Our team won an Award of Excellence at GeekPwn 2016 Carnival for our IoT research!

Our team won an Award of Excellence at GeekPwn 2016 Carnival for our IoT research on Oct. 24, 2016!

Ms. Yiling Xu, Dr. Zhen Ling from Southeast University of China, Ms. Chao Gao, Dr. Xinwen Fu from University of Massachusetts Lowell, and Dr. Wei Zhao from University of Macau formed a team, named Phoenix Decoder. The team participated in GeekPwn 2016 held on Oct. 24, 2016 in Shanghai, China, and won an Award of Excellence. GeekPwn is the first worldwide security geek contest for smart life. This white-hat hacker conference in Shanghai attracted more than 58 known international cybersecurity experts competing for prizes this year.

Ms. Xu and Dr. Ling represented the team Phoenix Decoder and demonstrated their results of IoT research on Edimax smart plugs, which have severe computer security vulnerabilities. They showed a device spoofing attack, which blocks the genuine plug and pretends to be a legal one, waiting for the remote control application on a smartphone to send the authentication credential. With the compromised credentials, they were able to control the plug remotely. They also injected a customized firmware into the plug and turned the plug into a bot. They sent a Weibo (Chinese twitter) post from the controlled bot and could run any commands!

On Oct. 21, 2016, a huge DDoS attacked US networks and caused the shutdown of many web services including Twitter. Behind this attack were the compromised IoT devices, including webcams and other similar products. The manufacturers of those devices have passwords flashed into the hardware and it is hard to change these passwords, which were exposed in 2015. Hackers scanned the Internet and hacked these IoT devices, forming a big botnet. The botnet then generated sea-volume traffic and conjected major DNS servers of Dyn in Manchester, NH, USA. Network services using Dyn were affected!

The research from the team of Phoenix Decoder is to send out a strong warning message to the IoT community and hopefully to enforce smart plug and other IoT device manufacturers/developers to put security at a higher priority. In behalf of Phoenix Decoder, GeekPwn has notified Edimax and provided the details of the vulnerabilities. The code of the attacks is not disclosed.

Phoenix Decoder
From right to left: 1st Dr. Zhen Ling, 3rd Ms. Yiling Xu in the GeekPwn 2016 Shanghai compeition
GeekPwn 2016 grenade
From left to right: Dr. Zhen Ling, Ms. Yiing Xu with the souvenir!