Crazy House at PHDays: Cyberthreats of an Ordinary Apartment

    The objects around us are becoming more functional and more convenient. Today, Internet connectivity is found not only in cars but also in some microwave ovens and refrigerators, and according to a Gartner forecast, by 2020 the number of household devices connected to the network will exceed 26 billion, with a market volume of 300 billion dollars. However, few users are aware that, like ordinary computers with Internet access, the gadgets that make up the so-called Internet of Things can be attacked by cybercriminals. To demonstrate the possible consequences of such an attack, the organizers of PHDays created a copy of a real apartment equipped with various electronic devices and a smart home system. According to the contest's backstory, a malfunction made the house "go crazy" and turned it into a real trap for its owner, whom the contestants had to set free.

    The heart of the smart home was the controller that managed the household appliances. In the contest's apartment model, this controller could control the lighting, the water supply (an electric pump), the TV, the vacuum cleaner and other devices.

    Once in the apartment, a person had to be identified before the smart home system would allow them to control the devices connected to it. The system measured the person's height and weight, reading the data from a variety of sensors. A dedicated device that recognized the owner by fingerprint was also installed.

    After identification, the system unlocked the HMI used to control the electrical appliances. This interface could be accessed through a tablet in the apartment, which also had to be unlocked first.


    Access to the control interface through the tablet was possible thanks to a weakness in Android's Face Unlock technology. It can be "fooled" by holding a photo of the protected device's owner up to the camera, and the owner's photo just happened to be hanging on one of the walls in the apartment. The tablet could also be unlocked by defeating an artificial intelligence in a game of chess.

    For each of the tasks there was an alternative way of solving it, directly related to finding and exploiting vulnerabilities in the systems described above. The "undocumented features" that made it possible to bypass the program logic stemmed from an incorrect implementation of the client-server interaction in the application. Unfortunately, few contestants resorted to hacking skills, which is what we had all been waiting for.

    To win, a participant had to pass all the tests and gain control of the smart home faster than the competitors.

    The winner, with a time of 6 minutes and 3 seconds, was the participant hiding behind the pseudonym Cryden.

    The Crazy House contest at PHDays was the logical continuation of last year's Labyrinth competition, held at Positive Hack Days III. During that competition, participants had to get through an obstacle course equipped with motion sensors, a laser field and other challenges in the shortest possible time.
