A group of WPI students has helped move the world one step closer to making the "Internet of Things" safer, combining talents in cyber- and embedded security to win a semester-long electronic Capture the Flag contest sponsored by MITRE Corp. The team was part of a competition that included Northeastern, Tufts, and UMass Amherst.
Graduate and undergraduate students from the Electrical and Computer Engineering, and Computer Science departments composed the WPI team, named “We’re Probably Insecure.” Christopher Byrne, Benjamin Chaney, Mert Erad, Abraham Fernandez, Michael Giancola, Nilesh Patel, Tanuj Sane, Caleb Stepanian, Tony (Tuan) Vu, and Andrew Weiler participated, with Vernam group member Thomas Eisenbarth as their faculty advisor.
The mix of technological backgrounds helped the team succeed in a challenge that required expertise in security and system design from low-level microcontrollers all the way to interaction with cloud servers, says Eisenbarth, who is also assistant professor in WPI’s ECE Department.
Cybersecurity is a rapidly growing market as computational power now goes into just about everything, from cars and running shoes to road signs and traffic signals, says Dan Walters, Digital/Micro HW engineer at MITRE Corp.
“When you’re putting the infrastructure online, it changes how we do security. Hackers are able to attack over the network and get physical access to the device,” he says.
Companies like MITRE develop ways to keep these devices secure, but have trouble finding the right talent, says Walters. Security is usually rooted in the computer science department while devices require hardware skills.
“We have a problem recruiting for entry level positions, because kids tend to come out of school either with skills in embedded development or cyber security, but not both. We’re looking for people who have skills on both sides and then training them to become stars in that area,” he says.
MITRE organized the eCTF competition for select area colleges and was pilot program to help find and nurture such talent, says Walters. Because of the way they structured the event, students with both types of skills had to work together to problem-solve.
The main target was a real physical embedded device, opening up the challenge to include physical/proximal access attacks. MITRE provided the requirements for the device: a scenario in which landlords renting out an apartment give their tenants a piece of equipment that lets them open a door electronically without a key. The device had to be encrypted so that the tenants couldn’t make copies or otherwise tamper with it to get back into the apartment after they moved out.
“At MITRE, we have to learn how to deal with these kinds of issues,” Walters says.
Unlike typical CTF events that last a day or two and just focus on cybersecurity, this one had two parts. First, the teams had to design a secure system lock system over a period of weeks. Then the teams had to attack and defend each other’s systems, learning from their experiences and making adjustments.
The competition was scored on three parts: offensive (breaking into the device), defensive (making your device secure), and creative (what improvements you would make).
“Our team did not build the most secure solution, but we were pretty good at breaking into other devices,” says Eisenbarth. “For one system, the team managed to get all the points available on the attack phase. We also got points for having creative solutions and for having a truly end-to-end encrypted system, which can be difficult on embedded devices,” he adds.
The WPI team won bragging rights for scoring highest in the competition but, more important, all the teams involved learned how important it is for CS and ECE to collaborate when it comes to embedded cybersecurity, says Walters.
With the success of this pilot competition, MITRE plans to roll out similar eCTF competitions with more colleges in the future.
- By Cate Prato