The findings will improve the security level of the devices and technologies offered by the top firms like Microsoft, Cisco, Qihoo 360, Netgear and ASUS, which are used by millions of people every day.
“GeekPwn encourages security geeks to bring fantastic creativity and unlimited possibilities to change the world with their talents and technologies,” said Wang Qi, founder of GeekPwn and CEO of the KEEN Corporation.
Following a responsible vulnerability disclosure policy, vulnerabilities found at GeekPwn will be submitted to the manufacturers to help them improve product safety. The hacking techniques revealed are used to protect the privacy, property and personal safety of customers, as manufacturers pay greater attention to fixing potentially vulnerable aspects of their wares.
Internet-based crime is estimated to cost the global economy USD445 billion a year, double the cost of natural disasters, according to media reports citing figures from the Center for Strategic and International Studies.
During the one-day GeekPwn Macau contest, the first GeekPwn held outside the Chinese mainland, talented security geeks broke through the security constraints of various devices, taking unexpected and unwelcome control of smart home devices, drones, routers and even Microsoft’s Surface Pro.
Extraordinary security geeks, including high-school students and female geeks, competed for prize money of nearly RMB1 million (USD150,000) that was at stake during the contest.
The competitors from Chaitin Technology were awarded RMB420,000 for hacking 10 routers and a Xiaoyi camera, which made them the biggest winner of the contest; the network security team of Tencent PC Manager hacked the Surface Pro and won an RMB150,000 single award and an extra RMB50,000 for Most Difficult Award; Cao Yue’s team demonstrated TCP hijacking technology and won the RMB100,000 single award and extra RMB50,000 for the Most Creative Idea Award.
Remote hijacking via vulnerabilities in the TCP protocol stack
The demonstration by Cao Yue, a doctoral student from the University of California, Riverside, was the most staggering highlight of GeekPwn Macau. Cao used vulnerabilities in the TCP protocol stack of the Linux kernel, regarded as “the basic infrastructure of the Internet”, to demonstrate remote hijacking.
Attackers are able to hijack communication anywhere in the world if they know the IP address of the victims. During the demonstration, a false login page appeared on a news web page and asked victims to input their account and password according to the instructions. After that, the inputted content appeared on Cao’s computer. Unlike commonly reported network crimes (such as Trojans, phishing and fraud), users become victims without making any mistakes.
There are more than 4 billion possible sequence numbers and more than 60 thousand possible port numbers. The unpredictability of their combination is the cornerstone of the TCP protocol’s security.
Cao found a technique able to detect the port number and sequence number of a TCP connection in a short time, which leaves most Android and Linux systems on the Internet vulnerable to attack and hijacking at any time and in any place.
In the early stages of Internet development in the 1990s, Kevin Mitnick gained fame through “session hijacking”, exploiting a vulnerability of the then immature TCP protocols. Given how much the TCP protocol has matured since then, Cao’s discovery of such significant vulnerabilities is a meaningful contribution to information security research worldwide.
Security Risks in Surface and Wi-Fi
The team, which once took the crown at another hacking contest, Pwn2Own, won the Most Difficult Award at GeekPwn Macau by hacking a Surface Pro 4 with real-world advanced persistent threat (APT) attack techniques.
Taking advantage of vulnerabilities in Windows and Adobe Reader, the online security team from Tencent PC Manager could entirely control the Surface Pro. During the GeekPwn Macau demonstration, the “hackers” sent a malicious PDF file to the victim. When the victim opened this PDF file, live video shot on the spot by the Surface camera was uploaded to the “hacker’s” computer.
Winning team Chaitin Tech demonstrated the hacking of 10 routers made by firms including Cisco, Qihoo 360, Netgear and ASUS. After connecting through a vulnerable router, applications downloaded from authorized Android application stores were replaced with malicious programs carrying Trojans.
Chaitin Tech also found that the ASUS router’s vulnerable service is exposed on an external port, which can be attacked remotely by hackers anywhere on the Internet. The number of affected routers was several tens of thousands of units used by many families.
Female hacker and high-school student geeks
The only female hacker at GeekPwn set her targets on smart home appliances. She broke through the CoKon Household Appliance Remote Control and demonstrated hijacking home appliance devices connected to and controlled by an IR remote control.
The youngest attendees at GeekPwn Macau were two 16-year-old high school students, who demonstrated how to hijack drones with a phone. They made the drones take off, land and automatically return without the owner’s commands. The two teenagers won the “Geek Encouragement Award” in the contest for their enthusiasm for hacking.
About the GeekPwn Macau Contest
GeekPwn is organized by KEEN, a Shanghai-based security research team, and is designed to help the world’s leading software and hardware firms discover and fix security vulnerabilities. GeekPwn contests are now held twice a year. The Macau contest was added this year on May 12th, with a more international style and the same level of awards as the GeekPwn Carnival contest, to improve the security awareness and ability of smart device manufacturers globally. GeekPwn will give several annual best awards to extraordinary security geeks.
GeekPwn Macau focuses on six smart device categories: smartphone, smart transportation, wearable device, smart home, smart entertainment and mobile applications.
KEEN is the first Asian team to win prizes in the history of Pwn2Own. It has also won more Pwn2Own prizes than any other Asian team. To date, hundreds of KEEN’s security findings have been applied to every Windows PC, every Apple device and every Android device.
To view the original version on PR Newswire, visit: http://www.prnewswire.com/news-releases/winners-of-geekpwn-hacking-contest-pocket-over-usd150000-in-prize-money-300271470.html