Hundreds of Students Dig into Embedded Security Competition

Jan 25, 2021

By Kay M. Upham

MITRE Cybersecurity Interns

Looking for a stealthy way to penetrate a system. Lurking behind an innocent function waiting for an opportunity. Using a decoy to distract defenders while teammates snag a flag.

Those sound like moves in a hot new video game. But they're actually educational—part of MITRE's embedded security Capture the Flag (eCTF) competitions that took place this past spring and summer.

"It's a great way for students to improve their skills in this field," says Drew Monroe, the lead organizer of the spring competition. "Not many colleges offer courses in embedded security. " Embedded security is a field of cybersecurity that protects embedded systems—the special-purpose electronic devices that are embedded in almost everything around us today.

He adds, "We run competitions to expose more students to, and excite students about, embedded security, but also to encourage schools to develop embedded security curriculum."

Keeping Your Tunes Safe

Now in its fifth year with a record high of 20 colleges and over 200 students participating, MITRE and Riverside Research designed the spring eCTF to give students hands-on experience in designing and penetrating embedded security systems in everyday devices.

The event—which took place entirely online with teams and individuals working remotely—lasted 14 weeks. This year's contest: design a music player that could play, pause, and stop audio output, with an option to add rewind and fast forward.

Besides the required functionality, teams had to develop security mechanisms to protect five "flags":

Region Lock: Prevent a song from playing on a player from a different region.
Custom Music: Prevent "illegally" acquired music from being played on the player.
Music Tamper: Prevent playing of tampered audio files.
Unauthorized Play: Prevent users who do not own songs from playing them.
Pin Extraction: Prevent the theft of user credentials.

During the design phase, teams could also capture "design flags" by meeting certain deadlines, including getting the reference design working, submitting design documents, and providing proof-of-concept support tools.

Ten teams submitted designs by the end of the competition including the Delaware Area Career Center, the first high school team to ever participate in a MITRE eCTF event.

The returning champions, Northeastern University, successfully defended its title, but there was a hotly contested battle for second and third. Cornell University, University of Cincinnati (UC), and University of Florida (UF), traded places several times during the attack phase. Cornell and UC ultimately edged out UF for second and third place.

The Drone Has My Package

An eight-week, smaller-scale summer eCTF began on June 17 and ended August 13. Four teams competed, which included 20 MITRE interns—ranging from high schoolers to graduate students—and another six Riverside Research interns.

The summer contest centered on designing and implementing a secure communications protocol for a fleet of delivery drones. The interns were tasked with adding security to a dynamic system, with drones entering and exiting the network and sending secure messages to one another in real time.

Like the spring competition, the designs also had to include several security mechanisms to protect the "flags":

Prevent attackers from recovering the content of the messages
Prevent manipulation of the content of messages
Prevent registering attackers' fake devices to the network
Prevent gaining code execution that could take over control of a drone

To pass into the attack phase, the teams had to meet all functionality requirements. Once in the attack

phase, teams could win attack points for compromising the security requirements of other teams’ designs and earn defensive points for having their own design’s secure requirements uncompromised.

Ben Janis, the lead organizer of the summer eCTF, noted that the pandemic forced MITRE to innovate in order to run the competition with interns working remotely. The competition framework was redesigned to enable "the use of hardware emulators for the first time—software that mimics hardware—on MITRE servers that teams could remotely access." This allowed the full participation of interns across the country to collaborate and compete.

Half the teams submitted designs and proceeded to the attack phase. "It was an impressive feat given the much shorter timeframe in the summer," he says. "It was great to see that both teams were able to pull off several successful attacks."

—by Kay M. Upham

Giving Students Exposure to a New Side of Cybersecurity

Feedback in the anonymous post-event surveys was overwhelmingly positive.

"This eCTF, although really hard, was extremely fun. The whole competition felt as if I was way in over my head, but it’s motivated me to dive in deeper and work that much harder to get better as an engineer. The MITRE staff was AMAZING! Thank you for this opportunity."

"This competition exposed an entirely new side of cybersecurity to me as a computer science major. Before this competition, I had absolutely no experience with programmable logic. The design phase of this competition was a great learning experience and got me interested in lower-level security, especially since I had never considered hardware attacks in our design."

"This eCTF was my first experience with embedded security—I'm really glad I got to participate! It definitely made me interested in pursuing embedded security as a career path."

Interested in becoming a MITRE intern? View our job openings or learn about our student programs.