Hundreds of Students Dig into Embedded Security Competition

By Kay M. Upham

MITRE Cybersecurity Interns

Looking for a stealthy way to penetrate a system. Lurking behind an innocent function waiting for an opportunity. Using a decoy to distract defenders while teammates snag a flag.

Those sound like moves in a hot new video game. But they're actually educational—part of MITRE's embedded security Capture the Flag (eCTF) competitions that took place this past spring and summer.

"It's a great way for students to improve their skills in this field," says Drew Monroe, the lead organizer of the spring competition. "Not many colleges offer courses in embedded security. " Embedded security is a field of cybersecurity that protects embedded systems—the special-purpose electronic devices that are embedded in almost everything around us today.

He adds, "We run competitions to expose more students to, and excite students about, embedded security, but also to encourage schools to develop embedded security curriculum."

Keeping Your Tunes Safe

Now in its fifth year with a record high of 20 colleges and over 200 students participating, MITRE and Riverside Research designed the spring eCTF to give students hands-on experience in designing and penetrating embedded security systems in everyday devices.

The event—which took place entirely online with teams and individuals working remotely—lasted 14 weeks. This year's contest: design a music player that could play, pause, and stop audio output, with an option to add rewind and fast forward.

Besides the required functionality, teams had to develop security mechanisms to protect five "flags":

  • Region Lock: Prevent a song from playing on a player from a different region.
  • Custom Music: Prevent "illegally" acquired music from being played on the player.
  • Music Tamper: Prevent playing of tampered audio files.
  • Unauthorized Play: Prevent users who do not own songs from playing them.
  • Pin Extraction: Prevent the theft of user credentials.

During the design phase, teams could also capture "design flags" by meeting certain deadlines, including getting the reference design working, submitting design documents, and providing proof-of-concept support tools.

Ten teams submitted designs by the end of the competition including the Delaware Area Career Center, the first high school team to ever participate in a MITRE eCTF event.

The returning champions, Northeastern University, successfully defended its title, but there was a hotly contested battle for second and third. Cornell University, University of Cincinnati (UC), and University of Florida (UF), traded places several times during the attack phase. Cornell and UC ultimately edged out UF for second and third place.

The Drone Has My Package

An eight-week, smaller-scale summer eCTF began on June 17 and ended August 13. Four teams competed, which included 20 MITRE interns—ranging from high schoolers to graduate students—and another six Riverside Research interns.

The summer contest centered on designing and implementing a secure communications protocol for a fleet of delivery drones. The interns were tasked with adding security to a dynamic system, with drones entering and exiting the network and sending secure messages to one another in real time.

Like the spring competition, the designs also had to include several security mechanisms to protect the "flags":

  • Prevent attackers from recovering the content of the messages
  • Prevent manipulation of the content of messages
  • Prevent registering attackers' fake devices to the network
  • Prevent gaining code execution that could take over control of a drone

To pass into the attack phase, the teams had to meet all functionality requirements. Once in the attack

phase, teams could win attack points for compromising the security requirements of other teams’ designs and earn defensive points for having their own design’s secure requirements uncompromised.

Ben Janis, the lead organizer of the summer eCTF, noted that the pandemic forced MITRE to innovate in order to run the competition with interns working remotely. The competition framework was redesigned to enable "the use of hardware emulators for the first time—software that mimics hardware—on MITRE servers that teams could remotely access." This allowed the full participation of interns across the country to collaborate and compete.

Half the teams submitted designs and proceeded to the attack phase. "It was an impressive feat given the much shorter timeframe in the summer," he says. "It was great to see that both teams were able to pull off several successful attacks."

—by Kay M. Upham