Microcorruption Security CTF

Matasano Security, who are world-renowned experts in information security and vulnerability analysis, recently released a Capture the Flag contest, where you assume the role of a hacker and attempt to break a series of physical warehouse locks controlled by microcontrollers, all by using reverse engineering.

I’m a sucker for reverse engineering games (for my own enjoyment only!). I recently got so frustrated with a “real-life treasure hunt” tablet game on iOS and Android that I spent countless hours breaking it with IDA Pro — which was a lot more fun than actually playing the game.

The Matasano Security CTF game, called microcorruption.com, is more than just fun, though. It serves as a reminder that the embedded devices that surround us, from office key cards to smart toys, wearable electronics and of course the ever-present smartphones, may have vulnerabilities that can lead to some pretty serious problems.

Here’s how the game works: You get access to a lock device, the disassembly of its code, and a low-level debugger and assembler. It’s all virtual of course, and you interact with it all via a simple web interface:

[Image: the Microcorruption live debugger]

At each level, you’ll get a simple input that, owing to some C software bug, can be used to break the lock. You’ll use the debugger to reverse-engineer the target, find the input, and then deliver it to a “production” instance to beat the level.

You’ll face a series of revisions of the target, starting from “comically broken” and proceeding vendor-fix by vendor-fix through basic memory corruption, stack overflows, randomization, memory protection schemes, allocator vulnerabilities, and DRM-style software protection.

The game of course keeps track of your progress on a hacker-esque world map:

[Image: the Microcorruption world map]

So far, I have broken 10 locks and have had to resort to many different kinds of buffer overflow tactics, injected hand-written assembly code and exploited undocumented features that I discovered simply by trying to anticipate how the device was designed. I’ve felt an immense sense of accomplishment as I owned each lock. In one sense, it gets harder with each lock because the difficulty level is ramped up (it’s a game after all). But in another sense, it gets easier because you begin to know what to look for and your brain automatically starts devising evil plans for world domination.

But it’s not just fun and games. The code in each of the locks looks exactly like I would expect code in a “smart lock” to look, and the vulnerabilities are obscure. And that’s of course because this kind of code is written by people like you and me. We try to use appropriate patterns and cover all the bases, but under pressure from tight deadlines and budget constraints we inevitably leave unintended cracks in the code. And so the last line of defense becomes security through obscurity, and that never ever works in real life — because real-life hackers have more free time on their hands than you can even begin to imagine (especially if you have three kids).

In a web application, a bug usually means that a user can’t sign in or occasionally gets the wrong price quoted. It’s typically not that big of a deal, and it’s usually easy to investigate and fix. But in embedded systems, the consequences can be far more serious and much harder to remedy.

Imagine someone being able not just to circumvent your office key card locks by simply entering a series of digits on a keypad, but also to record employees’ data. Or take control of hospital devices that dispense medicine. Or continuously send your biometric wrist bracelet’s GPS coordinates to China. And so on.

The devices that surround us are prone to vulnerabilities that can have serious consequences. The more developers know about how devices work and how they can be exploited, the further along the road to better and more secure code we are. So sign up on microcorruption.com and capture the flag!