The IoT Village Story
Hackers. Good or evil, they are both feared and revered for their skills, and media has played a big part in depicting them as heroes or villains. The term is often associated with a hooded figure in a dimly lit room, slipping in and out of private networks by punching cryptic commands into a keyboard.
If this representation ever was accurate, it is dated now. No distinctive trait sets a hacker apart. They congregate at security conferences discussing the latest vulnerabilities, exchanging knowledge and contact details, engaging in hacking contests to prove and improve their skills.
At more and more events, their targets are Internet-of-Things devices, a category that is constantly abused by cybercriminals because they’re easy to exploit and are available in large numbers. One initiative that aims to raise awareness of the insecurity of connected systems, and to minimize attacks on them, is IoT Village. It is organized by security research and consulting firm Independent Security Evaluators (ISE).
IoT Village started at the DEF CON hacker conference four years ago, as the router hacking contest SOHOpelessly Broken, which was inspired by previous research of Jacob Holcomb, ISE Principal Security Analyst. The next year it expanded to include all types of connected devices, and ISE scaled it according to the size of the conference hosting the event.
The event is now hosted at security conferences big and small, providing an opportunity for anyone to step into the shoes of an attacker that wants to take over a victim’s smart product. Depending on the space available, the organizer can bring an assortment of gadgets that are common to most homes: network-attached storage systems, webcams, DVRs, smart home hubs, routers, modern appliances (refrigerators, ovens, washing machines), and even toys.
Contestants can engage in multiple hacking games. The Capture the Flag (CTF) model is the most frequent type of competition, as it is suitable for conferences of any sizes; participants score points by going through different levels, from figuring out the type of gadget they’re dealing with to finding its vulnerabilities and exploiting them to gain control.
Sam Levin, Community Specialist at ISE, says all smart systems in the CTF have known vulnerabilities and the player has to reproduce it on their own. He emphasizes the educational side of the competition: “they [participants] can go online and read some research paper or look up some blogs, but the thing is that if you’ve never actually researched an IoT device or an embedded electronic device, this CTF is a great place to learn about that.”
There are no hints from the organizers, but outsiders may get some general directions that would help them find the right path to start on. These are just the basic steps any attacker would take: getting IP addresses, determining the type of device, checking online for known security issues and trying to take advantage of them.
“They have to do their own research. They have to basically be really good at Google and understanding exploit development and reading research studies on a device to figure out how to reproduce it [the exploit],” Levin says.
Unlike other contests, the CTF at IoT Village comes with a twist: the players compete on a real network, so systems may be assaulted by multiple attackers. Weird behavior is common in such cases. Requests to reset devices because they become unusable or unstable can occur, and possibly even revealing a new approach.
“At smaller hacker conferences we mostly just do the capture the flag contests and depending on the size of the conference we change up the event and do more activities,” Levin says, hinting at the 0-day track, another skill-proving ground, which focuses on vulnerabilities that have not been disclosed publicly. In this arena, participants demonstrate their findings to a judge only after proving that the device vendor is in the know.
This, too, is a score-based contest, where researchers find as many vulnerabilities in the devices as they can and are graded for the severity of their developed exploits. The top rewards for the 0-Day Contest is cash that can be used for free entry at the next DEF Con, the most popular hacker conference on the planet. For the last two years, the IoT Village has been awarded a Black Badge to give to the first-place team, which grants free admission to DEF CON for the rest of their lives.
No matter the size of the conference, the IoT Village space exudes a vibe that welcomes participants into another world. At BSidesCharm this year, ISE created a special ambiance for CTF contestants, with lighting, music and wall projections. At RSA Conference, the IoT Village floor attracted quite a crowd.
DEF CON is where IoT Village is in full operation, the contests being just a fraction of the event. ISE has its own space for the village, where they can host IoT-related talks and panel discussions for the duration of the conference, hold workshops centered on smart devices, and bring in larger IoT devices (think robots) that fit into the room.
Although still young, the IoT Village draws significant interest year over year. At smaller conferences like CypherCon and BSides, the event had between 15 and 38 teams competing. At RSA, attendees numbered in the thousands. At DEF CON, the number of teams almost doubled in the past two years, from 56 to about 100. Mind that teams do not have a restriction on the number of members.
“We’re noticing that our attendees are getting more serious. We try to change the devices and add new challenges every year. The contest is getting more notoriety, getting more popular, we’re definitely anticipating, trying to make it more difficult, trying to give people more of a challenge because they’re taking it more seriously,” Levin says.
So hackers have come out of their dens, revealing the technological cracks in devices, spreading awareness and creating the grounds for building sturdy security standards. They’re passionate and keen on what they do, ready to report bugs and work with the vendors on a fix.
Image credit: ISEBitdefender BOX cybercrime IoT Village security conference