MSP430-Based CTF Hardware Hacking Challenge

Hardware 'Flag'

Hacking conferences often feature a Capture the Flag, or CTF, event. Typically, this is a software hacking challenge that involves breaking into targets which have been set up for the event and capturing them. It’s good, legal hacking fun.

However, some people are starting to build CTFs that involve hardware hacking as well. [Balda]’s most recent hardware hacking challenge was built for the Insomni’hack 2014 CTF. It uses an MSP430 as the target device, and contestants send commands to the device over UART via a Bus Pirate. Pull off the exploit, and the wheel rotates to display a flag.

For the first challenge, contestants had to decompile the firmware and find an obfuscated password. The second challenge was a bit more complicated. The password check function used memcpy to copy the input, which made it vulnerable to a buffer overflow attack. By overwriting the program counter, it was possible to take control of the program and make the flag turn.

The risk of memcpy reminds us of this set of posters. Only abstaining from memcpy can 100% protect you from overflows and memory disclosures!
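To make the memcpy point concrete, here is an added example (not the challenge's actual firmware, and not [Balda]'s code): a host-compilable stand-in for a UART password check in the shape the post describes, next to a bounds-checked version. The function names, the buffer size and the password are constructed for illustration.

```c
/* Added example, not the challenge firmware: a password check in its
 * vulnerable shape and a hardened one. PASS_BUF_LEN, SECRET and the
 * function names are constructed for this illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PASS_BUF_LEN 16
static const char SECRET[PASS_BUF_LEN] = "hunter2";   /* constructed password */

/* Vulnerable: `len` arrives in the untrusted UART frame and is handed to
 * memcpy unchanged. A frame longer than PASS_BUF_LEN writes past `buf`
 * into whatever the compiler placed above it on the stack; on the MSP430
 * that includes the saved return address, which is exactly what the
 * second challenge relied on. Kept only to show the defect; calling it
 * with len > PASS_BUF_LEN is undefined behaviour. */
int check_password_vulnerable(const uint8_t *frame, size_t len)
{
    char buf[PASS_BUF_LEN] = {0};
    memcpy(buf, frame, len);                 /* no bound on len */
    return memcmp(buf, SECRET, PASS_BUF_LEN) == 0;
}

/* Hardened: reject an oversize frame before any byte is copied, and
 * compare a fixed number of bytes so the result does not leak through
 * early exit timing. Returns 1 on match, 0 on mismatch, -1 if rejected. */
int check_password_safe(const uint8_t *frame, size_t len)
{
    char buf[PASS_BUF_LEN] = {0};
    if (frame == NULL || len > PASS_BUF_LEN)
        return -1;                           /* memcpy is never reached */
    memcpy(buf, frame, len);

    uint8_t diff = 0;
    for (size_t i = 0; i < PASS_BUF_LEN; i++)
        diff |= (uint8_t)(buf[i] ^ SECRET[i]);
    return diff == 0;
}

int main(void)
{
    const uint8_t good[] = "hunter2";        /* 8 bytes including NUL */
    uint8_t oversized[64];
    memset(oversized, 'A', sizeof oversized);

    printf("safe, correct password : %d\n", check_password_safe(good, sizeof good));
    printf("safe, 64-byte frame    : %d\n", check_password_safe(oversized, sizeof oversized));
    /* The vulnerable check is only exercised with an in-bounds frame. */
    printf("vulnerable, in-bounds  : %d\n", check_password_vulnerable(good, sizeof good));
    return 0;
}
```

The fix is the length check in front of the copy; memcpy itself is fine once the destination size is enforced, which is the distinction the first comment below draws. The fixed-length compare is a separate hardening against timing leaks on the password itself.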


6 thoughts on “MSP430-Based CTF Hardware Hacking Challenge”

  1. I think this article misinterprets the goal of http://natashenka.ca/posters which IMHO is to warn against C functions that write into a string (or an array) without explicitly passing the size of the memory buffer together with the pointer, because that creates too many ways for the buffer to be overflowed. For example, the site says strlcpy() is safe.
    Now, memcpy() is safe in this respect, while strcpy() is not.

  2. I’ll admit, that second link made me laugh. However, wouldn’t this still be considered software hacking? You are still using some form of code to access the program counter.
