A team of students from the Department of Computer Science and Engineering at Texas A&M University recently placed fifth in the MITRE Corporation’s 2020 Embedded Capture the Flag (eCTF) competition.
They competed against 19 universities from across the nation and were the first to represent Texas A&M at an eCTF competition. The members of the team included Justin Metzinger (senior), Andrew Chin (senior) and Jonathan Saenz (junior). Dr. Martin Carlisle, professor of practice in the department, served as the team’s faculty advisor.
Beginning in January, the semester-long competition was designed to help students develop practical skills that can be applied to securing critical systems, such as medical devices, internet of things devices, smart grids and mobile devices. Unlike traditional capture the flag competitions, it focused on securing embedded devices, which are special purpose computers like iPods, Alexa and smart locks, and included a design and build phase in addition to the attack (hacking) phase, which made it a unique experience.
This year, participants were challenged to design a secure audio rights management module for a next-generation multimedia player on the Digital Cora z7, which is a small, low-powered computing device. During the attack phase, the system had to be able to prevent the other teams from using the player to play pirated music, creating a clone of the player for use in another region, playing audio files that have been tampered with, playing illegally acquired music and stealing the user’s credentials from the device.
In their design, the team came up with a scheme for encrypting the data that would run fast enough to meet the timing constraints of the device, and also protect the songs on the player from being played by unauthorized users. To ensure that the songs could not be maliciously tampered with, they used a cryptographic hash function, which is an algorithm used to verify if a piece of data has been changed. The team stored a cryptographic function of the password of the device, instead of the password itself, to protect it from being extracted.
During the attack phase, the Texas A&M team had the greatest success in creating corrupted songs that would still play on the other teams’ devices.
"I will cherish and remember this competition for years to come because of the knowledge and security-minded perspective gained,” said Saenz. “Although it was challenging, it was one of the most rewarding experiences that allowed me to see how the different skills gained from my courses at Texas A&M can play a major role in the security field."
The competition ended with a virtual awards ceremony in May.