The inaugural Japan edition of Automotive CTF reached an adrenaline-filled climax on Sept. 13, 2024, at the Belle Salle Roppongi events venue in Tokyo. This capture-the-flag (CTF) competition aims to sharpen the skills of cybersecurity professionals while providing a pathway for beginners to break into the automotive cybersecurity field. It is jointly organized by VicOne and Mitsubishi Research Institute (MRI) in partnership with Block Harbor, and commissioned by the Ministry of Economy, Trade and Industry (METI) of Japan. The contest is also supported by the Society of Automotive Engineers of Japan (JSAE), Japan Automotive ISAC, TIER IV, and Toyota Motor Corporation.
Automotive CTF 2024 Japan winners
Halfway through the competition, teams ierae and TeamONE were neck and neck with 18,600 points. The contest was still wide open, as other finalists — teams 藤原豆腐店, FCCPC, and Pwn4s0n1c — weren’t far behind.
Team ierae pulled away from the rest of the pack when it successfully solved the [ECU B] RAM peak challenge. With a total of 20,600 points, ierae not only became the sole team among the five finalists to solve all 15 challenges but also secured the top prize of the contest. TeamONE, finishing with 18,600 points, claimed second place.
Figure 1. The top teams of Automotive CTF Japan 2024: ierae and TeamONE winning first and second places, respectively.
Figure 2. The final team scores of Automotive CTF Japan 2024
Source: Automotive CTF Japan 2024
A mix of hardware and software challenges
The [ECU B] RAM peak challenge was one of several hardware-based challenges during the competition. These were built around Toyota’s Resistant Automotive Miniature Network (RAMN), a credit-card-sized electronic control unit (ECU) testbed used for studying and researching automotive systems.
Finalists also faced challenges based on xNexus, VicOne’s next-gen VSOC platform, where they were required to solve various CAN bus anomalies. One challenge involved a vehicle’s fuel cylinders, while the vulnerability ID of another challenge needed to be identified. Rounding out the software challenges was “I Am an EV Charger,” where participants were tasked to identify the brand of an electric vehicle (EV) charger based on firmware that was hypothetically leaked online.
Addressing the cybersecurity talent gap amid evolving threats
Although the hacking exercises at Automotive CTF target weaknesses in simulated car systems, they underscore the potential for uncovering zero-day vulnerabilities, ultimately leading to safer and more secure vehicles on the road. Beyond capturing flags, Automotive CTF serves as a platform for equipping the automotive industry with a capable talent pool to help secure vehicles against an ever-evolving threat landscape.
Figure 3. Max Cheng, CEO of VicOne, opened the inaugural Automotive CTF Japan by emphasizing the importance of Automotive CTF in honing the next generation of automotive cybersecurity professionals.
All participants, whether they advanced to the finals or not, gained practical hands-on expertise in real-world attack scenarios. They are now one step closer to joining the growing automotive cybersecurity community, dedicated to safeguarding the future of connected cars.
Up next: Automotive CTF finals in Detroit
Teams ierae and TeamONE will head to Detroit, Michigan, USA, for the Automotive CTF 2024 global finals on Oct. 21, with the awarding ceremony taking place on Oct. 23 during the 8th Annual Auto-ISAC Cybersecurity Summit at MGM Grand Detroit.
At the global finals, the two teams from Japan will battle with the best of the best in the world to see who will claim the top prize and, of course, the priceless bragging rights as this year’s ultimate winner of the world’s biggest automotive-themed CTF competition.
With contributions from Jay Turla, Principal Security Researcher at VicOne