Winning At DEF CON With No Time And No Tools

07 August 2017 by NIO


Las Vegas casinos famously don't have clocks. Combined with the blinking lights and auditory overload, it's an environment designed for hasty decisions. That's how four NIO security team members found themselves making the hazy choice to enter DEF CON's Capture the Flag competition at the Car Hacking Village.

The night before.

Capture the Flag events at DEF CON are slightly different from running through a field to grab a piece of cloth tied to a stick. They generally consist of a series of hacking challenges of increasing difficulty, spread across an array of systems.

At the Car Hacking Village, that covers nearly every component of modern and future vehicles. Wi-Fi, ECUs, infotainment systems, gateways, and a host of other access points have vulnerabilities waiting to be exploited.

With the amount of attention car-hacking has received over the past few years, the DEF CON faithful are paying attention. Of the 25,000+ attendees at this year's event, 75 teams entered the Car Hack Village Capture the Flag. Some prepared weeks ahead of time. Others, not so much.

The competition opened at 10:00 AM. Team NIO (aka "robamierdas") was immediately at a disadvantage. The decision to compete--at all, not just the night before--meant they didn't have tools. The team decided to split up, with two in the queue and another two running to the vendor area to find the necessary gear.

Calling it a "vendor area" is a bit generous. Think of it as two parts swap meet and one part scavenger hunt. The most difficult item to secure? Somehow, a Mini-USB cable, which forced Abe Chen, the director of product and information security at NIO, to offer $20 to anyone who had bought one on Amazon for $1.39.

The other disadvantage: team size. Most teams had the maximum number of members--six--to NIO's four. That gave other teams an additional two members to work on other tracks and on other, more difficult levels.

Top 10 Teams

Despite that, NIO held second place behind "SecDSM" for the first half of the event. Then team "MK" leapt ahead of NIO just as "SecDSM" rocketed from 3,500 to 6,300 points. NIO fought in the middle of the pack for over two hours until, at 4:19 PM, they jumped towards "SecDSM". At 6:52 PM, NIO was done, leading with 6,700 points to "SecDSM" at 6,600.

Final Stats:

Total Hours of Competition: 48
Total Hours of Sleep: 5


Team Highlights:

Javier Vazquez, Principal Security Engineer, noticed something odd on the Delphi infotainment screen. There was a glitch in the video. Javier pulled out his phone, recorded the video in slow motion, and then inspected each frame to find a binary of the image for decoding.

Veysel Ozer, Product Security Engineer, managed to solve a challenge that required doing donuts with an RC car. That was fun!

Henrik Ferdinand, Product Security Engineer, somehow managed to reverse engineer a security access algorithm and a radio code, and got a root shell on a head unit. Manually. In under 2 hrs.

Abe: Paying $20 for a $2 Mini USB cable and providing an uninterrupted supply of Monster Ultraviolet.