Hack2Win 2016 – a CodeBlue Conference Event

Hi everyone,
This year again, our Code Blue event will let you win prizes and show your skills in hacking network based devices.
We have selected 9 devices so far for you to try and hack.
We looked wide and far for different devices, all around the 200$ USD range, so that they won’t be expensive for you to buy and try out before the event

The devices are:

  1. Ubiquiti Networks EdgeMAX EdgeRouter X ER-X
  2. TP-LINK TL-WR740N
  3. ヒューレット・パッカード ProCurve Switch 1700-8 J9079A#ACF
  4. NUUO NVRmini 2 – Standalone DVR – 2 x 2 TB – networked
  5. Cisco Systems(Small Business) SG300-10MPP-K9-JP 10-port Gigabit Max PoE+ Managed Switch
  6. UPPEL 720p HD Wireless IP Cameras Remote Hidden Surveillance Wifi P2P Home security Spy Web Cam with 2-way Audio IR Day/Night Vision Motion Detection for Android IOS System
  7. Ugreen HDMI 延長器 HDMI エクステンダー 120mまで延長 HDCP対応 3D 1080P支持 Cat5e/6/7 ルーター利用でマルチ画面可能 ACアダプタ付 送信受信セット
  8. StarTech.com 10/100/1000 Mbps Gigabit 1 Port USB over IP Device Server (USB1000IP)
  9. Home NetWerks 43802-PB WiFi Enabled Key Pad Door Lock with Lever Handle, Polished Brass Finish by Homewerks Worldwide

The names above appear as they are listed on Amazon – in order to make it easier for you to get one – and will be hopefully distinctive enough for you to match it in your local shop.
The goal of the event is to find who is able to gain the highest privileges on any of these devices.
The event will be divided into two days: on the first day, 1 hour will be given to anyone that registers to the contest. On the second day, it will be a “free for all” for anyone that wants to try his or her skills, everyone will be given “simultaneous” access.
Prizes
The prizes for the first day event will be, 8,000$ USD, 4,000$ USD and 2,000$ USD. The prizes for the second day event will be, 3,000$ USD, 2,000$ USD and 1,000$ USD.
The first, second and third prizes for each day, will be given to one person (or group) for hacking any of the above devices that was not previously hacked. If a person (or group) is able to hack a device, it will be removed from the available targets list.
Judging Criteria
The decision whether someone wins first, second or third place will be based upon the following:

  • Complexity of attack – what was required to achieve the access
  • Innovative method – XSS, SQLi, RCE, from least to most innovative
  • Whether Attack affects the LAN or WAN – more points if it affects the WAN
  • What is achieved by the attack – no access is given to the challengers, so they would need to reach from no-access to some access – therefore a guest access would be considered less valuable than root
  • Write-up Quality – the best write up (in English), most detailed, best explanation, etc

Device Settings
All the devices will be factory reset – i.e. default settings, and the only non-default setting would be the password for the ‘admin’ (or equivalent) account as documented in the product’s user guide, and the WiFi password (if applicable).
Device Access
The devices will be accessible to participants via the WAN Ethernet interface, or WiFi access.
What counts as ‘hacked’
A device would be considered ‘hacked’ if the participant can prove they:

  • Gained access to the device’s post-authentication admin web interface (remember – you will not be given any credentials)
  • Changed some configuration value, like WiFi password (note: We will not be giving any award for changing the IP address of the device)
  • Made the device do something it’s not supposed to do: like execute code, open a port/service which was previously closed (like SSH, telnet, etc)
  • Did something else that would be innovative and unexpected. Be creative! For example: get images from the Camera without actually hacking it

What we won’t count as a ‘hacked’

  • Causing a malfunction to the device, DoS, making it unresponsive, making it no longer boot, etc – we will immediate disqualify a participant if we feel this is being done intentionally
  • Physically opening of device, connecting to the device in any means other than what we allowed the participant to use (Ethernet or WiFi)
  • Usage of any known method of hacking – known methods including anything that we can use Google/Bing/etc to locate – this includes: documented default password (that cannot be changed), known vulnerabilities/security holes (found via Google, exploit-db, etc)
  • Anything we at Beyond Security would consider as being unfair – like doing Social Engineering on Beyond Security staff or personnel, hacking a device that is not the target and using that as means of gaining access to the device, etc

Eligibility
The contest is open to anyone who is at the legal age to receive a contest prize in your country, if you are not allowed to receive prizes – and please make sure to check this before participating – you may want to team up with a person that is at the legal age to receive prizes.
The contest is not allowed to anyone working for any of the above companies whose device participates in, or are involved in development of any of the above devices.
Announcing the winners
We will announce all the winners (for first and second day) at the end of the second day. We plan stop the hacking event 2-3hrs before the end of the second day – so that we can prepare. Please don’t wait until the last minute!
What will happen during the contest
A. On the first day, each participant will have 1 hour with the device of his choice
B. Once a device is ‘hacked’, the participant wanting to collect the prize, would need to show, explain and technically describe what he did, both orally (talk) in English as well as provide a written document (at least 500 words) in English – we may accept it in Japanese if we find someone that can help with the translation on site – but that is not guaranteed, so please prepare for the possibility it will need to be in English.
C. The information provided will be given to the 3 judges
D. If the judges believe that the device has been ‘hacked’, we will make that device no longer available for hacking anymore to any additional participants – and we will examine the device. If we later discover that the ‘hack’ was somehow flawed, we will make the device once again available – after factory resetting it back to the previous settings to remove anything left by the previous participant
E. At the end of the first day we will go over all the participant’s handed material and decide which one is the best, second best, third best (see Judging Criteria)
F. If there are not enough participants on the first day, whose provided material is worthy of a prize we will transfer the winning prizes amount from the first day to the second day
G. Devices hacked during day 1 will not be available during day 2
Registration
Only the first day of the event will require you to register, either “on site” or before via email – this will allow us to give you a dedicated time slot with the device or devices of your choice. The second day will be a “free for all” type of event, anyone can hook up their laptop to the “network”. To register for the first day event, please send an email to ssd[@]beyondsecurity.com (remove the [ ] to allow the email to arrive correctly).