The Cyber Security Challenge has had its latest Face 2 Face (F2F) competition in Manchester. The event was sponsored by NCC Group and saw attendees challenged to break into a number of IoT devices.
There were 24 players in all who were split across five teams. The winning team, Tommy Flowers, and the star hacker of the day, Aaron Thompson, all received Arduino Starter Kits. In addition, seven attendees received invitations to attend the Masterclass Final later this year.
What IoT devices were they attacking?
There were several tests for these would-be cybersecurity stars. Each tested specific problem solving skills as well as the attendees’ knowledge of IoT security. The tests were also setup so as to provide alternative ways of breaking into the devices.
The five groups worked their way through the challenges. Most groups completed all of them. Nevertheless, analysis suggests that groups did not follow the script set out by the organisers.
The list of ‘targets’ for attack included:
- IP Cameras: this turned out to be fairly straightforward for all groups.
- My Friend Cayla talking doll: Before the event got underway there was a warning that, with the press present, inappropriate language should be avoided; having behaved themselves the groups set about the attack. Surprisingly, from watching many of them, they didn’t seem to be able to locate any of the places where the known hacks against the doll were listed.
- Remote controlled Car: This proved to be very interesting. The solution was to attack one library and then remap the codes for the car. In the end, the groups found the password for the car on multiple review sites.
- Computer Network: Rather than use the expected known exploit of the Windows Workstation the group hammered the Domain Controller. In a real world scenario it is much more likely that they would have failed as multiple attempts were detected.
- Home Controller: The gap between expectations and reality diverged quickly here. The groups solved this by using the same attack as for the IP camera. This may be due to a lack of knowledge but it did demonstrate there are multiple ways to attack a device.
An opportunity for employers
One of the challenges for employers looking for staff in their cyber security teams is cost. By the time employers have placed ads, filtered CVs and undertaken several rounds of interviews , they may have spent in excess of £10,000 for each new hire. On top of this, agencies can demand as much as a six months salary to headhunt staff. These are significant costs.
Employers should learn. Competitions offer an opportunity to sponsor the F2F competitions. They then have the chance to meet and look over 25 highly motivated and skilled potential employees. At the same time candidates challenge their skills in a visible environment which require them to demonstrate those skills. This removes the risk of hiring a paper cybersecurity expert, one with lots of qualifications and no practical experience.
What does this mean
There were three big standouts from this latest F2F competition. The standard was so high that selecting the seven candidates for the Masterclass was difficult. The gap between those selected and those rejected was really small. This is good news as it shows those applying for the F2F competitions really do have practical skills and can be employed quickly.
The second success was the quality bar. Having attended several F2F events it was notable that the assessors deemed this one of the toughest groups they had seen. The breadth of skills also meant that they found alternative solutions to the challenges. This ability to think differently is critical for cybersecurity teams.
The third was the relative ease with which the attendees broke into the IoT devices. There is an increasing security risk from poorly protected devices. This has to be adressed by manufacturers
While there is a lot of focus on the cybersecurity security skills gap, attention should also be paid to attempts to close that gap. The Cyber Security Challenge UK does not just address those already in work. It has a number of competitions that are aimed at students, schools and youth groups. It is also using online games to reach out to those those with the aptitudes to solve problems. This is arguably the most important aspect in this field.
Boiled down, more employers must engage with F2F, and other orginisations, which seek to fill this skills gap. There is no point in employers complaining about the lack of available staff while doing nothing to help.
For those not already in employment, F2F should provide them with a chance to meet potential employers,preferably ones who will offer to support them through training, college and even university. It is approaches like this which will deliver access to skilled and trained employees.
Thanks Ian – I was at this challenge, I thoroughly enjoyed it. You are correct – the state of IoT security is terrible. Default credentials (so they are free to view on the internet to all) combined with low cost software development has allowed bot nets such as Mirai to become prevalent in no time. We need these competitions to get skilled people into Cyber to help defend the modern world.