We are happy to announce the conclusion of RHme3, the world's first global hardware security CTF. We would like to congratulate the winners:
- Team flagsofthewild scored 5353 points and solved 18 challenges
- Team SOS1 scored 4853 points and solved 17 challenges
- Team cloakware scored 4353 points and solved 16 challenges
Here's the Top 10 scoreboard:
Out of 19 challenges published during the main phase of the CTF, 18 were solved by at least one team. The Lockdown from the Fault Injection category, which was not the most 'valuable' (in points) challenge, was not solved by anyone. The 'easiest' challenge was Ransom from the Reverse Engineering category, solved by 76 teams or individuals. The most 'expensive' challenge, the Climate Controller Catastrophe, was solved by 13 teams. The 'easiest' hardware challenge from the Side Channel Analysis category, known as 'It's a kind of magic', was solved by only 14 teams. 96 individuals or teams solved at least one challenge in the main phase, out of ~500 people who passed the qualifications.
RHme3 lives on! We will soon reopen the challenge descriptions and binaries so you can continue playing with the challenges. Feel free to post write-ups. Please share them with us via Telegram or by mentioning @Riscure on Twitter. Stay tuned for one extra announcement soon, and, who knows, maybe in the future we will drop a new challenge or two (but not guaranteed). See you at RHme4!
We have recently discovered an inconsistency in our internal build of a Car Key Fob challenge. It looks like we tested one build and released another publicly. While the tested version did not have any issues, the released version contained a subtle bug which prevented the flag from being displayed. We have identified the issue and fixed it in the latest version of the challenge. We would like to thank all the teams who provided us with feedback over Telegram and IRC, and who helped us identify the bug. We apologize for the inconvenience. Please re-download and install the challenge binary, and good luck with the fixed version!
We recently discovered an inconsistency in our internal build and testing system. We tested a version of the Car Key Fob challenge, and released a different version for the RHme3 CTF. While the tested version did not have any issues, the released version contained a subtle bug which prevented the flag from being displayed. We have identified the issue and fixed it in the latest version of the challenge. We would like to thank all the teams who provided us with feedback over Telegram and IRC, and who helped us identify the bug. We apologize for the inconvenience.
This was not unexpected. We have decided to extend the RHme3 CTF for 15 days. The new deadline is now April 30. In a few days we also plan to open the two remaining challenges. Take your time solving them. Please do not post your write-ups before May 1. We now see 95 teams and individuals with at least one challenge solved, and we would like to see more. Good luck!
The Riscure Hack Me 3 challenge has officially started. You can view the challenges here. Please note that some challenges are disabled. We're still optimizing these to make sure they are not too easy or too hard to solve. Once we figure this out, we will let you know.
Important! If you downloaded personalization binaries from the website before 3PM CET Jan 15, please re-download the binary from the website to make sure you have the correct one. Instructions here.
Yes, this is true. We were expecting some extra challenges due to the complexity of our new CAN-enabled target, but in reality we had to spend hundreds of extra hours to develop and test the boards to make sure they are reliable and fun to crack.
Now here's the latest update. The boards are currently in production and should arrive in our office soon. We will start sending them in late November. The tricky part is the delivery time: some of you will get your board just a few days after we send it; for others it may take up to a month. To make sure no one gets an unfair advantage by accessing the challenges earlier than the rest, we decided to delay the launch for everyone. One more reason for the extra time is that we will have to manually test each board to make sure you get a working one. We will let everyone know when we start deliveries.
Facts: RHME3 main challenge opens January 15. The closing date now extends to April 15. We are also finalizing the challenges themselves, to make sure you still have a lot of fun, but at a later time. Stay tuned for updates!
If you are attending the RADARE2 #r2con conference in Barcelona on September 6-9, you have a chance to get an RHME3 board and participate in the main challenge. In total there will be five boards available, and in order to get one, you will have to win a competition. Details will be shared during a presentation by Eduardo Novella and Dana Geist from Riscure, scheduled at 10am Friday, September 8. More details and the conference agenda can be found at the RADARE2 website.
To keep things fair, winners of this competition will not get the extra points obtained by those who passed the official welcome challenge.
Thank you to all who registered and participated in the RHME3 qualifications. The registration is now closed; unfortunately, you will not be able to submit flags for the three welcome challenges anymore. Please stay tuned for updates here and in our Twitter account. The real fun starts on November 1. Before that we will contact all winners and send the boards needed to run the main challenge.
Thanks to @HexDump for posting the first, and very detailed, write-up: https://github.com/ResultsMayVary/ctf/tree/master/RHME3
The registration for RHME3 is now open! Click here to register and access challenges.
Join the discussion at the IRC channel #rhme on the Freenode server.
We would like to welcome teams and individuals to register and try their skills at solving the welcome challenge for RHME3. This year it’s not one but three challenges in total.
Here’s how RHME3 registration works:
• The registration is open from August 7 12:00 CET.
• The registration closes on August 28 at 12:00 CET.
• We only need your [nick]name and e-mail.
• Feel free to register, download and solve challenges in any order.
• Submit flags when you capture them. Do not share the flags with others, don’t spoil the fun.
• After August 28 we will announce the winners and contact them to ask for a physical address to ship the board.
• Every welcome challenge gives you one point. The score counts towards your overall RHME3 progress.
• Even if you plan to participate in the main challenge as a team, please solve the welcome challenges individually.
• We rank the results based on the number of challenges solved and dates of flags submission:
  ◦ Those who solved all three challenges and were the first to submit the flags.
  ◦ (If boards are still available) Those who solved at least two challenges and were the first to submit the flags.
  ◦ (Very unlikely to get a free board, but who knows) Those who solved at least one challenge and were the first to submit.
• In total there will be 500 participants with the best results to get the RHME3 board for free. You will need the board to solve the main challenges starting from November 1.
Register and view the challenges.
Riscure and Argus Cyber Security are happy to announce the third episode of Riscure Hack Me CTF, now with an automotive flavor. Read our official announcement here.
Registration for RHme3 opens on August 7th at 12:00 Central European Time. At that time the welcome challenge will be posted on this website. Once you get the flag of the initial challenge, you may be able to register. Please provide your physical address – we will need it to send out the board. The first 500 registered participants will get the board for free. The main RHme3 challenge starts November 1.
• Embedded systems CTF created by Riscure in partnership with Argus Cyber Security.
• Allows participants and interested parties to enhance their knowledge of embedded systems security in general, and hardware security in particular.
• For the first time, participants are provided with challenges that simulate real-life scenarios relevant to automotive cybersecurity: a group of challenges co-developed by Argus and Riscure utilizes the CAN protocol commonly used in modern cars.
• A special Arduino-compatible custom board has been developed for the RHme3 challenge.
• The core of the board is an Atmel XMEGA that has four times more memory and is twice as fast as the previous RHme boards.
• The RHme3 board also has a crypto-hardware accelerator and two CAN controllers, which allow a whole new range of challenges.
The RHme3 team
Riscure and Argus