Survive Hacking at PHDays. Cyber Threats of a Common Apartment

6/23/2014

Items and devices we use are becoming more and more convenient. Today, we have internet connection in our cars and even in certain kinds of microwaves and fridges. According to Gartner, there will be more than 26 billion intelligent home appliances while the market size will grow to 300 billion dollars by 2020.

However, few people realize that common computers with access to the internet and gadgets that make up the so-called internet of things are vulnerable to attacks. PHDays organizers created a model of a real apartment equipped with various electrical appliances and a smart home system in order to demonstrate the possible consequences of hackers' attacks. Due to an error, all devices of the apartment has gone insane and turned out to be a trial for the owner. Participants of the contest needed to release him.

The smart home appliances are controlled by a controller. The controller regulated lighting and water systems, TV, a vacuum cleaner and other appliances.

When getting inside, anyone should go through an identification process. Height and weight of a person were measured by various sensors. There also was a palm recognition system installed in the system.

After completing the identification process, the system unlocked a control HMI. Contestants could get access to the HMI using a tablet left in the apartment. But a contestant needed to unlock it first. There was a defect in Android's Face Unlock technology: it can be bypassed by bringing the owner's photo to the tablet's camera (there was one on the wall). A participant could also unlock the tablet by beating artificial intelligence at a chess game.

Each task had alternative solving methods that involved detection and exploitation of vulnerabilities in the system. "Undocumented features", which allowed bypassing the logical operation of the devices, originated from the incorrect implementation of interaction in a client-server application. But unfortunately, only a few participants used their hacking skills.

To win, a contestant needed to solve all tasks and to gain control over the smart home system faster than competitors. A participant with the nickname Cryden became the winner with a time of 6 minutes and 3 seconds.

The Survive Hacking contest is the continuation of the last year's Labyrinth competition that took place at Positive Hack Days III. During this competition, participants needed to clear obstacles—rooms with laser field, motion detectors etc.