
Mad House on PHDays: cyber threats of an ordinary apartment

The objects around us are becoming more and more functional. Today the Internet reaches not only cars but also some microwaves and refrigerators, and the analyst firm Gartner forecasts that by 2020 the number of home appliances connected to the Network will exceed 26 billion, with a market volume of 300 billion dollars.


At the same time, few users are aware that the gadgets forming the so-called Internet of Things can, like ordinary computers with Internet access, be attacked by intruders. To demonstrate the possible consequences of such an attack, the organizers of PHDays built a copy of a real apartment, equipped with various electronic devices and a smart home system. According to the competition's backstory, a failure made the house “go crazy” and turned it into a real trap for its owner, whom the participants had to set free.

The heart of the smart home was the controller that managed the household appliances. In the contest's model apartment, this controller could control the lighting, water supply (electric pump), TV, vacuum cleaner and other appliances.

Once in the apartment, the person had to go through identification in order for the smart home system to allow him to control the devices connected to it. The system measured the height and weight of a person. Data was read using a variety of sensors. Also, a special device was installed that recognized the owner by a palm print.

After identification, the system unlocked the HMI interface used to control the electrical appliances. The interface was accessed through a tablet in the apartment, which also had to be unlocked first.


The control interface on the tablet could be reached by exploiting a weakness in Android's Face Unlock technology: it can be “deceived” by holding a photo of the protected device's owner up to the camera, and the owner's photo hung on one of the walls in the apartment. Beating the artificial intelligence at chess could also unlock the tablet.

Each task also had an alternative solution that relied directly on finding and exploiting vulnerabilities in the systems described above. The “undocumented features” that allowed the program logic to be bypassed stemmed from an incorrect implementation of the client-server interaction in the application. Unfortunately, few participants resorted to the hacking skills we had all been waiting for.

To win, a participant had to pass all the tests and gain control over the smart home faster than the competitors.

The winner, with a time of 6 minutes and 3 seconds, was the participant using the pseudonym Cryden.

Mad House at PHDays was a logical continuation of last year’s Labyrinth competition, held at Positive Hack Days III. In that competition, participants had to get through an obstacle course equipped with motion sensors, a laser field and other tests in the shortest possible time.

Source: https://habr.com/ru/post/227245/

