Embedded systems are an essential piece of our modern world and they show up pretty much everywhere: in electronic devices, automobiles, cameras, vending machines, farm equipment, airplanes, and even in household appliances such as refrigerators, microwaves, and ovens.
With so many embedded systems in operation, there is an urgent need to secure them from bad actors, and that need is rapidly increasing. The estimated value of the embedded security market in 2022 was $8.23 billion and, according to Fortune Business Insights, that value will more than double to $17.03 billion by 2029.
Securing all these systems will require a whole lot of highly-skilled cybersecurity experts — certainly more than are currently available.
One organization helping to create those experts is MITRE, a nonprofit operating six federally funded research and development centers for the federal government as well as more than 200 independent labs to solve problems for a safer world.
Headquartered in McLean, Va., MITRE runs an annual Embedded Capture the Flag (eCTF) competition for university and high school students. Unlike other capture the flag competitions that focus solely on security, MITRE's focuses on electronic hardware and requires participants to engage in both offense and defense while trying to create a secure system. They then learn from their mistakes.
Some of the previous competitions required teams to design secure systems for a variety of devices, including an unmanned aerial vehicle package delivery system, a secure bootloader for a self-driving car, and a video game console.
This year, the task is to design and implement a key fob system for an automobile door lock. The system must not only function, but also protect the vehicle from unauthorized entry and prevent attacks such as replays and key fob cloning.
Participation is free to students and their faculty sponsors and MITRE provides all resources needed to complete the project; however, teams are permitted to purchase additional resources to aid them.
There are five phases to the competition. The first, registration starts in September when faculty sponsors enroll their team. The official kickoff is in mid-January (this year it was on Jan. 18), when MITRE e-mails the official rules and system requirements. Teams will also receive reference implementation, embedded hardware, and technical guidance.
The design phase begins as soon as the rules arrive, as teams quickly huddle up and scrutinize the rules and requirements. Other than being able to contact MITRE for clarification, the students are entirely on their own and responsible for choosing team leads and assigning crucial roles such as developers, project managers, and scribes who will document the entire process in an engineering book.
For the next six weeks after that, high school teams will meet outside of class time to work on their devices and in the process, take great pains to ensure their creations meet MITRE's minimum requirements while simultaneously working to identify and repair vulnerabilities in their system. The goal is to create a device that is functionable and secure.
College-level teams have an advantage in that their instructors have the option to make the eCTF into a semester course for college credit.
Once the design phase ends, all embedded firmware is sent digitally to MITRE organizers for evaluation and testing. Teams whose designs meet the competition's minimum system requirements are free to enter into the attack phase. Those who fail to achieve minimum requirements must continue working on their designs until they do.
During the eight-week Attack Phase, teams have access to one another's codes and work furiously to identify and exploit system vulnerabilities. Scoring is based on how many "flags" a team is able to retrieve from other devices and for how long their own design remains unbreached. Teams who enter the Attack Phase late are at a disadvantage, since they cannot earn points for defending their design or for attacking others.
Winning teams will receive cash prizes, publicity from MITRE and everlasting glory for their alma mater at an award ceremony in April.
Participation in eCTF, even for those who do not win, can be a big step forward for a student's education and career development by exposing them to learning, collaboration, and presentations that mimic the real-world experience of a cybersecurity job. Being a participant can also be beneficial for building their résumés and can open doors to potential internship and career opportunities.
Eli Cochran, Cybersecurity instructor for the Delaware Area Career Center (DACC) in Delaware, Ohio knows firsthand how eCTF benefits students. "The competition is an awesome event for students," Cochran said. "It's a great résumé builder showing your technical knowledge and the really important soft-skills of communication, collaboration and presentations.
"These kinds of soft skills are so important since most organizations have proprietary hardware and software. New employees coming in from the outside won't know it and employers really want employees who can do research and solve problems."
Prior to DACC's entry in 2020, eCTF was an all college competition. 2020 was also Cochran's first year teaching. "One of my students had heard about it from some college friends," Cochran said. "He suggested we compete and I thought it a great idea." MITRE also liked the idea of including a high school team and were excited to see how DACC would do.
DACC's 2020 team consisted of just three students and, because of the COVID-19 outbreak, each individual worked remotely while engaging in regular online collaborations. Impressively, they finished 10th out of 20 teams. The next year they added a fourth member and placed 3rd out of 28 teams. Cochran's kids finished strong again last year, 8th place, and have high hopes for 2023. "I've got some great students and they're gonna come hard," he said.
Ben Janis, a Senior Embedded Security Engineer with MITRE also assists with the competition and credits his original participation in eCTF when in college for setting him on his career course. "Being a part of the competition as a student left me with hands-on experience in embedded security and a deep appreciation and interest in the field.
"I realized that I could be a part of a new generation of engineers developing solutions to protect the microelectronics that run our modern world."
The popularity of MITRE's eCTF competition is growing rapidly. More than 400 students on 81 teams representing 78 schools (including 20 high schools) are enrolled this year. While most teams are from the US, there are also teams from the United Kingdom, the Netherlands, India and Singapore.
Two of Cochran's former students are further proof of the increased interest in eCTF. They went on to study at Michigan State University and Purdue University and they've both formed teams for the competition. "I'm really excited to see them do that. But I really want to see DACC's new team beat both of them," he said.