From Garage to Glory: The Rise of a $100K Automotive Capture the Flag Challenge

Season 1: The Humble Beginnings 

Our dream when we began crafting our initial Capture the Flag (CTF) challenges were simply to have fun while educating others about automotive cybersecurity. We had a 2021 Mustang Mach-e and we wanted to teach others how to sniff the CAN bus and send messages to control simple functions like radio volume, lights, and moving the windows. 

We demonstrated these techniques to a few customers, who thoroughly enjoyed the experience. Encouraged by their enthusiasm, we continued to create more fun challenges. Soon, we were hosting small hack-a-thon events and exclusive learning sessions for intimate audiences. One of our first events was enormously successful with the turnout from both the MSU cybersecurity club and half dozen of the MSU police. It was clear that there was a hunger to learn about vehicle cybersecurity from a variety of demographics!

We kept hosting similar local hack-a-thon events, like our Toy Drive Hack-a-thon, and we developed more and more challenges, combining them into small and intimate events with homemade pizza, automotive talks, and a car show of course. We ended up raising over $9,000 in donations to Alternatives for Girls (AFG) , a local Detroit non-profit.  

Within a year and a half, our small team developed a collection of 50 unique automotive challenges. 

This collection was eventually made public through Block Harbor’s platform, VSEC, we made some simple car hacking videos, and then we promoted the challenges as a public CTF, committing $5,000 in prizes. The response was hyped!! Word of mouth spread, and soon we had over 900 participants from around the globe—Asia, the Middle East, Europe, and North America—ending with more than 3,000 solutions. The excitement and engagement were overwhelming. 

This marked the beginning of Block Harbor’s Automotive CTF Season 1. 

Why We Do It 

Automotive cybersecurity is a challenging field to enter due to its relatively new existence, ambiguous pathways, and lack of formal entry points. Our mission with the CTF is to create a clear technical pathway into this industry, welcoming both seasoned veterans and newcomers alike. 

Watching participants engage with the challenges, displaying their competitive spirit, and learning through our tutorials and walkthroughs has been immensely rewarding and motivated, skilled, & knowledgeable individuals are essential for keeping vehicles safe and secure in this new era of mobility. 

Transforming the Narrative 

Beyond education, our initiative seeks to transform the often-negative narrative surrounding public researchers in the automotive industry. The industry today relies heavily on pentesting to ensure product security, but this method is constrained by budget and time. Embracing independent researchers and offering bug bounties can lead to more extensive and cost-effective testing. 

Engaging independent researchers, however, is a newer concept to automotive than cybersecurity itself. Our CTF aims to change that by showcasing the value these researchers can bring and driving interest in the community to realize fair compensation for their efforts. 

Closing Out Season 1 

As we wrapped up Season 1, we celebrated the achievements of our top participants. Congratulations to pwnalone for winning the $2,000 cash prize! With 855 participants and 3170 challenges solved, the competition was a resounding success and made Season 2 possible! The top ten winners received a range of exciting prizes, from cash awards to innovative tech gadgets.

Season 2: The Big League 

Building on the success of Season 1, Block Harbor’s CTF Season 2, in partnership with VicOne, is set to offer $100K (one-hundred-thousand dollars) in prizes! This significant prize pool is designed to attract both independent talent and industry professionals, providing a strong incentive to participate. 

The upcoming Season 2 will run from August 24 to September 8, 2024, shortly after the DEFCON Car Hacking Village. This season promises to be the largest and most accessible automotive CTF competition ever, drawing in new learners and seasoned hackers alike. 

Expanding Horizons: Blue Team Challenges 

While traditional CTFs often focus on offensive (red team) activities, we aim to broaden our audience by including blue team challenges as well. These defensive tasks will utilize tools like VicOne’s Vehicle Security Operation Center, providing a more comprehensive cybersecurity training experience. 

Preparing for the Challenge 

For those looking to sharpen their skills before Season 2, Block Harbor is hosting the Season 1 challenges in the Proving Grounds on our free platform, VSEC, which–alongside these challenges–offers walkthroughs to guide participants through previous tasks. Each week, we will be adding new Proving Grounds content in VSEC Learn, ensuring continuous learning and preparation. Proving Grounds challenges are available now!

Getting Involved

Right now, the Call For Challenges (CFC) is live! We are inviting the community to submit their creative ideas for future challenges.

Community and Feedback 

The feedback from Season 1 was incredible. Participants shared their experiences and solutions on social media, fostering a vibrant community of automotive cybersecurity enthusiasts. This engagement is a testament to the competition’s impact and the growing interest in this field. With over $100K in prize money, Season 2 is sure to be a blast so please feel free to continue sharing your experiences with the proving grounds challenges & walkthroughs and join us on our Discord channel for support!

Looking Forward to Season 2 

https://ctf.blockharbor.io/

Season 2 promises to be even more thrilling, with a prize pool twenty times larger than Season 1 and is the largest Automotive CTF prize pool to date. We are excited to see the best and brightest in the finals round, where team representatives will compete in Michigan for the ultimate challenge. With Season 2 confirmed, the countdown timer is live! 

 

Join us in making the future of mobility secure. Keep hacking, and we look forward to an epic competition in Season 2!