WPI Takes Top Honors at MITRE Embedded Capture the Flag Competition

June 1, 2016

It's said in police work that the best detectives are the ones who can think like criminals. And by extension, the best computer security professionals would make great hackers.

"It's a very desirable skill set," said MITRE's Erin Wirch, a senior software systems engineer. As technology takes a deeper hold in our lives, it's critical that we know how to harden everyday items—such as cell phones, computers, baby monitors, and automobiles—against these efforts.

Wirch was part of the team that organized an Embedded Capture the Flag (eCTF) competition at MITRE's Bedford, Mass., campus. The event pitted security designers against hackers among teams from Worcester Polytechnic Institute (WPI), Northeastern University, Tufts University, and the University of Massachusetts Amherst.

The semester-long competition required each team to assume the role of defender and attacker. It began with each team documenting its effort to design and program a secure electronic lock. Then MITRE staff collected the locks and redistributed them among the teams. Each team had to hack the others' locks and keep track of what they learned. Judges scored the teams based on predefined accomplishments.

Team "We're Probably Insecure" from WPI claimed the trophy. Prof. Thomas Eisenbarth led the team as its faculty adviser, and team members included Christopher Byrne, Mert Erad, Abraham Fernandez, Nilesh Patel, Andrew Weiler, Benjamin Chaney, Michael Giancola, Tanuj Sane, Tony (Tuan) Vu, and senior Caleb Stepanian, who is also a MITRE intern.

Byrne said the team gained an important advantage in the "attack" segment of the competition. The competing team had left its SSL (Secure Sockets Layer) certificate on the device, which provided key information to the hackers.

At the April 15 awards ceremony, keynote speaker Jay Schnitzer, MITRE's Chief Technology Officer, thanked the competitors "for donating your brain power to the competition. We learn so much from how you approach these problems, plus we get inspired by your enthusiasm and innovative ideas."

Dan Walters, embedded security engineer and leader of MITRE's eCTF initiative, said events like Capture the Flag competitions support MITRE's outreach effort to area colleges and universities. Most Capture the Flag competitions are web-based. This makes them scalable to include global participants, if the organizers wish. MITRE's recent event was small by comparison. But it was also unique, because it involved physical devices and embedded technology. That drastically expands the scope of the competition to include a wide array of embedded-specific security threats.

"This was an experiment to see where the bottlenecks are, so we can tweak it and open it up to more participants in the future," he said. "I'd love to see more embedded-focused CTF competitions to help teach these important skills, and I think MITRE can lead the way."
