Bug Bounty Express on Evitag: Conand 2018, the cybersecurity congress in Andorra

Bug Bounty Express on EviTag NFC event illustration

Do you have what it takes to hack the contactless security solution by Fullsecure and Freemindtronic Andorra? If yes, then you should join the Bug Bounty Express on Evitag NFC HSM that took place at CONAND 2018, the cybersecurity congress in Andorra. It was a security challenge that consisted of detecting vulnerabilities on the innovative product Evitag NFC HSM, which allows to secure your secrets via an NFC electronic module. The Bug Bounty Express was organized by Fullsecure, partner of CONAND 2018, on its booth during the second edition of the event, on February 7 and 8, 2018.

Conand Show Events

What is CONAND 2018?

CONAND 2018 is an event organized by Andorra Telecom, the telecommunications operator of the country, in collaboration with the government of Andorra, the Cybersecurity Research Center of the University of Andorra and the Chamber of Commerce, Industry and Services of Andorra. It aims to promote cybersecurity as a key element of digital transformation and to strengthen Andorra’s position as a technological and innovative hub. The second edition of this congress took place from February 7 to 8, 2018 at the Congress Center of Andorra la Vella and brought together national and international experts, companies, institutions and researchers around conferences, workshops, demonstrations and business meetings.

Bug Bounty Show Events

What is a Bug Bounty?

A Bug Bounty is a reward offered to anyone who can find and report a security flaw in a software, a hardware, a website or an application. The reward can be monetary, in-kind or in recognition. The Bug Bounty aims to encourage ethical hackers to help improve the security of the products and services they use, and to prevent malicious hackers from exploiting the vulnerabilities they find.

Demo show in booth

How to use Evitag NFC HSM?

To use Evitag NFC HSM, you just need to have an Android NFC smartphone and the Android application developed by Freemindtronic Andorra. By passing the NFC HSM module under the phone, you can display your secret, share it in RSA 4096 (a very robust asymmetric encryption algorithm) or use it directly on your phone or on a computer via a web extension coupled to the phone serving as a terminal.

Safety and Cybersecurity System presented at Conand 2018

What are the advantages of Evitag NFC HSM?

EviTag NFC HSM has several advantages over traditional solutions for storing your secrets:

  • It works without server or database, which reduces costs and risks of hacking.
  • It works only without contact, which avoids compatibility or connectivity issues.
  • It is lifetime without battery, without maintenance and tamperproof and waterproof, which ensures its reliability and durability.
  • It uses an AES 256 encryption algorithm, recognized as one of the safest in the world, to encrypt your secrets stored in the EPROM memory of the NFC.
Use case

Who is Evitag NFC HSM for?

Evitag NFC HSM is for anyone who needs to secure their secrets in a convenient and reliable way. It is especially useful for private users who want to protect their online accounts, digital wallets, social media profiles and other sensitive information. Indeed, with Evitag NFC HSM, you can:

  • Manage and access your secrets easily without having to memorize or write them down.
  • Log in to your online accounts using the NFC HSM to display your password in volatile memory on your phone without leaving any trace of it.
  • Share your secrets with your friends or family in a secure and controlled way.
  • No risk in case of loss, theft or attempted compromise of the NFC HSM module locked to access with more than 9 trust criteria serving as a multifactor authentication system. Knowing that your secrets contained in the NFC HSM can be cloned, backed up in an encrypted way for later restoration in a new NFC HSM.
  • Benefit from a high level of security thanks to the physical and logical protection of the NFC HSM module encrypted in AES 256 with segmented key.
Bug Bounty Information

What was the Bug Bounty Express on Evitag NFC HSM at CONAND 2018?

The Bug Bounty Express on Evitag NFC HSM was a security challenge that consisted of detecting vulnerabilities on the product Evitag NFC HSM. The product included an Android application and an NFC electronic module. The challenge was to recover the login and password hosted inside an Evitag NFC HSM safe.

The Bug Bounty Express lasted for two days, from 10 am to 6:30 pm, on February 7 and 8, 2018. It was free and open to anyone who wanted to participate. It took place on the Fullsecure booth at the Congress Center of Andorra la Vella, where five Evitag NFC HSM devices were available for testing. Each device contained five labels, five login and five passwords, brute force enabled with administrator password and jamming enabled. One device was dedicated to physical brute force attacks (Tamper-proof).

Each participant had to register online and submit their vulnerability reports online. The material provided for testing included an oscilloscope, a NFC reader card for PC, a professional thermal sensor with thermal image capture, a WIFI router for creating a local network for the EVILOCK NFC function, and the Android application and the web plugins for Evitag NFC HSM.

The participant was free to use any type of material to carry out their attacks. The participant brought their material under their sole responsibility, such as computer, smartphone, measuring devices and/or radio frequency.

For physical brute force attacks, the participant had to bring their tools and/or physical attack solutions. However, tools and/or solutions that could harm the physical integrity of people were prohibited within the framework of the CONAND event. In the event that the participant wanted to carry out this type of test, they had to make an explicit and motivated request. The request accepted by Fullsecure, had to be carried out outside the framework of the event in a secure environment by the participant. At least one witness was present during the physical attack and was filmed by a person from Fullsecure.

In general, all brute force attacks were allowed, whether passive and/or intrusive.

What were the rewards for the Bug Bounty Express on Evitag NFC HSM at CONAND 2018?

The rewards for the Bug Bounty Express on Evitag NFC HSM were as follows:

  • For each vulnerability detected, the participant received a certificate of participation and a trophy with the name of the vulnerability and the name of the participant.
  • For the first vulnerability detected, the participant received a gift voucher of 100 euros.
  • For the second vulnerability detected, the participant received a gift voucher of 200 euros.
  • For the third vulnerability detected, the participant received a gift voucher of 300 euros.
  • For the fourth vulnerability detected, the participant received a gift voucher of 400 euros.
  • For the fifth vulnerability detected, the participant received a gift voucher of 500 euros.

The maximum amount of rewards per participant was 1500 euros. The rewards were cumulative and could be combined with other rewards offered by other partners of the event.


How to get Evitag NFC HSM?

Evitag NFC HSM is a product marketed in white label by Fullsecure, a company specialized in the distribution of IT security solutions. To learn more about Evitag NFC HSM or to place an order, you can contact Fullsecure at the following coordinates:

Send us a message

    How to join the Bug Bounty Express on Evitag NFC HSM?

    If you are interested in joining the Bug Bounty Express on Evitag NFC HSM, you can find more information about the challenge, the rules, the rewards and the registration process on the following link: Bug Bounty Express on Evitag NFC HSM. This is a great opportunity to test your skills, learn new techniques and earn incentives for finding vulnerabilities on this innovative product. Don’t miss this chance to join the cybersecurity community and contribute to making the digital world safer.

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.