Automotive CTF 2024 recently concluded, with the winners crossing the finish line in style during the award ceremony at the 8th Annual Auto-ISAC Cybersecurity Summit on Oct. 23 at the MGM Grand Detroit, Michigan.
Figure 1. The finalists, along with executives from VicOne and Block Harbor, during the awarding ceremony in Detroit
Organized by VicOne, an automotive cybersecurity solutions leader, and Block Harbor, a trusted cybersecurity engineering company, this year’s high-stakes global CTF (capture the flag) competition aimed to hone the skills of cybersecurity professionals at all experience levels while also providing an entry point for beginners into the automotive cybersecurity field.
Automotive CTF 2024 winners
Out of the 546 teams from around the world that competed in the qualifying round since August, six teams — including the winners from the inaugural Automotive CTF Japan — advanced to the global finals, held on Oct. 21 at Newlab, Detroit’s premier technology and cultural hub. These elite groups are the crème de la crème, the best of the best in the world at solving real-world cybersecurity attacks. It was a final showdown like no other.
With 8,000 points and 15 out of 20 challenges solved, Team greaterthan was crowned the Automotive CTF 2024 champions. The winning duo, Greg Hogan from the US and Robbe Derks from Belgium, walked away with US$35,000 and priceless bragging rights.
| Rank | Team | Score |
|---|---|---|
| 1 | greaterthan | 8,000 |
| 2 | ierae | 5,400 |
| 3 | JJJJJ | 3,400 |
| 4 | TeamONE | 2,800 |
| 5 | NRC_0x33 | 2,600 |
| 6 | notAlone | 200 |
Table 1. The final ranking of the global finalists of Automotive CTF 2024
Team ierae, the winners from Automotive CTF Japan, secured second place with 5,400 points and a US$15,000 cash prize. Team JJJJJ from South Korea rounded out the podium in third place with 3,400 points, earning US$7,500.
More complex challenges
Of the 20 challenges in the global finals, two remained unsolved within the given 8-hour window: “the NFCed” and “I Sniff Clusters.” The latter was one of the four challenges that required the CTF finalists to tinker with the cluster hardware provided on-site.
While a handful of challenges used the Resistant Automotive Miniature Network (RAMN), Toyota’s credit card–sized electronic control unit (ECU) testbed, there were also categories on NFC, RFID, and open-source intelligence (OSINT).
Figure 2. One of the RAMN setups provided by Toyota
Figure 3. Some of the cluster hardware on-site, with the RFID setup on the far right
The contest finalists also faced a couple of “Blue Team” challenges, in which they simulated the role of a vehicle security operations center (VSOC) analyst for the day. These challenges were based on xNexus, VicOne’s next-gen VSOC platform.
Bridging the cybersecurity talent gap, fueling innovation
Beyond merely capturing flags or identifying weaknesses in simulated vehicle systems, Automotive CTF serves as a platform for potentially uncovering automotive zero-day vulnerabilities and equipping the automotive industry with a capable talent pool to protect connected vehicles against an ever-evolving threat landscape.
The global Automotive CTF winners and finalists, and even those who took part in the qualifying rounds, undoubtedly gained valuable hands-on experience in real-world attack scenarios. They are now a step closer to becoming part of the growing automotive cybersecurity community.
We’ll be back next year with tougher challenges and a wider audience. Stay tuned!
With contributions from Jay Turla, Principal Security Researcher at VicOne
