RiscureWelcome to RHme3, the world's first automotive CTF

And one more thing: prizes!

We are happy to announce prizes for the top three teams that scored the highest number of points in Riscure Hack Me 3. Every team gets one free course from Riscure Training Academy. You can select either one online course that you will be able to access anytime or one offline course – to attend the latter you will have to travel to our HQ in the Netherlands.

The overview of courses is available on our website. You can choose the convenient date of the offline course of your choice in our course catalog. The offline training offer is valid until the end of 2018. Every team can redeem up to three seats in either online or offline training. Congratulations! Please get in touch with us via e-mail or Telegram to discuss how to redeem your prize.

25 Jun 2018

RHme3 is completed!

We are happy to announce the conclusion of RHme3, the world's first global hardware security CTF. We would like to congratulate the winners:
- Team flagsofthewild scored 5353 points and solved 18 challenges
- Team SOS1 scored 4853 points and solved 17 challenges
- Team cloakware scored 4353 points and solved 16 challenges

Here's the Top 10 scoreboard:

Fun facts
Out of 19 challenges published during the main phase of the CTF, 18 were solved by at least one team. The Lockdown from the Fault Injection category, which was not the most 'valuable' (in points) challenge was not solved by anyone. The 'easiest' challenge was Ransom from Reverse Engineering category, solved by 76 teams or individuals. The most 'expensive' challenge, the Climate Controller Catastrophe, was solved by 13 teams. The 'easiest' hardware challenge from the Side Channel Analysis category, known as 'It's a kind of magic' was solved only by 14 teams. 96 individuals or teams solved at least one challenge in the main phase, out of ~500 people who passed the qualifications.

What's next
RHme3 lives on! We will soon reopen the challenge descriptions and binaries so you can continue playing with the challenges. Feel free to post write-ups. Please share them with us via Telegram or by mentioning @Riscure on Twitter. Stay tuned for one extra announcement soon, and, who knows, maybe in the future we will drop a new challenge or two (but not guaranteed). See you at RHme4!

01 May 2018

Bugfix in Car Key Fob challenge

We have recently discovered an inconsistency in our internal build of a Car Key Fob challenge. Looks like we have tested one build, and released another publicly. While the tested version did not have any issues, the released version contained a subtle bug which prevented the flag from being displayed. We have identified the issue and fixed it in the latest version of the challenge. We would like to thank all the teams who provided us feedback over Telegram and IRC, and who helped us identify the bug. We apologize for the inconvenience. Please re-download and install the challenge binary and good luck with the fixed version!

13 Apr 2018

Car Key Fob challenge update

We recently discovered an inconsistency in our internal build and testing system. We tested a version of the Car Key Fob challenge, and released a different version for the RHme3 CTF. While the tested version did not have any issues, the released version contained a subtle bug which prevented the flag from being displayed. We have identified the issue and fixed it in the latest version of the challenge. We would like to thank all the teams who provided us with feedback over Telegram and IRC, and who helped us identify the bug. We apologize for the inconvenience.

13 Apr 2018

RHme3 is extended until April 30

This was not unexpected. We have decided to extend the RHme3 CTF for 15 days. The new deadline is now April 30. In a few days we also plan to open the two remaining challenges. Take your time solving them. Please do not post your write-ups before May 1. We now see 95 teams and individuals with at least one challenge solved, and we would like to see more. Good luck!

06 Apr 2018

RHme3 Main Challenge is on!

The Riscure Hack Me 3 challenge has officially started. You can view the challenges here. Please note that some challenges are disabled. We're still optimizing these to make sure they are not too easy or too hard to solve. Once we figure this out, we will let you know.

Important! For those who downloaded personalization binaries from the website before 3PM CET Jan 15. Please re-download the binary from the website, to make sure you have the correct one. Instructions here.

Full-size printable challenge map is available here.

The main phase of RHme3 concludes April 15. We are aware that some of you have not received their boards yet. We expect that next week almost everyone should have a board. But in case there are any extra issues with snail mail, we may consider extending the ending date. We decided to go ahead and open the challenges for everyone for two reasons. First, we are confident that three months is enough to solve all the challenges, maybe even twice. Second, we don't award extra points for those who are the first to submit a flag. So take your time and have fun.

Please feel free to discuss the challenges in the IRC channel (#rhme on the Freenode) and Telegram (https://t.me/rhmectf). These two channels are actually connected to each other and some of our team members may (or may not) be there to help. If private information needs to be shared to solve a problem, please use rhme@riscure.com.

Teams! There is one extra step you need to do to solve challenges together. Remember, we asked you to pass the qualifiers individually. Now it's time to pick one account as a team account. You have to personalize your boards using this team account. You need to submit flags using this team account as well. More details on board personalization available here.

RHme3 is developed by Riscure and Argus Cyber Security

15 Jan 2018

RHME3 main challenge postponed till January 15

Yes, this is true. We were expecting some extra challenges due to the complexity of our new CAN-enabled target, but in reality we had to spend hundreds of extra hours to develop and test the boards to make sure they are reliable and fun to crack.

Now here's the latest update. The boards are currently in production and should arrive in our office soon. We will start sending them in late November. The tricky part is the delivery time: some of you will get your board in just a few days after we send it, for others it may take up to a month. To make sure no one gets an unfair advantage of accessing the challenges earlier than the rest, we decided to delay the launch for everyone. One more reason for the extra time is that we will have to manually test each board to make sure you get a working one. We will let everyone know when we start deliveries.

Facts: RHME3 main challenge opens January 15. The closing date now extends to April 15. We are also finalizing the challenges themselves, to make sure you still have a lot of fun, but at a later time. Stay tuned for updates!

20 Oct 2017

RHME3 board giveaway at RADARE2, Barcelona

If you are attending RADARE2 #r2con conference in Barcelona on September 6-9, you have a chance to get an RHME3 board and participate in the main challenge. In total there will be five boards available, and in order to get them, you will have to win at a competition. Details will be shared during a presentation by Eduardo Novella and Dana Geist from Riscure, scheduled at 10am Friday, September 8. More details and conference agenda can be found at RADARE2 website.

To keep things fair, winners of this competition will not get extra points obtained by those who passed the official welcome challenge.

06 Sep 2017

The registration is now closed

Thank you all who registered and participated in the RHME3 qualifications. The registration is now closed, unfortunately you will not be able to submit flags for the three welcome challenges anymore. Please stay tuned for updates here and in our Twitter account. The real fun starts on November 1. Before that we will to contact all winners and send the boards needed to run the main challenge.

Thanks to @HexDump for posting the first, and very detailed, write-up: https://github.com/ResultsMayVary/ctf/tree/master/RHME3

28 Aug 2017

RHME3 registration is open. Welcome challenges posted!

The registration for RHME3 is now open! Click here to register and access challenges.

Join the discussion at the IRC channel #rhme on the Freenode server.

We would like to welcome teams and individuals to register and try their skills at solving the welcome challenge for RHME3. This year it’s not one but three challenges in total.

Here’s how RHME3 registration works:
• The registration is open from August 7 12:00 CET.
• The registration closes on August 28 at 12:00 CET.
• We only need your [nick]name and e-mail.
• Feel free to register, download and solve challenges in any order.
• Submit flags when you capture them. Do not share the flags with others, don’t spoil the fun.
• After August 28 we will announce the winners and contact them to ask for a physical address to ship the board.
• Every welcome challenge gives you one point. The score counts towards your overall RHME3 progress.
• Even if you plan to participate in the main challenge as a team, please solve the welcome challenges individually.
• We rank the results based on the number of challenges solved and dates of flags submission:
o Those who solved all three challenges and were the first to submit the flags.
o (If boards are still available) Those who solved at least two challenges and were the first to submit the flags.
o (Very unlikely to get a free board, but who knows) Those who solved at least one challenge and were the first to submit.

• In total there will be 500 participants with the best results to get the RHME3 board for free. You will need the board to solve the main challenges starting from November 1.

Register and view the challenges.

07 Aug 2017

RHme is back!

Riscure and Argus Cyber Security are happy to announce the third episode of Riscure Hack Me CTF, now with an automotive flavor. Read our official announcement here.

Registration for RHme3 opens on August 7th at 12:00 Central European Time. At that time the welcome challenge will be posted on this website. Once you get the flag of the initial challenge, you may be able to register. Please provide your physical address – we will need it to send out the board. The first 500 registered participants will get the board for free. The main RHme3 challenge starts November 1.

RHME3 highlights:
• Embedded systems CTF created by Riscure in partnership with Argus Cyber Security.
• Allows participants and interested parties to enhance their knowledge of embedded systems security in general, and hardware security in particular.
• For the first time participants are provided with challenges that simulate real-life scenarios relevant to automotive cybersecurity: a group of challenges co-developed by Argus and Riscure utilizes CAN protocol commonly used in modern cars.
• A special Arduino-compatible custom board has been developed for the RHme3 challenge.
• The core of the board is an Atmel XMEGA that has four times the more memory and is twice as fast than the previous RHme boards.
• The RHme3 board also has a crypto-hardware accelerator and two CAN controllers, which allow a whole new range of challenges.

The RHme3 team
Riscure and Argus

17 Jul 2017

Follow @Riscure
Follow @ArgusSec