Attack Phase Flags and Scenarios

Tip

Understanding the contents of this page is critical to properly securing your design. If something is unclear, please reach out to the organizers on Slack to clarify.

Attack Phase MISC

In the Attack Phase, the MISC will be deployed as an insulin pump. The system will have two Components – a blood glucose sensor and an actuator dispensing insulin – controlled by the AP.

Attack Phase Scenarios

Attackers will have access to a number of different combinations of Application Processors, Components, and other information. Each setup represents a realistic scenario that willl test a design’s success at meeting one or more Security Requirements by embedding Attack Phase Flags into different parts of the setup.

The Attack Phase scenarios use multiple deployments between scenarios and flags to ensure information an attacker validly has in one scenario doesn’t undermine another. The table below summarizes the flags, scenarios, relevant security requirements, and deployments.

Flag Scenario Mapping

Flag

Scenario

Security Requirement

Deployment

Operational Pin Extract

AP1

SR3

D1

Operational Pump Swap

AP1

SR5

D1

Damaged Boot

AP2

SR1

D1

Supply Chain Boot

AP3

SR1

D3

Supply Chain Extract

AP3

SR4

D3

Black Box Boot

AP4

SR2

D2

Black Box Extract

AP4

SR4

D2

Attack Phase 1: Operational Device

The attacking team is provided with:

  • AP provisioned for Component A & Component B

  • Component A

  • Component B

The attacker has access to a fully working medical system but does not have access to the PIN, or Replacement Token. This scenario represents an attacker in physical proximity of a provisioned medical device. This scenario is provisioned from deployment 1.

This scenario features the devices provisioned as the Post Boot Insulin Pump.

Attack Phase 2: Damaged Device

The attacking team is provided with:

  • AP provisioned for Component C & Component D

  • Component C

The attacker has access to a system, but one component has been damaged and removed. In this scenario, an attacker could have gained access to a device while it was being serviced. This scenario is provisioned from deployment 1.

Attack Phase 3: Supply Chain Poisoning

The attacking team is provided with:

  • AP provisioned for Component A & Component B

  • Component A

  • No physical access to system

Replace Token and Attestation Pin are used by the technician repairing the system:

The attacker has managed to infiltrate the supply chain of medical device components and sell counterfeit replacement components in hopes that they are installed onto medical devices. A medical device with a damaged component has been taking to a facility for repair, but the counterfeit component is replaced instead of a valid component. The attacker cannot receive the result of the repair, but can exfiltrate data through a C2 link built into the counterfeit. This scenario is provisioned from deployment 3.

Note

Attack Phase 3: Supply Chain Poisoning will be set up in a similar way to the testing service, where teams will submit a request to be run over Slack by MITRE infrastructure.

In this scenario, teams will submit a fully built binary counterfeit to be tested and installed by the technician. The technician will run through installing the counterfeit in the system as well as running all of the MISC system’s pre-boot functionality.

In this scenario you can only see the result of the boot operation! You can make use of the C2 link through the USB-Serial interface on your counterfeit component.

Attack Phase 4: Black Box

The attacking team is provided with:

  • Component X

The attacker has access to a legitimate individual component that was received by an insider at the component manufacturer. The attacker is attempting to reverse-engineer the Component’s functionality by booting the component and/or extracting sensitive data. This scenario is provisioned from deployment 2.

Flags are available from completing functional tasks on other teams designs during the attack phase of the competition. Each flag tests a specific Security Requirements.

Attack Phase Resources

The diagram below shows what attackers are given during each of the scenarios described in detail above.

../../_images/attack_phase_resources.png

Attack Phase Flags

During the Attack Phase, teams will test the security of other teams’ designs by attempting to capture Attack Phase Flags. Each flag represents proof on an attacker’s ability to compromise one or more security requirements of a design.

Flag

Format

Description

Operational Pin Extract

ectf{pinextract_*}

Return confidential attestation data from the operational device

Operational Pump Swap

ectf{pumpswap_*}

Cause the operational insulin pump to dispense a dangerous level of insulin.

Damaged Boot

ectf{damagedboot_*}

Cause a damaged board missing a component to boot

Supply Chain Boot

ectf{supplychainboot_*}

Cause a board missing a component, with a known PIN, and no physical access to boot

Supply Chain Extract

ectf{supplychainextract_*}

Extract confidential data from a valid component connected to an AP with a known PIN and no physical access

Black Box Boot

ectf{blackboxboot_*}

Cause a black box component to boot

Black Box Extract

ectf{blackboxextract_*}

Extract confidential data from a black box component