IoT Village takes a practical approach to device hacking: participants can win the gadgets they actually hack into. A wide range of devices, such as routers and webcams, is available to play with during DefCamp. But beware! You will not be the only one trying… let’s see how you handle the pressure! So, if you’d like to discover and test some devices to see how secure they are and which limits you can break, this is a contest you don’t want to miss.
This competition is organised & sponsored by TAD Group & Bitdefender Romania.
Identify vulnerabilities in IoT devices.
Rules of Engagement
- Each attendee/team that takes part in the contest will be given the means to connect to the network, but must bring their own laptop.
- Each participant/team will then proceed to attack the devices announced in the contest using whatever tools or scripts they have at their disposal.
- If the method used has unforeseen results that make the device unavailable to others, make sure you notify the on-site arbitrator (one of the judges). This is considered an accident and no action will be taken against the participant that used that method of attack.
- If any of the participants/teams needs to take a closer look or needs a device reset, please notify the on-site arbitrator (one of the judges). No participant will be allowed to touch the devices at any given time. Participants/teams may attack the devices from the network side only.
- No more than two participants will be allowed at any given time to get close to the devices.
- If the participant finds a vulnerability on any of the devices, please announce it to the on-site arbitrator (one of the judges).
- If the participant exploits a vulnerability on any of the devices, please announce it to the on-site arbitrator (one of the judges).
- In case of a dispute, the on-site arbitrator (one of the judges) will have the final decision after hearing all the parties involved.
- Please note that failure to follow any of the present rules, as well as any disruptive and/or offensive actions towards any of the other participants/teams, will not be tolerated and will result in the disqualification of the participant (and of the team, if the participant is a member of one).
- All vulnerabilities MUST BE REPORTED when found!
- The on-site arbitrator (one of the judges) will come to see the vulnerability in action, but the prize will not be validated until a complete and detailed write-up is submitted to the on-site arbitrators by email.
- Note: prize validation can change from one participant to another depending on the risk of the vulnerability found and reported – but if you’ve got root first, the prize is yours.
Prizes & Targets
- NETGEAR Nighthawk AC1900 Dual Band Wi-Fi Gigabit Router (R7000) with Open Source Support. Compatible with Amazon Echo/Alexa
- Zyxel Armor Z2 AC2600 MU-MIMO Wireless Cable Router
- Synology RT2600ac Wireless Router
2. Network Attached Storage
- Western Digital My Cloud EX2 Ultra, 2 Bays, Gigabit, Dual Core, 1300 MHz, 1 GB DDR3 (Black)
- Qnap TS-251A 2-bay TS-251A personal cloud NAS/DAS with USB direct access
- Synology DS718+ 2-Bay 2GB Black DS718+
- Each NAS will be equipped with (1x) WD Black 1TB Performance Desktop Hard Disk Drive
3. Security Systems
- ANNKE Security Camera System Smart HD 1080P Lite 4+1 Channels DVR Recorder
- Vstarcam C7833-X4 Wireless Remote HD Camera
4. Home appliances
- Bluesmart One – Smart Luggage
- HoneyGuaridan S25 Smart Automatic Pet Feeder (pet or petfood not included)
- Toshiba Smart LED TV, 81 cm
6. Cold Hard Cash
- 50 euros: first blood – must find, report and get validated for more than one vulnerability on any of the devices.
- 50 euros: first multi kill – must find, report and get validated for more than one vulnerability on any 4 different devices.
- 100 euros: first unstoppable – must find, report and get validated for more than one vulnerability on any 9 different devices.
- 100 euros: [email protected] – must find, report and get validated for more than one 0-day vulnerability as well as “g0t r00t” status on any 2 different devices.
- 200 euros: first Godlike – must find, report and get validated for more than one 0-day vulnerability as well as “g0t r00t” status on any 6 of the devices.
Organizers of the 2017 edition
The participants will be under the watchful eyes of the jury composed of:
- Andrei Rusu (Software Architect @ Bitdefender)
- Bogdan Cazacu (Chief Information Officer @ CCSIR)
The helper squad will consist of:
- Diana Olaru (Front-End Developer)
- Bogdan Calarasu (Junior System Administrator)