A golden opportunity: the bank we’re about to rob is moving to new premises today. Luckily for us, they’re also testing alarms until 4 PM, so it won’t be suspicious if we accidentally set one off. There is an open window on the first floor protected by a single sensor. Our inside man among the staff has placed an IP camera into the sensor cabinet, so we can see whether the sensor we are trying to break shows ‘status OK’ or the alarm is screaming. The IP camera is streaming to YouTube — alas, with a delay. The problem is that the sensor communicates via radio waves: every 15 to 30 seconds the diode beeps and the device sends a signal. We’re listening, trying to imitate it, and when we’re sure, we’re gonna shut down the sensor and turn on the little imitation that we built. All that is left is to arrange the tin foil between the antennas, like this… the sensor alarm’s blaring! We are holding our ears and will try again in half a minute.
The Czech table
…That’s a rough summary of the first hardware task to be solved by the Czech delegates, who took part in the finale of the European Cyber Security Challenge for the first time. This year the finale, which has been held since 2014, was hosted by Malaga in Spain. The Czech team consisted of seven boys over 18, two 17-year-olds and one fifteen-year-old, who was the tallest of us all. These were the ten winners of the first year of the Cybercompetition among secondary schools, which was sponsored, among others, by the CZ.NIC Association and attended by 1,100 students from 162 schools. Now, they pitted their skills against 14 other nations from Norway to Cyprus under the sun of the seaside town in several disciplines, the first of which was the already mentioned hardware task, which we really enjoyed (or did it enjoy us?). Let’s give one story to illustrate: the configuration of our antenna caused interference with all the other teams’ signals… a technician came out in a few moments and skillfully triangulated the source — our table. Fortunately, the players managed to disconnect the antenna at that very moment and told the technician on their own that they had a problem.
The available tasks, however, were exciting and clever. For example, in the encryption task, the participants obtained a single file full of the word ‘Pikachu’. They wondered what kind of cipher this might be, tried to get a password from the file’s metadata… until they eventually found out it was source code in the esoteric programming language called Pikalang; from it they extracted source code in the Brainfuck language from 1993, which is a programming joke probably more familiar to you. After running the Brainfuck program, they got a line similar to one in /etc/shadow… and all that was left was to crack the SHA-512 hash to get the password.
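The decoding chain described above, sketched as an added example (not code from the competition or from this post): Pikalang tokens are translated to Brainfuck, the Brainfuck is interpreted, and the resulting shadow-style line is classified by its crypt prefix. The Pikalang token mapping is assumed from the language's public reference; the sample line, salt and hash are constructed placeholders.

```python
# Assumed Pikalang token -> Brainfuck mapping (public reference; not given on the page).
PIKA_TO_BF = {"pipi": ">", "pichu": "<", "pi": "+", "ka": "-",
              "pikachu": ".", "pikapi": ",", "pika": "[", "chu": "]"}
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}  # crypt(3) ids

def pikalang_to_bf(source):
    """Translate whitespace-separated Pikalang tokens; other words are ignored."""
    return "".join(PIKA_TO_BF.get(tok, "") for tok in source.split())

def run_bf(code, max_steps=1_000_000):
    """Run Brainfuck without input (',' is a no-op) and return its output."""
    stack, jump = [], {}
    for i, c in enumerate(code):          # pre-match the brackets
        if c == "[":
            stack.append(i)
        elif c == "]":
            jump[i] = stack.pop()         # IndexError on a stray ']'
            jump[jump[i]] = i
    if stack:
        raise ValueError("unbalanced '['")
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    for _ in range(max_steps):            # step cap stops runaway programs
        if pc >= len(code):
            break
        c = code[pc]
        ptr += (c == ">") - (c == "<")    # move the data pointer
        tape[ptr] = (tape[ptr] + (c == "+") - (c == "-")) % 256
        if c == ".":
            out.append(chr(tape[ptr]))
        elif (c == "[" and not tape[ptr]) or (c == "]" and tape[ptr]):
            pc = jump[pc]                 # jump to the matching bracket
        pc += 1
    else:
        raise RuntimeError("step limit exceeded")
    return "".join(out)

def classify_shadow_line(line):
    """Return (user, scheme, salt) for a shadow-style 'user:$id$salt$hash:...' line."""
    user, field = line.split(":")[:2]
    parts = field.split("$")              # ['', id, (rounds=N,) salt, hash]
    if len(parts) < 4 or parts[0]:
        return user, "unknown", None      # locked, empty or non-crypt field
    return user, CRYPT_IDS.get(parts[1], "unknown"), parts[-2]

def encode_sample(text):
    """Constructed test input: loop-free Pikalang that prints text, one cell per char."""
    return " ".join(" ".join(["pi"] * ord(ch) + ["pikachu", "pipi"]) for ch in text)

SAMPLE_LINE = "ctf:$6$ConstructedSalt$NotARealHash:17800:0:99999:7:::"  # constructed
print(classify_shadow_line(run_bf(pikalang_to_bf(encode_sample(SAMPLE_LINE)))))
```

The `$6$` prefix is what identifies the field as SHA-512 crypt, which is salted and iterated rather than a bare SHA-512 digest.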
The competition in full swing
Another task trained the players in abusing SQL injection — with one twist. The login form contained a proprietary Captcha that was not easy to fool. However, they found a comment in the HTML code of the page, and it was enough to guess the URL of the mobile version that did not support Captcha.
We should also thank the organizers for taking care of us during our free time. The accommodation and the quality of the meals really made us feel like the final itself was a reward: the contestants were accommodated near a cathedral, in a hotel from which the whole city spread before our eyes, and every evening they took us for dinner, where we could talk our fill with colleagues from other teams.
Everyone took home Dell keyboards, while the winners were also rewarded with 3D printers, drones, or an Arduino. Certain troubles arose during the transport — when we packed our luggage, it occurred to us that few things can be less suspicious at an airport than a piece of hardware with a tangle of wires attached to a safe keypad and a buzzer. Should we put this fishy stuff in our hand luggage or with the checked baggage? But the lady at the scanner just laughed. Only later did we realize that dozens of teams of other nationalities must have carried the same machines in the last couple of hours, so the airport staff seemed to have gotten used to it.
Arduino and a keyboard
I am about to end this blog post with one of the honest testimonies I’ve heard on the bus: “Even though it was the first time in my life with Arduino, I want to buy it and fiddle with it at home. I found out that C is not such a hard-core language in which they only write game engines, as I had always thought.”
By the way, the second Cyber Competition has already begun, with as many as 3,061 students having signed up — including some of this year’s finalists. Whether they win and go represent the Czech Republic for the second time (from which the team would benefit, as the boys will be able to contribute their experience), we will find out in the spring. I keep my fingers crossed for all the girls who participate in the second year; the fairer sex has been so far represented among the hackers by a Dane, a Briton and a Romanian; they were honored with proper applause during the introduction. That’s right, that’s how it should be!
In conclusion, I must not leave out that I also owe this experience to the Safer Internet project co-funded by the European Commission.