Hacks in Taiwan Conference (HITCON) 2016 was held on 22 – 23 July 2016 in Taipei, Taiwan. The theme of HITCON Community this year is “Security or Nothing”, focusing on hacking techniques and information security.
About 1,500 participants attended to the event coming from the United States, India, Korea, China, Japan and Taiwan. The attendees enjoyed their opportunities to meet security experts, security researchers and malware analysts from each country to discuss information security, APT research and malware analysis. Among them, more than 20 percent were students who possess high skills and promising futures.
This conference agenda included various topics: a 0-day exploit of the Windows 10 built-in browser “Edge”, research regarding an attempt to break the key of an IoT intelligent electric network, and talks on ransomware.
The following are summaries of a few of the impressive presentations:
- BLE authentication design challenges on IoT Devices: Analyzing Gogoro Smart Scooter
Mr. GD (Team T5) introduced how to analyze Bluetooth Low Energy (BLE) and provided details of communication protocols between IoT devices and a smartphone that controls them. He explained a problem in authentication mechanism and application protocol of the Gogoro smart scooter. He demonstrated that other people were able to unlock the scooter and proposed a better authentication mechanism to solve the problem.
2. Bug Bounty: The story of a bug hunter
Mr. Orange Tsai (student) explained what a bug bounty program is, including how to get ready and cautions for participating in a bug bounty. He shared his point of view over finding bugs, as well as examples from his own experiences. Some remote code executions on Facebook, Uber, Apple and Yahoo! were introduced. In addition, he talked about eBay’s SQL Injection and several cross-site scripting cases on Facebook, Apple and Google by showing sample code for each.
If you are interested, you can see the HITCON 2016 presentations at http://hitcon.org/2016/CMT/#hitcon_agenda.
The last session of the 2nd day was a “Lightning talk show” which included technical short presentations that covered recent topics. For example, the first speaker talked about how to communicate with an APT operator and showed the attributions in a recent incident. Another speaker introduced how to crack and hack “Pokémon GO” and they demonstrated how to hook the GPS and control it. They published their code as an open source project on GitHub.
This conference did not consist only of briefings, but also some fun events: a hacker board game, a Raspberry Pi Wargame challenge and the Wall of Sheep. One funny thing that occurred was when some captured traffic indicated someone made a connection to a Japanese dating site via the HITCON public Wi-Fi. It was a window of opportunity for attendees to learn their own vulnerabilities.
The official language of this conference was Chinese, but there were no worries; The event staff wearing an “ask me anything” (何でも聞いて) -sticker with a cute-smile-emoji helped attendees with English and Japanese translations.
In conclusion, HITCON 2016 was really interesting and exciting. We really enjoyed this conference and plan to attend in years to come. The HITCON community has another event, HITCON Pacific (http://hitcon.org/2016/) from 28 November to 3 December 2016. Hopefully we will be in attendance for that one as well:)