Cisco Systems : Two days of fun, one RHme+ Challenge pwned!

Cisco Blog >SP360: Service Provider

By Oded Ashkenazi, Group Leader, STARE, Service Provider Video Software and Solutions, Cisco

Few would argue that data security has become one of the most pressing technology issues facing the world today. Nonetheless, despite the seriousness of our business, our STARE (Security Threat Analysis and Reverse Engineering Center) team in the Cisco Service Provider Video Software and Solutions group does enjoy having a bit of fun now and again.

So when, back in November last year, one of our team members noticed a tweet mentioning the Riscure Rhme+ challenge, we were naturally intrigued. It was time to start digging for more information.

Riscure is a global security test lab and market leader in side channel and fault injection test equipment. Through their RHme+ challenge they were tasking engineers to hack an Arduino board and extract the flags that were inside. In other words, a Capture the Flag (CTF) challenge. Given that this was a 'black-box' challenge, there was no source code nor any inside information.

Now contrary to popular belief, our STARE team was not named as such because we like to spend all day gawking at black boxes. But we do, indeed, handle black box evaluations for a variety of embedded devices and systems. A challenge such as this provided a fun way for us to keep our skills sharp. As the saying goes 'Use it or lose it.' And so we decided to go for it.

I contacted the folks at Riscure, and they immediately agreed to send us two challenge boards to our office. This challenge was unique in the way it combined both hardware and software attacks. To attempt it, we organized a two-day 'hackathon' during which we were all solely focused on this challenge. By the end of the first day, we had found the flag using just software-based attack methods. Since we had some time to spare, we decided to split in two groups.

The first group, concentrating on hardware attacks, successfully extracted the flag using an electro-magnetic glitch at just the right time. The second group, focused on improving the software exploit we had created the previous day, successfully extracted the EEPROM from the device. While it turned out to be mostly empty, it required us to create a sophisticated return-oriented programming (ROP) chain exploit, which was great fun.

On January 18th, 2016, Riscure announced the winners of the RHme+ challenge.

'From a total of 140 boards that were distributed during Blackhat Amsterdam, at universities in the Netherlands and [to] several teams that personally requested a board, we received two submissions that were successful in getting the flag.'

Our Cisco STARE team was one of the two winners, specifically called out for our technically-sophisticated solution.

This challenge is now open-source and anyone interested can have a go at resolving it.

Learn more about Cisco Video Security Solutions.

And if you have another product or challenge that you wish us to have a go at resolving… well you know we are always up for a bit of fun.