Embedded Capture the Flag Competition
The Embedded Capture the Flag (eCTF) Competition is an attack-and-defend exercise for designing secure embedded systems
The Embedded Capture the Flag (eCTF) is an embedded security competition run by MITRE that puts participants through the experience of trying to create a secure system and then learning from their mistakes. The main target is a real physical embedded device, which opens the scope of the challenge to include physical/proximal access attacks. The eCTF is a two-phase competition with attack and defense components. In the first phase, competitors design and implement a secure system based on a set of challenge requirements. The second phase involves analyzing and attacking the other teams’ designs.
The 2024 eCTF is underway! Teams will design and implement a supply chain security solution for microcontrollers on a medical device. The system must securely verify the device integrity while keeping sensitive data confidential.
Countdown to Handoff
See our NICE K-12 Conference Talk
We presented at the 2022 NICE K-12 Conference about the eCTF and how the first and most successful high school team Delaware Area Career Center used the eCTF in their program.
How is the eCTF different from other competitions?
The eCTF is unique in three major ways. First, the focus is on securing embedded systems, which presents a new set of challenges and security issues that are not currently covered by traditional “online” CTFs. Second, unlike the standard attack-only CTF, the eCTF balances offense and defense by including design, build, and attack components. Finally, the eCTF runs over the majority of the spring semester through three phases, allowing time for development and for advanced attacks during the Attack Phase.
Focus on Embedded
Attack / Defend
Past eCTF Competitions
Teams designed and implemented a secure key fob system for a car door lock. The system had to protect the car from unauthorized entry and prevent attacks like replays and key fob cloning.
Teams designed a secure communications system for an unmanned aerial vehicle (UAV) package delivery system. The system had to be secure to prevent attackers from gaining access to the network to spy on and disrupt the UAV system.
Teams designed a secure audio digital rights management (DRM) module for a next-generation multimedia player on the Digilent Cora Z7. The system had to be secure to prevent users from playing pirated music, support region locking, and prevent the creation of cloned bootleg players.
Teams designed a secure video game console on the Digilent Arty Z7. The system had to attempt to protect the intellectual property of game designers, prevent users from loading their own software, and allow verified users to install and play games that they have purchased.
Teams were tasked with designing a modern chip-and-PIN ATM system. Teams had to design and implement the firmware, software, and protocols for the ATM card, the ATM, and the Bank Server to support secure cash withdrawals.
Amrita Vishwa Vidyapeetham University • Baldwin Wallace University • Boston University • Carnegie Mellon University • Cornell University • Dakota State University • Delaware Area Career Center • Florida International University • Florida State University • George Mason University • Indiana Institute of Technology • Massachusetts Institute of Technology • Michigan State University • Morgan State University • Norfolk State University • Northeastern University • Nova Southeastern University • Purdue University • Rensselaer Polytechnic Institute • Rochester Institute of Technology • Singapore Management University • Syracuse University • Texas A&M University • The Ohio State University • Tufts University • University at Buffalo • University of Alabama in Huntsville • University of California Irvine • University of Cincinnati • University of Colorado Boulder • University of Connecticut • University of Dayton • University of Florida • University of Illinois at Urbana-Champaign • University of Maryland College Park • University of Massachusetts Amherst • University of Massachusetts Lowell • University of Nebraska Omaha • University of New Hampshire • University of Pennsylvania • University of Texas at Dallas • University of Wyoming • Virginia State University • Virginia Tech • Worcester Polytechnic Institute
Interested in getting involved as a sponsor?
For the first time, the eCTF is accepting commercial sponsorships through MITRE Engenuity. See the MITRE Engenuity site below or email us at email@example.com for more information.
This CTF, although really hard, was extremely fun… [It] motivated me to dive in deeper and work that much harder to get better as an engineer. The MITRE staff was AMAZING! Thank you for this opportunity
-2021 eCTF Competitor
Navigating the intricacies of securing an embedded device was a fun and new experience. Overall, my experience with the eCTF has led me to consider pursuing embedded system security as a focus area / career.
-2022 eCTF Competitor
I had no security experience prior to this competition. The learning curve was HUGE and I LOVED that! I was forced to learn so much. I loved doing the research, designing and implementing the secure system, and reviewing and attacking other teams’ designs. It was a blast!
-2021 eCTF Competitor
Its a really fun challenge to think about, and putting it in a competition really gave me motivation to learn the skills I needed to learn, even if our team didn’t win, I ended up learning a lot of things that will be useful in the future.
I thought it was a great learning experience for practical applications especially embedded CTF. It was a great CTF topic this year since I really enjoy learning about bootloaders and boot secure devices and development.
-2022 eCTF Competitor
[I enjoyed] learning about how Embedded Security works and how to analyze secure systems vs unsecure systems and learning about the basics of bootloader management and designing a secure bootloader for a secure firmware/application management.
-2022 eCTF Competitor
Thanks so much for the time spent to host an awesome competition, and especially one that works as a capstone opportunity. Making the timeline roughly match the university semester meant I was able to use this for class and engage with it more thoroughly than I would have been able to if it was just a time-intensive extracurricular activity.
-2022 eCTF Competitor
This competition exposed an entirely new side of cybersecurity to me as a Computer Science major… [It] was a great learning experience and got me interested in lower-level security
-2021 eCTF Competitor
Frequently Asked Questions
Who can participate?
Anyone! The eCTF is open to all US citizens 13 or older and most non-US citizens 18 or older (see the participant agreement for all eligiblilty information and exceptions). Students at all academic levels are welcome to participate. Team sizes are unlimited (although a minimum of 3 students is recommended). Sponsorship of a teacher or faculty member to act as a team advisor is required.
However, to be eligible for prizes, students must be US Citizens as of the start of the competition.
Please see the 2024 eCTF Participant Agreement for full terms and conditions.
What does MITRE provide to help?
MITRE provides teams with a reference implementation, embedded hardware (and/or hardware emulator), and technical guidance.
Does the eCTF cost anything?
Participation in the eCTF is entirely free. MITRE will provide the resources to complete the competition including one set of development boards per team, however teams may choose to purchase additional resources to aid with development or attacking.
Are there awards?
Winning teams receive a cash prize, publicity from MITRE, and typically earn accolades from their university as well. The prize amount for 2023 will be announced at the kickoff, though the 2022 eCTF awarded $5,000 in prizes. Students have used their participation in eCTF to build resumes, present at conferences, and open the door to valuable internship and career opportunities, including engineering positions at MITRE and Riverside Research.
Can I earn college credits?
Most students can earn college credit. Work with your professor(s) / faculty advisor to determine how to earn credit at your institution. Remember that this is a significant time commitment, typically commensurate with the credit hours you may receive. An example syllabus is available from the eCTF organizers upon request.
What level of experience is required to compete?
We encourage teams of all levels of experience to compete in the eCTF and aim to make the eCTF accessible to students new to security and embedded systems. We do recommend an understanding of development in C and Python, as the reference design will be implmented in those languages.
However, while the competition may be approachable, the depth of embedded systems enables teams with more experience to attempt more advanced countermeasures and attacks, providing an engaging experience for students of all levels of experience.
How do I sign up?
When team registration opens in September, work with your faculty advisor to fill out this form.
Individual competitor regitration will open in December.
Do I need to travel for the competition?
The competition can be done 100% remotely. MITRE will provide teams with hardware and/or servers to develop and compete on. Once teams have a completed design, they submit the code to MITRE for testing and MITRE will ensure that all challenge requirements are met. Once this verification process is completed, your implementation (source code and protected binaries) will be provided to all of the attacking teams.
After the competition concludes, MITRE hosts an award ceremony in April where teams are invited to share in their accomplishments, meet participants from other schools, interact with MITRE staff, and see the final standings revealed! Prior to COVID, this award ceremony was in-person at MITRE in Bedford, MA, but has been a virtual event for the past 3 years. Plans for the 2023 award ceremony will be announced at kick-off in January 2023.
Can students who are MITRE employees compete?
Yes! Current and former MITRE employees frequently compete in the eCTF. To ensure fairness, competitors who are MITRE employees will have no additional access to the organizers or any internal eCTF resources and will be treated the same as any other competitor.
Can international students or teams compete?
We welcome international students and teams to compete except for students under 18 and students and institutions from Quebec, Russia, Crimea, Cuba, Iran, Syria, North Korea, and Sudan. However, prize money can only be distributed to US citizens atending US-based institutions.
Can high school teams compete?
Please contact the eCTF team at firstname.lastname@example.org
MITRE is a not-for-profit organization that operates research and development centers sponsored by the federal government. MITRE works with industry and academia to apply science, technology, and systems engineering that enables the government and the private sector to make better decisions. Learn more at www.mitre.org