEVICES MUST REMAIN INSIDE THE CONTEST AREA ALL THE TIME.
/ Each participant/team will then proceed to attack the devices announced in the contest using whatever tools or scripts they have at their disposal.
/ If the method used has unforeseen results thus making the device unavailable to others, make sure you announce the on-site arbitrator (one of the judges).
/ This is considered an accident and no action will be taken against the participant that used that method of attack.
/ If the participant finds a vulnerability on any of the devices, please announce it to the on-site arbitrator (one of the judges).
/ If the participant exploits a vulnerability on any of the devices, please announce it to the on-site arbitrator (one of the judges).
/ In case of a dispute, the on-site arbitrator (one of the judges) will have the final decision after hearing all the parties involved.
/ Please note that if any of the present rules are not followed as well as any disruptive and/or offensive actions towards any of the other participants/teams will not be tolerated and will result in the disqualification of the participant (and team if member of a team).
/ All vulnerabilities MUST BE REPORTED when found!
/ The on-site arbitrator (one of the judges) will move to see the vulnerability in action but the prize will not be validated until a complete and detailed write-up is submitted to the on-site arbitrators by email.
/ Destroying or bricking any of the devices is strictly forbidden. If you are unsure if your action is allowed, ask the organizers
/ Terms & Conditions are here.
SCORE
Scoring:
Technical Severity Points
- P1 Critical 300 – 500
- P2 Severe 150 – 300
- P3 Moderate 100
- P4 Low 10
Note:
Points will be offered by the arbitrator based on https://bugcrowd.com/vulnerability-rating-taxonomy.
Known vulnerabilities are out of scope.
Gaining more points will raise your ranking and put you closer to winning prizes.
P5 submissions are not rewarded.
FOR FUN
/ Players who just want to experiment, will have all the tools in order to replicate several investigations:
- https://www.riverloopsecurity.com/blog/2020/02/hw-101-spi/
- https://www.riverloopsecurity.com/blog/2020/01/hw-101-uart/
- https://www.riverloopsecurity.com/blog/2021/05/hw-101-jtag-part2/
- https://resources.infosecinstitute.com/topic/hardware-hacking-iot-devices-offensive-iot-exploitation/
- https://openwrt.org/toh/tp-link/tl-wr703n