GEEKCON· New GeekPwn

DEVELOP AND NURTURE TALENTS OF THE WORLD

QUANTIFY AND ENHANCE VALUE OF THE INDUSTRY

DEVELOP AND NURTURE

TALENTS OF THE WORLD

QUANTIFY AND ENHANCE

VALUE OF THE INDUSTRY

GEEKCON 2024 INTERNATIONAL HIGHLIGHTS

Sat. 25 May - Sun. 26 May
OCBC Arena @ Singapore Sports Hub
SEE YOU NEXT TIME

PHOTO GALLERY

PHOTOS

Yakai Li @ExpAttack Team
Guangming Liu @vivo kiMirrOrs sec lab

The Art of Deception

Large Model Jailbreak Competition
Can AI Be Manipulated by Evil Force?

Slides 1 Slides 2

Kira Chen

DARKNAVY

Surviving MiraclePtr: Navigating of Webp and Beyond

Comprehensive Revelation of a Highly Sophisticated Cyber Warfare Weapon Targeting Browsers (incl. Demo)

Slides

John Doe

Can Airport X-ray Detection Machine Be Trusted?

A Challenge that Using Undisclosed Methods to Bypass Common X-ray Detection Machines

Lianji Li

RealAI

Changing Faces with AI Disguise Glasses

A Challenge to Deceive Face Recognition Systems Using AI Adversarial Attack

Slides

AVSS

DARKNAVY

Adversarial Vulnerability Scoring System

White Paper 1.0
Official Announcement

Download

Connie Lam

CertiK

Friend or Foe: A Bridge Vulnerability About "Public and Friend"

Disclosing a USD5,000,000 Web3 Bridge Vulnerability

Hao Ke
John Wu
Azhara Assanova

Google Android Platform Security

Hardening Android: Insights and Systemic Protections from Google's Front Lines

Unveiling Comprehensive Countermeasures Behind Multiple Covert Attacks on the Android Platform (incl. Demo)
Contributors: Achim Thesmann, Nan Wu

Slides

Ye Wang
Yanze Zhang

University of Macau

Role Play Attack for Web3 DeFi Applications

Reproducing a Unique Method Attacking Decentralized Finance (DeFi) Systems by Mimicking Multiple Roles

Slides

Lars Fröder

Cellebrite

Jailbreak Apple iOS16: Defeating Code Signing Using a PPL Bypass

Deep Dive into the Latest Jailbreak Technique (incl. Demo)

Slides

John Doe

If Autonomous Driving Is Prone to Blinding...

A Challenge that Uses a Low-cost, Miniature Device to Disrupt Radar Systems in Self-driving Cars

Yifei Wu
Cuiying Gao

Dawn Security Lab
JD.com Security

The Secrets Behind Advertising Traffic

Exposing How Criminals Hijack Our Phones to Make Millions: Unveiling the Attacks and Countermeasures（incl. Demo）

Slides

kangel
ttt
Nop

FSL Team

Hostile Takeovers within Cloud Hosts Part 1: From Guest to Host

A Challenge that Exploits Unknown Vulnerabilities to Achieve Escape of a Popular Virtual Machine Platform

Neoni

Hostile Takeovers within Cloud Hosts Part 2: From Host to Root

A Challenge that Exploits Unknown Vulnerabilities to Achieve Local Privilege Escalation of a Specific Operating System

NWMonster
slipper

Offside Labs

Unlocking Crypto Vulnerabilities: Insights into Hardware Wallet Security

How Crypto Currency Disappears from Your Wallet: Delving Deep into the Attack Techniques (incl. Demo)

Yichi Zhang

Tsinghua University

Can Large Models Be Fooled by Illusion?

A Challenge of Adversarial Image Attack on Multi-Modal Large Models

Slides

Boris Larin

Kaspersky

Operation Triangulation: Do Not Attack iPhones of Researchers!

Comprehensive Revelation of a Highly Sophisticated Cyber Warfare Weapon Targeting iPhones (incl. Demo)

Zhaofeng Chen
Yx

CertiK

ModuleBomb: Persistent Blockchain Outage Attack

Reproducing of a SUI Validator Network Vulnerability that Could Crash the Whole BlockChain Network

Slides

Peter Hlavaty

HyperV and Effective Ways of Fuzzing It for RCEs

Pro Bug Bounty Hunter Reveals for the First Time Attack Technique Targeting Microsoft Virtual Machine (incl. Demo)

Jay Turla

VicOne

How Long Does it Take to Stealthily Unlock a Car?

A Challenge that Exploits Vulnerabilities to Unlock Certain Automotives

Slides

YizheZhuang

DARKNAVY

Exploiting Steam: A Journey into Vulnerability Discovery of a CEF-based Application

Revealing Advanced Attack Techniques Infiltrating Client Systems via Popular Gaming Platforms (incl. Demo)

Slides

Chao Zhang

Tsinghua University

Machine Language Model for Binary Analysis

Will AI Overtake Binary Security Researchers?

Slides

Hai Zhao
Yue Liu

Tiangong Lab

Defeating Self-protection of Chips

A Challenge that Exploits Unknown Vulnerabilities to Bypass CSM/DCSM of Certain Chips

Slides

Lorant Szabo
Daniel Komaromy

TASZK Security Labs

Attacking Over the Air: Exploiting Basebands in Radio Layer Two

Disclosing a Remote, Stealthy Smartphone Attack Exploiting Baseband Vulnerabilities (incl. Demo)

Kai Jern Lau

Redefine Reverse Engineering in Web3

Applying Bytecode Level Reverse Engineering Techniques to Web3 Incident Analysis (incl. Demo)

Slides

Haixin Duan
Xiang Li

Tsinghua University

TuDoor in the DNS Wall: The Fastest DNS Cache Poisoning Attack

Disclosing a Sophisticated Attack Exploiting Unknown Vulnerabilities in Popular Internet Protocols to Hijack Sites (incl. Demo)

Slides

Gelei Deng @ NTU
Yuqiang Sun, Daoyuan Wu @ NTU

Will AI Become a More Powerful Hacker?

Demonstrations of Using AI in Cyber Attacks

Slides 1 Slides 2

Zhutian Feng
Haojie He

Singular Security Lab

Overlooked Bugs
Serious Impact

1-click Attack: Leveraging Unknown Vulnerabilities in Mainstream Browsers for Remote Code Execution (incl. Demo)

Slides

Dennis Giese
Braelynn

Could Smart Home Robots Become the Trojan Spying on Our Lives?

A Challenge that Exploits Vulnerabilities to Control Smart Home Robots

AVSS Contest 2024 Final Ranking

First Place

emmmmmmm2024

Second Place

凌武实验室

Third Place

来自东方的神秘力量

Fourth Place

Polaris

Fifth Place

L3H_Sec

AI and Hackers

Annual Themed Debate

AVSS

Contest

DAF

Contest

30 + 5

In-depth Sharing

Web3 and Hackers

Annual Themed Contest

AI and Hackers

Annual Themed Debate

AVSS

Contest

DAF

Contest

30 + 5

In-depth Sharing

Web3 and Hackers

Annual Themed Contest

KEEP ON PWNING EVERYTHING!

Introduction

DAF (Defense & Attack Force) Contest is an immersive, unparalleled and extraordinary hacking contest like no other,

which unveils the real-world vulnerability exploitation threats by showcasing cyber adversarial activities in smart devices and network services.

As an upgraded version of GEEKPWN, DAF Contest continuously encourages contestants to PWN everything.

Schedule

Online submission to cfp@geekcon.top by April 15th. Vulnerability details and codes are not needed in the submission.

The GEEKCON Committee will review the submitted applications according to the order of submissions, and select the final accepted project.

On May 25th - 26th in Singapore, the accepted contestants will tackle on-site challenges and showcase their exploitation to the audience.

Challenge Objectives

Participants in the submission process can select their own challenge targets, encompassing commercially available or commonly used smart devices and software systems, including commercial/open-source software, IoT products, AI-related products, frameworks, and libraries.

Through the exploitation of security vulnerabilities in their chosen targets, participants are expected to achieve actions such as unauthorized control, unauthorized data access, circumventing original security mechanisms, or guiding the target to make incorrect decisions under reasonable attack conditions.

Challenge Rules

Participants are restricted to targeting the original systems, applications, or native security modules of device manufacturers. The software or firmware version of the target device or security module must be equal to or higher than the latest version 30 days before the contest and set to default or commonly used configurations.

GEEKCON organizers, based on the information provided by participants regarding their chosen targets and versions, will prepare corresponding contest equipment and environments. Participants must complete the challenge within the contest environment. In instances where the organizer are unable to prepare the challenge environment, participants can request to provide their own challenge equipment. After verification and approval by the organizers, they can participate in the contest.

The technical methods and exploited security flaws used by participants in the contest must be self-discovered and implemented. Publicly known or existing security flaws and techniques cannot be used as criteria for winning the contest. If the techniques and security flaws used by participants include non-self-discovered elements, they must inform the organizer during submission process.

Participants must complete the challenge within 20 minutes. Failure to do so results in a challenge failure.

Evaluation Criteria

DAF contest participants who successfully complete the challenge will be comprehensively evaluated by the GEEKCON judging committee based on the technical difficulty, technical value, consequences and impact of the challenge project, as well as on-site performance. The final comprehensive score for the challenge project will be calculated.

Participation Rewards

Participants are not obligated to provide details of the vulnerabilities used in their attack to the GEEKCON committee. However, after successfully completing the challenge project, they must provide an overall explanation of how the attack occurred. The judge panel will rate the attack based on the evaluation criteria, determine award levels according to the score, and distribute contest prizes accordingly.

Reference Challenge Projects

Exploitation of Automotive Information System Vulnerabilities: Challenge participants discover a 0-day vulnerability in a specific car. After connecting to the in-car WiFi from outside the vehicle, they exploit the vulnerability to gain administrative privileges and open locked car doors from outside.

Exploitation of Facial Recognition Access Control System Vulnerabilities: Challenge participants discover a 0-day vulnerability in a specific brand's facial recognition access control system. They use this vulnerability to gain control of the system, modify facial information, bypass identity authentication, and unlock access control.

Exploitation of AI Algorithm Deficiencies: Challenge participants can use a special conversational approach to bypass security restrictions of large models like AI. This can induce the targeted model to leak sensitive information, training data, or execute harmful operations.

A BRAND NEW CHALLENGE TO QUANTIFY SECURITY.

Introduction

Two new cars of different brands, which one can better protect the personal safety of the drivers and passengers?

Come to a real crash test, and you will know.

But how can we compare the cyber security levels of different cars?

Which one is more resistant to hackers?

Similarly, how can we compare the cyber security levels of different information systems?

The AVSS (Adversarial Vulnerability Scoring System) Contest can be viewed as a "collision test field" for information systems based on the real adversarial network environment.

We know that there are no vulnerability-free systems in the world.

Most of our security efforts are made to increase the cost and difficulty of exploiting these vulnerabilities.

We are also aware that the investment in product security varies greatly among different companies.

Companies that prioritize user security should be recognized for their security achievements.

Moreover, we hope that ordinary consumers have the right to make more secure choices with greater convenience.

AVSS Contest 2024 International

The "AVSS Contest 2024 International" is designed to target a diverse range of software and systems, with a particular emphasis on systems of mobile phones and V2X.

The competition encompasses multiple challenge sets, each featuring distinct system environments that share common vulnerabilities.

The primary objective is to evaluate participants' proficiency in exploiting these vulnerabilities across varying systems.

Structured as a solving competition, participants in the online qualifier are required to exploit specified vulnerabilities to retrieve flags from target machines. In the on-site finals, participants must exploit designated vulnerabilities to achieve specific challenge objectives.

The competition format is analogous to a Capture The Flag (CTF) contest. It is noteworthy that while anticipated solutions exist for most challenges, exceptions may apply. Additionally, owing to the inclusion of certain older system versions, participants are expected to leverage the attack vectors stipulated in the challenges for vulnerability exploitation.

Schedule

https://avss.geekcon.top/register

document_en or document_cn.

April 20, 2024, 10:00 (UTC+8) to April 22, 2024, 10:00 (UTC+8).

Saturday, May 25, 2024, Singapore.

A DEBATE LIKE NO OTHER!

Submission Guideline

Vulnerability Scope

Real-world vulnerabilities in Web3 infrastructure and applications, including but not limited to L1/L2 public chains, cross-chain bridges, and smart contracts (whether fixed or not).

N-day vulnerabilities will be given priority.

Demonstrations may showcase significant past attack events, but must specify if the discovery is original or a reproduction.

Examples of Attack Effects

Network failure, resulting in transaction confirmation issues or complete shutdown.

Permanent chain split, needing a hard fork.

Direct fund loss.

Funds permanently frozen, requiring a hard fork.

Counterfeit tokens.

Unauthorized token transfers.

Effect Requirements

Clear demonstration of security attack impact.

Preference for live demos that can be presented on-site.

Avoiding impacting normal Web3 infrastructure (public chains, cross-chain bridges, etc.) and Web3 applications directly.

Submission Requirements

Description of Vulnerability and Attack Effect.

Description of Disclosure and Current Patching Situation.

Description of Setup (testnet etc) required to reproduce the attack effect.

Video recording (optional).

For vulnerabilities that have not been made public, the submitting team needs to declare at the time of submission. GEEKCON committee will NOT ask for the 0-Day vulnerability details, however the participant should submit the vulnerabilities to corresponding entity after the event.

Evaluation and Ranking

Participants who successfully complete the live demo challenge will be comprehensively evaluated by the GEEKCON committee based on the technical difficulty, technical value, consequences & impact of the challenge demo, as well as on-site performance. The final score for the challenge demo will be calculated.

GEEKCON committee will rank the demos and provide corresponding prizes to participants.

Introduction

When Web3 first emerged, it brought about a revolution to the entire internet.

However, in 2023, Web3 experienced a bear market and was overshadowed by ChatGPT.

Does this mean that Web3 is heading towards decline? The answer is no.

Numerous Web3 security enterprises have emerged, and people's attention to Web3 security is increasing day by day.

How secure is Web3 itself? How is money lost in the Web3 space?

The "Annual Themed Contest: Web3 & Hackers" provides a platform for Web3 security researchers to disclose security risks, showcase their security capabilities, and present Web3 security scenarios and challenges to the traditional security community.

Come and watch how the researchers replicate the real world Web3 attacks!

Schedule

Submit to cfp@geekcon.top by April 1st.

2. Evaluation by the committee and notifications to submitters in mid to late April.

May 25th – 26th, 2024, Singapore.

A DEBATE LIKE NO OTHER!

Submission Guideline

Problem Scope

Attacks against AI Large Models, including, but not limited to, jail-breaking, prompt injection, adversarial attack, remote code execution, etc.

Using AI for autonomous offensive cybersecurity tasks, including, but not limited to, autonomous pentesting, web hacking, exploiting, and CTF.

Using AI for autonomous defensive cybersecurity tasks, including, but not limited to, vulnerability discovery, reverse engineering, and jailbreak defense.

Examples of Attack Effects

White-box or Black-box jail-breaking attack methods for Large Models.

Jailbreak defense using Large Models or self-trained models.

Novel adversarial attack methods against Large Models.

Remote code execution against Large Models based applications.

Successful pentesting or CTF using AI.

Effective vulnerability detection using AI.

Effect Requirements

Clear demonstration of security attack impact.

Preference for live demos that can be presented on-site.

Avoiding impacting normal Large Models infrastructure and target applications directly.

Submission Requirements

Description of Problem and Attack Effect.

Description of Disclosure and Current Patching Situation.

Description of Setup (environment etc) required to reproduce the attack effect.

Video recording (optional):

Evaluation and Ranking

GEEKCON committee will rank the demos and provide corresponding prizes to participants.

Introduction

During the first AI security competition CAAD in GEEKPWN, we had an optimistic idea:

If one day AI threatens human beings, hackers may be the savior.

As Alan Turing, the father of AI, was also a hacker, we believe hackers can make or break AI,

and they will always find bugs to prevent AI from getting out of control.

The birth of AI has stunned us and prompted deep contemplation.

Could it be that AI is the hacker, and we humans are the BUG?

GEEKCON's annual debate will continue explore the relationships between "AI & Hackers".

This is a session that embraces scientific thinking and encourages all ideas from everyone.

Welcome to defend your ideas through convincing research results.

Schedule

Submit to cfp@geekcon.top by April 1st.

2. Evaluation by the committee and notifications to submitters in mid to late April.

May 25th – 26th , 2024, Singapore.

VISUALIZED INSIGHTS.

Introduction

If you have unique security research findings, one-of-a-kind practical experience, exceptional hacking stories, cutting-edge defense and mitigation techniques, as well as new applications, tools, solutions, and findings on sophisticated cyberespionage campaigns...

We invite you to share your discoveries with security enthusiasts on the "30 + 5 In-depth Sharing" session of GEEKCON 2024 INTERNATIONAL.

January 15, 2024 (12:00 AM UTC+8)

April 15, 2024 (11:59 PM UTC+8)

Middle-April 2024

May 25-26, 2024 / OCBC Arena, Singapore

cfp@geekcon.top

Submission Guidelines

To submit your entry, please follow the following requirements and guidelines：

1. Prepare a live hack show or a demo within 5 minutes; present how you hacked, how you exploited, or other frontier researches in 30 minutes. Each topic will have an additional 5 minutes for questions and answers.

2. We encourage you to share distinctive technical insights regarding your hack/exploits and researches, while avoiding discussion of commonly known facts or basic knowledge.

3. The submitter should clarify the theme, introduction, and the innovative and unique aspects of the application.

4. Presentations which aim to market or promote commercial products or entities will be rejected without consideration.

1 GEEKCON organizing committee (hereinafter referred to as "the committee") recognizes the technical capability of the winner individually, but doesn't acknowledge that it represents the capability of the winner's working organization.

2 We recognize and promote the comprehensive assessment of vulnerability exploitation capabilities and mitigation mechanisms from a confrontational perspective, and do not endorse the judgement of security levels of the target products involved in the event based on a single dimension or non-quantitative dimension.

3 The committee firmly follows the Responsible Disclosure principle. The committee and contestant commit not to disclose any details to third-party before manufactures fix the issues.

4 The committee advocates and encourages in-depth knowledge sharing and communication, but firmly opposes any speech and behavior that violates laws and regulations or infringes on the rights of others.

5 The committee guarantees that the participants' personal information will not be disclosed to third-party or used for commercial activities without their agreement and authentication.

6 We will set up awards and honors based on the research efforts, technical breakthrough, and technical innovation of the projects. As the top 1 security geek IP operator in China, we always advocate a reward mechanism that emphasizes both honor and moderate bounty, encouraging more geeks to participate in technical innovation and knowledge sharing.

ORGANIZER

CREATOR

PARTNERS

PAST PARTNERS

About DARKNAVY

DARKNAVY, an independent and free-spirited security research organization and service provider. We have invented and established AVSS (Adversarial Vulnerability Scoring System) to evaluate and quantify vulnerabilities and the effectiveness of system mitigation mechanisms in real adversarial environments. We have also initiated and organized GEEKCON, a unique and top-class security geek event, to empower the development of the global security community.

Our goal is to create a more secure digital world by eliminating vulnerabilities in IT products/services. By sharing our knowledge through consulting and R&D experiences, we aim to enable organizations to better prepare and protect themselves against the ever-evolving threat of cyber attacks.

About GEEKCON

GEEKCON is the new version of the top security competition, GeekPwn. Initiated by DARKNAVY, GEEKCON aims to become a globally unparalleled technical event for security geeks, pioneering and promoting the visualization and measurable values of security ecosystem capabilities.

Contact

Registration Desk:

cfp@geekcon.top

Business&Media Cooperations:

GC.SG.Biz@DarkNavy.com

Yakai Li @ExpAttack TeamGuangming Liu @vivo kiMirrOrs sec lab

The Art of Deception

Kira Chen

Surviving MiraclePtr: Navigating of Webp and Beyond

John Doe

Can Airport X-ray Detection Machine Be Trusted?

Lianji Li

Changing Faces with AI Disguise Glasses

AVSS

Adversarial Vulnerability Scoring System

Connie Lam

Friend or Foe: A Bridge Vulnerability About "Public and Friend"

Hao KeJohn WuAzhara Assanova

Hardening Android: Insights and Systemic Protections from Google's Front Lines

Ye WangYanze Zhang

Role Play Attack for Web3 DeFi Applications

Lars Fröder

Jailbreak Apple iOS16: Defeating Code Signing Using a PPL Bypass

John Doe

If Autonomous Driving Is Prone to Blinding...

Yifei WuCuiying Gao

The Secrets Behind Advertising Traffic

kangeltttNop

Hostile Takeovers within Cloud Hosts Part 1: From Guest to Host

Neoni

Hostile Takeovers within Cloud Hosts Part 2: From Host to Root

NWMonsterslipper

Unlocking Crypto Vulnerabilities: Insights into Hardware Wallet Security

Yichi Zhang

Can Large Models Be Fooled by Illusion?

Boris Larin

Operation Triangulation: Do Not Attack iPhones of Researchers!

Zhaofeng ChenYx

ModuleBomb: Persistent Blockchain Outage Attack

Peter Hlavaty

HyperV and Effective Ways of Fuzzing It for RCEs

Jay Turla

How Long Does it Take to Stealthily Unlock a Car?

YizheZhuang

Exploiting Steam: A Journey into Vulnerability Discovery of a CEF-based Application

Chao Zhang

Machine Language Model for Binary Analysis

Hai ZhaoYue Liu

Defeating Self-protection of Chips

Lorant SzaboDaniel Komaromy

Attacking Over the Air: Exploiting Basebands in Radio Layer Two

Kai Jern Lau

Redefine Reverse Engineering in Web3

Haixin DuanXiang Li

TuDoor in the DNS Wall: The Fastest DNS Cache Poisoning Attack

Gelei Deng @ NTUYuqiang Sun, Daoyuan Wu @ NTU

Will AI Become a More Powerful Hacker?

Zhutian FengHaojie He

Overlooked BugsSerious Impact

Dennis GieseBraelynn

Could Smart Home Robots Become the Trojan Spying on Our Lives?

Vulnerability Scope

Examples of Attack Effects

Effect Requirements

Submission Requirements

Evaluation and Ranking

Problem Scope

Examples of Attack Effects

Effect Requirements

Submission Requirements

Evaluation and Ranking

Contact

Registration Desk:

Business&Media Cooperations:

Yakai Li @ExpAttack Team
Guangming Liu @vivo kiMirrOrs sec lab

Hao Ke
John Wu
Azhara Assanova

Ye Wang
Yanze Zhang

Yifei Wu
Cuiying Gao

kangel
ttt
Nop

NWMonster
slipper

Zhaofeng Chen
Yx

Hai Zhao
Yue Liu

Lorant Szabo
Daniel Komaromy

Haixin Duan
Xiang Li

Gelei Deng @ NTU
Yuqiang Sun, Daoyuan Wu @ NTU

Zhutian Feng
Haojie He

Overlooked Bugs
Serious Impact

Dennis Giese
Braelynn