Hackers Contest
Wibu-Systems has been organizing hackers' contests for many years to prove the strength of its protection and security technologies. By involving hackers early on in the process and letting the door open even to countries like Russia and China known to have the highest piracy rates in the world, we prove that our products represent the pinnacle of secure licensing and intellectual property protection.
And the result is: No contestant has ever succeeded in cracking the sample application protected by CodeMeter. Customers can stay reassured that Wibu-Systems does not just enforce high quality standards of its own, but is also taking the necessary steps to have hackers, crackers, and pirates test its technology first hand before it is commercialized.
Global Hackers' Contest 2017
To test the validity and strength of the newly patented encryption method Blurry Box, integrated with the anti-debug and obfuscation methods of CodeMeter Protection Suite, we launched a new contest, open to all hackers around the globe. The underlying principle of Blurry Box is the exact opposite of “security through obscurity”; based on Kerckhoffs’ Principle, Blurry Box cryptography uses published methods that greatly increase the complexity and time required for an attack to be successful.
The contenders were delivered a game application protected with Blurry Box cryptography that came with its license stored in a CmDongle. Between May 15th and June 2nd, they were requested to hack the protected game and prove they could run it without the provided dongle and without any Internet connection to a jury consisting of IT security scientists and independent from the challenge partners (Wibu-Systems, Karlsruhe Institute of Technology, and FZI ResearchCenter for Information Technology).
None of the 315 international contendants managed to send in a full crack of the encryption scheme. The only two exploits that were received were found to be incomplete: They simulated a record playback attack that did not lead to any valid result or playable game. The two participants who submitted their partial solution received a volunteer award of €1,000 each. The remaining €48,000 of the original prize at stake will go towards further research and development.
Hackers' Contest 2011 in Russia
Between November 23rd to December 8th, 2011, we challenged Russian hackers. We offered 20,000 Euro, which would be rewarded to anyone who could crack CodeMeter's protection system. Access to the application needed to be obtained without the use of a debugger. If a debugger was detected, the CmStick would lock the licensed software and stop it from being accessed any longer.
CodeMeter once again proved its comprehensive abilities for protecting software. Not one of the 144 participants was able to crack the CodeMeter protected sample application. Our distribution partner in Russia – Rainbow Security – was thoroughly excited by the results, especially when considering the number of encryption experts native to Russia.
The bottom line: CodeMeter was successful again.
CodeMeter was not cracked and not even partial solutions were attained.
Hackers' Contest 2010 in China
All China-based contestants registered for the hackers' contest 2010 had a chance of winning the prize of 100,000 RMB. The Chinese competition started on October 20, 2010 and ended on November 19, 2010. The challenge was to crack the protected contest application to run without the CmStick protecting it. Operating a contest under real-world conditions meant that the hackers would have access to the protection hardware. For this reason, each contestant received a CmStick.
The bottom line: CodeMeter was successful again.
CodeMeter was not cracked and not even partial solutions were attained.
Hackers' Contest 2007
Unbeaten for the fourth time
No protection system can be 100% secure, but we will not stop fighting back. In the past, we have organized competitions at Wibu-Systems to test the security of our products. These competitions put a protected program up for cracking and revealed that the protection could not be cracked and the application could not be made to run without the matching license in the WibuBox. This practical test is serious and relevant for software manufacturers who want to publish protected software for free download from their websites.
In our hackers' contest 2007, we went one step further. Not only did the participants receive the protected application, but also a CmDongle with the corresponding license. Over a thousand contestants entered the competition with a prize money worth US$ 40,000.
The Challenge
To win the contest the participants had to manipulate the software protected by CodeMeter to run without the CmDongle.
The two functions of the competition:
- A program only executable with CmDongle
- Function 1: Feature bit set in the CmDongle -> run
- Function 2: Feature bit not set in the CmDongle
- Both functions revealed a password
Challenge:
- To find out the two passwords
- To make the program completely executable without the CmDongle
- To email the solution and the cracked program to Wibu-Systems
Contestants
1092 contestants from 27 countries entered the contest and had up to six weeks to remove the copy protection and claim the attractive reward. Most contestants came from Germany, followed by China, USA, the Netherlands, Poland, Hungary, France, Great Britain, and the Ukraine.
Results
Although the challenge was theoretically solvable, none of the contestants could fully remove the protection. Most of the contestants fell into the trap of trying to by-pass intruder detection and had their license locked on the CmStick. The only remaining option was to use brute force attacks to decrypt the code. The chance of breaking the 128-bit AES encryption was practically zero.
- No one succeeded completely
- No attack against the encryption was recorded
- No attack against the hardware or manipulation of the Feature Map was recorded
Other contestants stumbled at other hurdles. The contest did produce some excellent partial solutions, which won the contestants prizes worth between 500 and 2,000 Euro. Hackers or crackers follow different paths to developers, and the partial solutions represented important input for Wibu-Systems. The partial winners discovered some previously undetected weaknesses in the system. Discovering these vulnerabilities allowed Wibu-Systems to strengthen its security capabilities.
- Partial solutions
- Partial memory dump
- Partial record/playback approach
- Partial solutions awarded with prizes worth 16,000 Euro
The Bottom Line
No security system is 100% secure, but a high level of security can be achieved with:
- Secure Hardware: CmDongles provide secure key storage and strong encryption in a smart card chip. The CodeMeter system includes crack detection to lock the license key.
- Secure Integration Technology: The code and resources of the protected application are never fully decrypted in the main memory of the PC. Variable encryption, anti-debugging, and obfuscation technologies as well as tools to individually integrate the source code are used to further increase security.