The Automotive Capture the Flag 2024 is a competition that gathers a diverse pool of cybersecurity professionals, security researchers, ethical hackers, and learners; all focused on a singular mission of building skills and capability in automotive cybersecurity. The competition is a unique CTF experience putting players face-to-face on the same challenges with various automotive security professionals.
Block Harbor, a trusted automotive cybersecurity engineering company, is the originator of the Automotive Capture the Flag (CTF) competition. They are responsible for designing, conducting, and executing the competition through their Vehicle Security Engineering Cloud (VSEC) platform. Block Harbor’s expertise ensures the CTF challenges are robust and innovative, delivering an experience relative to the skills and competencies of the automotive security domain.
VicOne, a leading provider of automotive cybersecurity solutions, sponsors the event and offers valuable guidance for the competition’s automotive edition. Their sponsorship and insights help enhance the event's quality and ensure it aligns with the latest industry standards and practices.
Together, Block Harbor and VicOne create a compelling and innovative CTF challenge that fosters learning in automotive cybersecurity and a stage for motivated and talented security practitioners to prove their value and ability to contribute to the automotive security industry.
The VicOne x Block Harbor Automotive CTF 2024 is set to engage and educate cybersecurity enthusiasts of all skill levels. Newcomers with no experience or security practitioners from other industries are encouraged to play.
The qualification rounds will feature over 40 challenges of varying difficulty in a Jeopardy format. For those new to automotive hacking, it is recommended to visit vsec.blockharbor.io for free training on prior CTF events through the courses in VSEC: Learn called Block Harbor Hackathon 101 and CTF Proving Grounds. Walk-throughs of previous challenges are available in these training modules. Previous year’s retired challenges are available in the CTF Proving Grounds which you can find at ctf.blockharbor.io.
During the qualification rounds, each challenge will provide the necessary files to solve it or instructions on where to access remote hardware or simulation environments hosted on vsec.blockharbor.io. Access to hardware and simulations, which have limited availability, will be managed through a reservation system allowing 30-minute slots for individual users. Participants are reminded not to disrupt the hardware or software environments for others and to clean up their environment of files after their session, as leftover files may be accessible to other players.
Teams of up to five (5) players will be able to register. Participation in the qualification rounds is entirely remote. All systems required to play are hosted at vsec.blockharbor.io. Players from around the world of all skill levels are encouraged to join. All participants need is their own laptop or computer with internet access to compete. The top 6 teams (2 from Japan and 4 from US/Global) will be invited to travel to the Automotive CTF 2024 Finals Competition.
Six top teams (2 from Japan and 4 from US/Global) will be invited to travel to the USA for a final set of challenges, which will be hosted in person for one day. Qualifying teams will receive a travel stipend. * For Japan participants, please go here for details: https://vicone.com/jp/automotive-ctf
Registration for the Japan and Global Qualifications Automotive CTF competition will open on August 17, 2024. Participants must register on vsec.blockharbor.io and link their account to their CTF user account. Teams can be formed on the CTFd platform, allowing users to collaborate and compete together. (See 8.1 Participants Eligibility)
The top 4 qualifying teams from the US/Global and the top 2 qualifying teams from Japan will be awarded vouchers to travel to Detroit, Michigan, where the grand finals will take place on October 21st. These top teams will also be invited to attend and speak at the Auto-ISAC Summit 2024, scheduled from October 22-23, where they will be awarded their prizes on stage on the 23rd. A team representative from the top six teams must be present at the Auto-ISAC summit to receive prize awards. (See 8.1 Participants Eligibility)
More consolation prizes for the Qualifying and Finals Round.
For community support, CTF staff assistance, questions, or general discussion, join the Block Harbor Discord community at this link: https://discord.gg/2fUzpD75. This event not only promises an engaging competition but also offers ample support and resources for participants. Free training is available on vsec.blockharbor.io, and practice challenges can be accessed at ctf.blockharbor.io. This ensures that all participants, regardless of skill level, have the opportunity to prepare and perform their best.
Participate in any post-competition debriefing sessions or surveys as requested by the organizers. This helps improve future events.
While collaboration between teams during the competition is prohibited, sharing knowledge and experiences after the event is encouraged.
If you discover any vulnerabilities during the competition, follow responsible disclosure practices to report them to the appropriate entities.
As the event approaches, participants are encouraged to familiarize themselves with the technical requirements, which include having a personal laptop or computer with secure internet access. They should also be aware of the rules and regulations, emphasizing fair play and the importance of cleaning up their competition environment after use.
Participants must be 18* years old or older to play. One member of the team will be designated as the team lead. The team lead must be an adult, 21 years or older, to represent the team. The team lead will receive any prize awarded to the team. Teams that place in the top six and attend the Finals event must attend the Auto-ISAC summit in the US to receive their prize.
*Due to US legal age requirements (21 years old), participants younger than 21 may not travel to the US for the Finals. However, they may participate remotely during the competition.
Participants can be individuals or teams. They can represent a company or can also be an independent team. The number of team members must not exceed five (5).
For Japan - Japan residents only. For the US/Global - From any country/region.
Participants must have their own laptop or desktop with secure Internet connection.
Online using vsec.blockharbor.io
All actions must be within the bounds of the law. Any illegal activities will result in immediate disqualification and possible legal consequences.
Only interact with systems, services, and data explicitly stated as in-scope by the event organizers. Any out-of-scope activity is prohibited.
Work independently or within your team. Do not sabotage other teams, use any form of unfair advantage, or engage in any behavior that could be considered cheating.
Do not attempt to gain access to systems or data through social engineering tactics such as phishing or impersonation.
If you are caught sharing CTF confidential knowledge publicly, you may be disqualified by the discretion of CTF organizers. Challenge creators must not share the challenges with the participants. Doing so may result in both the challenge creator and the participant being disqualified and blacklisted in future competitions.
Do not perform any actions that could lead to a denial of service for other participants or competition infrastructure.
Do not tamper with or alter the flags. Flags must be submitted exactly as found or specified in the challenge text. Typical flag format is BH{FLAG}.
Do not tamper with the competition infrastructure, including servers, networks, or other participants' work environments. Do not cause any damage to Block Harbor, VicOne, or CTF-related environments that may impact the usage of systems by other CTF members. Doing so may result in disqualification.
Respect the privacy of any data you encounter during the competition. Do not exfiltrate or share any data unless specifically required by the challenge.
Collaborate only with your team members. Sharing flags, solutions, or hints with other teams is not allowed.
Maintain professionalism and respect towards all participants, organizers, and systems involved. Harassment or inappropriate behavior will not be tolerated.
Use only the tools and techniques allowed by the competition rules. If unsure, seek clarification from the organizers.
Immediately report any issues, bugs, or vulnerabilities that could impact the integrity of the competition, to the organizers.
IMPORTANT: Teams or individuals can only join and represent one team and one entry. Multiple entries using multiple representations will not be allowed, resulting in disqualification in the competition and future challenges. CTF organizers may disqualify participants for reasons not stated in the rules above at their discretion to ensure fair play.
Or read our rules in Japanese!