GeekPwn 2018 International Cybersecurity and AI Contest

Special Challenges

PWN Everything

PWN For Fun

GeekPwn Special Challenges include CAAD Competition on Adversarial Attacks and Defenses (Las Vegas), Robot Agent Challenge (Las Vegas/Shanghai), Hacker Room Challenge (Shanghai) and AI Data Tracker (Shanghai). These competitions cover many fields like Machine Learning, Mechanic, Security, etc. We welcome participants from different fields to fulfill those tough tasks.

Adversarial
A&D

AI Data
Tracking

Hacker
Room

Robot
Agent

Prize

CAAD (Competition on Adversarial Attacks and Defenses), total prize $100,000 USD

Description

CAAD (Competition on Adversarial Attacks and Defenses) is organized by GeekPwn committee, Alexey Kurakin, Ian Goodfellow from Google Brain and Professor Dawn Song from UC Berkeley EECS. The competition will open in May. It's purpose is to accelerate research on adversarial examples therefore make AI more secure.

This year, CAAD is focusing on image recognition, which consists of three sub-competitions as below. Participants can select any one to three of them to join. The 3 sub-competitions are: Non-targeted Adversarial Attack, Targeted Adversarial Attack, Defense Against Adversarial Attack

Schedule

Registration Time:May 10th - Aug 31st, 2018

CAAD CTF Invitational will be held at the GeekPwn(Shanghai) on Oct 24th, similar to the one in Las Vegas but rules will have some changes. Please check rules at:CAAD CTF Rules, version 1.0 If you are interested in it, please send email to us at caad@geekcon.top before Sept 30th, please also introduce what you did in the area of Adversarial Examples in the email. Judges will decide the invitation list.

*More details please check CAAD official website (caad.geekpwn.org)

Prize

Hacker Room Challenge, maximum Prize for winning team: $140,000 USD

Description

The organizer has built a cyber environment consisting of smart devices. The constants can freely design an access scheme based on the given list of target devices (target device list (version 1.0)). The qualified contestants will attend the online contest session according to the order automatically decided by the preset formula. They will be required to complete the chained hacking tasks within the specified time.

The contestants can choose between the following three attack conditions:
    1. External network conditions: the contestant only has the network access to the WAN port of the target network, that is, simulating the attack conditions in which the attacker hacks into from the Internet directly into the home network.
    2. Intranet mobile phone: the contestant is allowed to install an APP of their own into the mobile phone inside the target network.
    3. Intranet computer: the contestant has full control of the computer inside the target network.

Example: Scene and attack chain

Compromise the laptop by exploiting the vulnerabilities of the browser, get control of the cell phone connected to the laptop, and then control the smart bulb.
By compromising the webcam, observe sensitive and confidential credit card information located on the tea table in the living room to realize credit card fraud.
Compromise the router to hack into sweeping robot and take photos of the owner sleeping.
Control the Bluetooth speaker and play the horror sound effect.
Control the Bluetooth speaker and send voice commands to another smart speaker.
After hacking into the intranet, project the horror video to the TV through DLNA.
Control the gateway of smart door lock and open the lock remotely.
Control the coffee machine to spill out in high temperature.
Hack into the printer, get shell, implant Trojan horse, make it a jump server to attack others, modify the content of printing.
Control the sweeper robot to knock over the objects in the scene and cause losses.
Compromise the TV, control the camera on the TV, and take pictures or videos.

The principle of evaluation

1. The GeekPwn judge panel will score and screen according to the registration information provided by the contestant, regarding the brand popularity, harm of the vulnerability, the technical difficulty, the demo effect, the length of the attack chain and so on.
2. Duplicate vulnerability judgment: the judge panel decides whether the vulnerability is duplicated according to the vulnerability details that the contestant submitted. In case of duplication, the first contestant who successfully exploited the vulnerability gets the scores and prize.
3. In order to achieve a complete attack chain, contestants can use non-0day vulnerabilities, but they are not taken into account in the prize.
4. The contestants cannot repeatedly submit registrations with the same combination of vulnerabilities or entrust others to repeat the registration. The organizer will monitor the repeated registrations of this kind. Once found, the contestants’ qualification of the competition will be canceled.
5. If the contestant fails to complete the attack in the online stage, the contestant will not be required to submit the vulnerability details to the organizer, and the organizer will clear any records in the online environment. The sponsor will not preserve any information in this project or send it to any third party.
6. In the case of finding some specific vulnerabilities, score and prize of the project can be promoted through the following ways:
    A. Reduce attack conditions.
    B. Combine a longer attack chain. The attack chain includes two aspects, the technology and the scene chain in technology:
        i. attack the router and hack into the LAN -> attack the camera in the LAN, see the password chain in scene
        ii. attack the smart door lock, lock the person indoors -> attack the smart bulb, flash the bulb -> panic the person.
    C. Design an attack scene that has more danger.
    D. Design a demonstration with better effects.

Contest process

Deadline for registration: September 10, 2018
Contestant registration: submit the registration form online.

Offline research phrase:
The organizer announces the target devices list and attack scenarios examples.
The contestants purchase devices to research and find zero-day vulnerabilities of target devices.
The registration is open, and the contestants submit the online registration.
The organizer reviews and screens the registrations and sends the results to the contestants.

Online attack phase:
Registration ends.
The organizer opens the online environment.
The organizer calculates the order of the contestant in online phase.
The organizer deploys the target devices selected by the contestants.
The contestant enters the jump server provided by the organizer and enters the online environment. The jump server is Kali 2018.2, and the contestant has the root privilege of the system.
The contestants are unable to physically contact or approach any devices in the online environment.
The contestant attacks the target devices in the online environment, and finishes compromising the predetermined attack targets within a limited time. The prescribed time is 30 minutes, and the contestant will get extra 5 minutes when he hacks into each node.

Vulnerability submission phase:
If the online attack is finished successfully, the contestant will be required to submit details of the vulnerabilities to the organizer.
The organizer replicates attacks in the environment using the code submitted by the contestants.
The organizer checks whether there are any duplicate vulnerabilities or irregularities (whether the vulnerability description is consistent with the attack code).
The judge panel will review and determine the prize.
**there is any question in the process of registration, please mail to:cfp@geekcon.top

Prize

1st place $15,000-$30,000 USD, Second Place $8,000-$15,000 USD, Third Place $3,000-$8,000 USD

Description

Nakamoto is a top Cryptographer and a Digital Currency player. He mainly stays in his lab everyday. In order to protect himself from theft, he designed a guard system to protect his lab. He also hide his BTC wallet address, keys in different locations in the lab. One night, some special "people" arrived ......
In this contest, each team is required to make a robot, which can enter a simulated lab. Players can remotely control the robot or let the robot move by itself. In scheduled time, if the robot fulfill tasks, it can get corresponding points. The final result is based on the total points.

Rules

Each team will make their robot, then remotely control it or let the robot move by itself. The robot will sneak into a simulated lab environment and get secret information. The robot can enter the lab through door, window or ventilation pipe. After that, it needs to shutdown the laser net or go through it carefully without triggering alarm. Then the robot can place a covert listening device in the lab, open safe to get secret information on card, open a book to get secret on card or plug a malicious USB device to computer... If a robot can retreat to outside of the lab in reasonable and safe way, it can get extra points. Please download and check detailed rule document from here:Robot Agent Challenge Contest Rule Document (Version 2.5, Sept. 2nd)

Schedule

Registration deadline:July 15th (Las Vegas), Sept 30th (Shanghai)

Registration: Please submit your online registration here Registration Form。

*If you want to get detailed explanations on the contest field and evaluation standards, please send email to:cfp@geekcon.top

Vulnerability
Based
Hack

Non-Vuln
Based
Hack

Prize

The maximum individual prize awarded will be: $150,000 USD

Description

Smart devices, AI products, libraries, frameworks and IoT products, that are commercially available or widely used are all acceptable PWN targets. By exploiting security vulnerabilities, the attacker without privileges can get system control, access private data or break through original security mechanisms in reasonable attack conditions.

Examples

Pass face recognition door control with one vulnerability: Contestant exploited a vulnerability to get system control privilege. Modify the face data so pass the control with other person's identity. (GeekPwn2017 Shanghai)
Exploit Home Router vulnerabilities: Contestant exploit vulnerabilities in home router remotely to get admin privileges. (GeekPwn2014 - 2017)
Exploit 9 vulnerabilities, attack Trustzone: Contestant asked user install a malicious app, then the app attack TrustZone, everyone can unlock the phone with finger print. (GeekPwn2016 Shanghai)

*More vulnerability based PWN, like Camera, POS, Robot, Smart Watch, Smart Lock, Shared Bike, etc , please check Hall of Fame

Evaluation and Judgement

1. The PWN target (device, application or security module) should be in factory shipped state with official updates and default settings. The ROM and/or software versions should be >= the latest version 30 days before the GeekPwn event.
2. All the technical approaches must be contestant's original work. All the public known PWN approaches could not be used and win the contest. Winning contestants need to submit technical details report.
3. Awards will be offered by GeekPwn committee based on the PWN technical difficulty, creativity and demonstration effects.

Schedule

Registration deadline: Sept. 30th, 2018

Registration: Please submit your online registration Registration Form。

First round evaluation: GeekPwn Committee will evaluate according to the submit form in 5 business days.
Second round evaluation: GeekPwn Committee will determine if the registration is accepted. Once accepted, GeekPwn Committee will prepare device (or AI products) and presentation environment.

*For any questions, please send an email to: cfp@geekcon.top

Prize

The maximum individual prize awarded will be :$150,000 USD for each PWN

Description

mart devices, AI products, libaries, frameworks and IoT products, that are commercially available or widely used are all acceptable PWN targets. Or, there may be no direct PWN target at all, but only a security scenario. The attack is NOT necessarily exploiting vulnerabilities, but using new creative method.

Examples

Wombie Attack: a new model of worm spreading. (GeekPwn2017 HongKong)
Recognize CAPTCHA images by using DNN: Contestant used trained DNN to crack Google reCAPTCHA (GeekPwn2017 Sillicon Valley)
Attacker uses Machine Learning to learn human voice, then simulate it to pass a voice recognition system. (GeekPwn2017 Shanghai)

*More Non-Vulnerability based PWN, please checkHall of Fame

Evaluation and Judgement

Schedule

Registration deadline: Sept. 30th, 2018

Registration: Please submit your online registration Registration Form.

First round evaluation: GeekPwn Committee will evaluate according to the submit form in 5 business days.

Second round evaluation: GeekPwn Committee will determine if the registration is accepted. Once accepted, GeekPwn Committee will prepare device (or AI products) and presentation environment.

*For any questions, please send an email to: cfp@geekcon.top

Recover
Blurred Image
Challenge

RFID
Long Dist
R&W Challenge

Prize

The participant with highest score(1st palce) in those who use GAN to recover images will get prize: 1.024 Bitcoin. The participant with highest score(1st place) in those who use other AI techniques will get prize: 0.512 Bitcoin . The participant with highest score(1st place) in those who use other methods than AI will get prize: 0.256 Bitcoin

*Winners can choose to get Bitcoin or the equivalent cash on Oct.24th, 2018.

Description

From Aug 1st, 2018, competition platform will publish an image with a blurred area. Totally 10 images will be published in this challenge.
Everyone can get the image and recover it. After that he can upload the image and the competition platform will give it a score automatically
Each participant can upload 10 times for each image in one week.

Evaluation and Judgement

The final score will include total initial automatic score and judge evaluate score, each as 50%

Total initial automatic score:
Each time participant upload an image file, the competition platform will determine a score automaticly based on PSNR (whole picture and blurred area), color consistence, AI classification consistence and Perceptual Loss. Each part will have different percentage. If a participant challenged an image more than once, then only the highest score will be calculated. The highest possible score for one image is 100, total 1000 for all 10 images.

Judge evaluate socre:
Because the results need human involvement to evaluate. We will have experts to determine a score. The evalaution will be based on the techniques used (including codes), the naturalness of recoverd image, etc.

Schedule

Registration deadline:Oct. 10th, 2018

Participants upload recovered image through competition platform (will soon publish, please wait.)
Top scores need to submit tech paper and codes before Oct. 20th so judges can evaluate. Winners will be invited to GeekPwn Shanghai to get prize and share the techniques used in competition.
*Please don't upload illegal images and/or files. Anyone does this takes his own responsibility.

Prize

The prize (RMB) =(successful distance in cm)**2. For example, if a participant successfully R&W at a distance of 150 cm, he can get prize: 150*150 =22500 RMB.

Description

Make a device that can read and write RFID from a distance. The one which can read and write from the maximum distance will be the winner.

Evaluation and Judgement

1. The physical distance of the 2 farthest points on device itself is not more than 80cm, the total weight is not more than 5kg, and the input power is not more than 10W. If necessary, the device can be connected to a computer.
2. The equipment must not have its own battery. It must be powered by 220V AC power supply at the competition site, for sake of monitoring the input power.
3. In the competition, the distance between the device and the card is not less than 100cm. The farther the distance is, the higher the score is.
4. If multiple scores with the same distance appear in the same challenge, the winner is determined according to the order of smaller equipment, lighter weight, and lower input power;
5. Either track has two different distances to challenge, and each distance has two chances to try. Any success in both attempts is considered a success of that distance.
6. The challenge time limit of ID card is 30s, and the challenge time limit M1 card is 60s.

Schedule

Registration deadline：Sept 30th, 2018

Registration: Please submit your online registration at:Registration Form
GeekPwn Committee will determine if the registration is accepted. Once accepted, the participant will be invited to GeekPwn Shanghai *For any questions, please send an email to: cfp@geekcon.top

Contestant Registration: cfp@geekcon.top	Business Cooperations: biz@geekcon.top
Consulting Tickets: ticket@geekcon.top	Media Cooperations: biz@geekcon.top

GeekPwn 2018 Contest Rules, Upgraded