Embedded Security Challenge: Cyber Security Contests in the Embedded Computing Domain
Recently, we held a cyber security contest as part of the worldwide cyber security awareness week competitions spearheaded by the Tandon School of Engineering at New York University (NYU). Nicknamed CSAW (Cyber Security Awareness Week), the event was initiated by the team at NYU back in 2003 in the United States. Over the years, it evolved into concurrent regional events across the world – in India, in Europe, in Israel, in the Middle East, and in Africa. This usually happens during the last 3 days of the second week of November. Most regions hold final rounds of the events for the participants in their jurisdiction. In India, the event has been organized by the Indian Institute of Technology, Kanpur (IITK) for the last 3 years.
One of those events is the ‘Embedded Security Challenge (ESC)’, which is of interest to the readership of this journal. Every year, the challenge is released several months ahead of the November finals, and students from various universities are invited to participate. An international team led by NYU designs the challenge along with the regional ESC leaders. Once the problem is released, in the first phase, participants must analyze the problem and the challenge-specific hardware/software system, write a report on the kind of security vulnerabilities they expect to see in the system, the attack surfaces, and the threat models, and submit it for the first phase of selection. If selected, the competing teams receive the embedded system artefact on which the challenge is designed, in the form of boards such as an FPGA board, a Raspberry Pi board, or smart IoT devices. In the second phase, they must actually carry out the attacks and demonstrate the exploits.
After they submit their second report, the international committee selects the finalists, who are then invited to the regional centers (for example, US and Canadian finalists go to NYU, Indian participants go to IIT Kanpur for the finals, and the European participants go to Grenoble, France, etc.).
At the finals, expert regional panels of judges listen to short presentations by the finalist teams where the attack models are discussed, and upcoming demonstration expectations are set. Finally, the teams practically demonstrate the attacks to the judges and the finalists are selected.
This year, the problem was chosen from the domain of IoT security. Currently, we are starting to see wide deployment of IoT devices in industrial settings, in home and office automation, in agriculture, critical infrastructure, and many other domains. Therefore, it is quite relevant to pose a question about the enhanced security attack surface exposed by such deployments and to bring awareness about the cyber security threats created by them. Teams worked on showing how side channels, such as the chromatic variety of the light emitted by the smart bulbs, can be analyzed to exfiltrate information.
Last year, the contestants were given Raspberry Pi boards to implement OpenPLC – an open source programmable logic controller – and then find various ways of compromising security in a PLC, such as malicious inputs to mis-operate the PLC. In 2016, the problem given to the competitors was the implementation of OpenRISC on an FPGA board, and finding control flow integrity and memory corruption vulnerabilities and countermeasures.
NYU has been holding this particular ‘capture the chip’ competition for a while, whereas in India, we have been organizing this since 2016.
One might be curious as to why such competitions are important and are worth an article on this platform. Watching the enthusiastic students (albeit small in number) actually working on these problems at the nitty-gritty level of controllers, embedded processors, or smart devices, and finding minute details in which the seeds of attacks are hidden, I felt that this is an important exercise for the future workforce to gain knowledge in embedded security, and also to understand the subtle attack paths that might not be obvious at all.
Notwithstanding that embedded security researchers have been working on these for a long time now, it has not been mainstreamed as much as ‘capture the flag’ (CTF) type contests, where many young minds feel excited to find vulnerabilities in servers, databases, web services, and network stacks. Routinely, we have seen almost 50 teams participating in the CTF contests from India itself, whereas only 8 teams participated in the embedded systems challenge. However, what is encouraging is that the numbers are increasing year to year, and it is not only teams from top institutions that are participating; this time, we have had participation from state universities. In fact, this year, in the Indian regional CSAW, the best ESC award went to a state university – Cochin University of Science and Technology. This gives us hope that the mainstreaming of embedded systems hacking and protection is starting to happen.
I am therefore using this article to bring attention to the need for these kinds of events around the world, or maybe as parts of conferences, workshops, etc., so that more and more people get involved in security attack surface and vulnerability finding of embedded systems, IoTs, and critical infrastructure test beds. Surely, we will need workforce development along this line, and we surely need more research in embedded security.