30. May 2016

Cleaning robot hacked, fridge defended: Saarland University makes second place in international hacking competitions



Several times a year, computer science students from all over the world meet online or in real life to form teams and, in a competition lasting several hours, determine which team is fastest not only at finding and exploiting security vulnerabilities but also at fixing them. During the IT-security competition “ruCTF” in Yekaterinburg, Russia, Saarland University Computer Science students impressively defended their smart home while attacking their competitors’ homes. Of 150 competitors, only a Russian student team was better than the computer scientists from Saarland University, who not only left their German competition behind but were also the best European team.

This year, the Ural Federal University held the IT-security competition “ruCTF” on April 17th. The competition began at 9 a.m. in the Yeltsin center in the industrial city of Yekaterinburg in the Ural Mountains. There, the 21 teams from Russia, Italy, Hungary and Germany had only 9 hours to test several services and devices of a completely interconnected home for security vulnerabilities. To do this, each team got their own virtual “smart home” on a laptop connected to a network that could be used by all teams for attacks. To defend their own “smart home”, the teams had to fix the vulnerabilities they found while at the same time using them to attack other teams.

The computer science students from Saarbrücken had already qualified for the competition in Russia in November last year, when they took third place in an international tournament held online.

“It is basically a kind of sport. The challenge is to more quickly find a solution – for an attack as well as for the corresponding defense”, Oliver Schranz, PhD student at the Center for IT-Security, Privacy and Accountability (CISPA) in Saarbrücken explains. According to Schranz, part of the appeal of such a competition lies in the fact that it gives students an opportunity to use in practice the knowledge they gained from lectures. The students’ team is called “saarsec”. The part of the team that made up the squad for Russia consisted of Oliver Schranz, Jonas Bushart, Pascal Berrang, Johannes Krupp, Markus Bauer, Frederik Möllers and Jonas Cirotzki. Despite the smaller number of team members, all educational levels were represented, starting from a third semester computer science student up to four PhD students. “This way, we have specialists for different areas in our team, beginning with home automation over attacks up to the art of en- and decryption”, Schranz explains.

During the competition, the computer science students had to attack as well as defend devices and services like a cleaning robot, an interconnected fridge or an intelligent safe. It was often possible to remotely read out data that were sent during operation. From these data, the students could infer and check potential security vulnerabilities. It also turned out that the encryption mechanisms used in the smart home were often flawed so that the encryption could be broken. In some rare cases, the websites belonging to the offered services were also completely unencrypted.

“You have to think outside the box”, Pascal Berrang, another PhD student at CISPA explains, “without this mentality and without testing programs and functions in a context that they were not intended for, you will not get far in IT-security.”

As soon as the computer science students found a security vulnerability, they used it to permanently attack the services of other teams. If they managed to remain unnoticed while hacking into a system this way, they stole a digital code snippet called a flag. The more flags they had, the higher they were ranked. This way, the computer scientists from Saarbrücken managed to take second place, despite the fact that they only started participating in such tournaments 18 months ago. Schranz explains their success as follows: “Our equipment was very good. The programs we developed found many security vulnerabilities and gave us a great advantage over other teams.” Pascal Berrang thinks that the education at Saarland University was fundamental for their success, as well: “We are trained to be able to find simple errors blindfolded. Also, we have a very wide range of knowledge. For example, everybody here is well versed in encryption mechanisms.” The saarsec team plans to participate in the next competition at the end of the year. The trophy from Russia, meanwhile, already has a place of honor in the foyer of the CISPA building that was officially opened in April.

Background: IT-Security at Saarland University

IT-Security is one of the key research areas of the computer science institutes located at Saarland University, as shown by the “Consolidator Grants” of the European Research Council (ERC) that were recently awarded to the researchers Derek Dreyer (Max-Planck-Institute for Software Systems) and Professor Bernd Finkbeiner (department of Computer Science at Saarland University). For four years and 8.4 million Euro, the German research foundation also sponsors a special research field called “Methods and Tools for Understanding and Controlling Privacy” at Saarland University. In 2011, the German Federal Ministry of Education and Research founded three competence centers for IT-Security for 17 million euros.
The Center for IT-Security, Privacy, and Accountability (short: CISPA) at Saarland University is one of them. As of today, CISPA has become one of Europe’s leading research sites for IT-security with more than 200 researchers working in IT-security and related fields.
The biggest success to date was the “ERC Synergy Grant” that has been awarded to the CISPA together with the Max-Planck-Institute for Informatics and the Max-Planck-Institute for Software Systems. The three institutes received ten million Euro to research how to protect users against eavesdropping and fraud and how to identify suspects without restricting trades, freedom of speech and access to information on the internet.

Further Information: saarSec

Press Photos: uni-saarland.de/pressefotos

Questions are answered by:

Oliver Schranz
Saarland University
Center for IT-Security, Privacy and Accountability (CISPA)
Tel.: +49(0)681 / 302-57368
E-Mail: schranz (ät) cs.uni-saarland.de

Pascal Berrang
Saarland University
Center for IT-Security, Privacy and Accountability (CISPA)
Tel.: +49(0)681 / 302-57376
E-Mail: berrang (ät) cs.uni-saarland.de

Press Contact:

Gordon Bolduan
Kompetenzzentrum Informatik Saarland
Tel.: +49 681 302-70741
E-Mail: bolduan (ät) mmci.uni-saarland.de