Ural Federal University arranged the IT security competition "ruCTF" on April 17. It started at 9am in the Yeltsin center of the industrial city in the Ural federal district. 21 teams from Russia, Italy, Hungary and Germany had only nine hours to check services and devices of a fully networked household for vulnerabilities. They had to close them for their own smart homes, but also exploit them to attack the smart homes of the other teams. For this purpose, they all received their own "smart home" in the form of a laptop on the morning of the competition. It was connected to a network on which everybody had access and could use it to spy and attack.
"Basically, it's like a sport. The challenge is to find a solution faster than others - for an attack and the corresponding defensive measure," explains Oliver Schranz, PhD student at the Center for IT Security, Privacy and Accountability (CISPA).
The fun factor was increased because students could apply their knowledge from the lecture, Schranz says. The team is called "saarsec". The smaller task force for Russia consisted of Schranz, Jonas Bushart, Pascal Berrang, John Krupp, Markus Bauer, Frederik Moller and Jonas Cirotzki. Nevertheless, in the seven-member crew all education levels were represented, from third-semester computer science to four PhD students. "In this way we had specialists from different areas, ranging from home automation to attack programs to the art of encryption and decryption," Schranz says.
During the competition, he and his teammates had to attack and defend devices and services such as a cleaning robot, a networked refrigerator and a smart safe. Often, they could remotely read data sent while the devices were working. Thus, the students were able to infer shortcomings in IT security and verify them as vulnerabilities.
"You always have to think outside the box," explains Pascal Berrang, also a doctoral student at CISPA, "but to try out programs and functions in a new context is an essential requirement for working in IT security."
If the students discovered a security flaw, they fired their attack code against the services of the smart homes of the other groups. If they could hack the other system, they stole digital code snippets - so-called flags - similar to the capture-the-flag game played at camps. The more flags they stole, the higher they climbed in the ranking. Despite the fact that they are new to such tournaments, they made it to second place.
Schranz explains this unexpected success as follows: "Our equipment was very good. The software we developed found many vulnerabilities. That gave us a strong advantage."
Pascal Berrang identifies another success factor: "We are drilled to recognize simple vulnerabilities even in our sleep. And we all have a broad knowledge of IT security. There is no one who, for example, is not familiar with encryption."
###
Background: IT security at Saarland University
IT security is a core area of the computer science institutes on the campus of Saarland University. In 2011 the Federal Ministry of Education and Research (BMBF) appointed three competence centers for IT security. One of them is the Center for IT Security, Privacy and Accountability (CISPA) at the University of Saarland. After a first phase of funding with a total of around 5.6 million euros, CISPA is supported by the BMBF in the second phase with 16 million euros by 2019. Meanwhile, CISPA has become a research center with international visibility. 33 groups with 210 researchers are working there. Their biggest success so far: Together with the Max Planck Institute for Computer Science and the Max Planck Institute for Software Systems, CISPA won an "ERC Synergy Grant" from the European Research Council (ERC). This gave Michael Backes and three computer science professors about ten million euros to explore new ways to protect users against espionage and fraud on the Internet and expose perpetrators without restricting trade, the freedom of expression or access to information on the Internet.
Press photos: http://www.uni-saarland.de/pressefotos
Further information:
Questions can be directed to:
Oliver Schranz
Information Security and Cryptography
Center for IT Security, Privacy and Accountability
Phone: 681 302 57368 +49
Email: schranz@cs.uni-saarland.de
Pascal Berrang
Information Security and Cryptography
Center for IT Security, Privacy and Accountability
Phone: 681 302 57376 +49
Email: berrang@cs.uni-saarland.de
Editor:
Gordon Bolduan
Computer Science Competence Center Saarland
Phone: +49 681302-70741
Email: bolduan@mmci.uni-saarland.de