A prototype of any software or technology will have vulnerabilities; however, companies try to make their new products as secure as possible before they are distributed. The unfortunate reality is that there are still many products on the market or in use that have vulnerabilities, large or small, sometimes putting user information or safety at risk. Vulnerabilities that developers or vendors are unaware of after release are called Zero Days (0days).
A team of students from BYU recently presented at DEF CON, a large hacking and security conference, about a project they started in January. This project exposed vulnerabilities in an affordable wireless router. By hacking into the device, they discovered critical issues that anyone using the device could be vulnerable to, which were then reported to the company that made the routers. Their presentation at the conference detailed the process of hacking into the device, including what information they could find, and how to communicate 0day vulnerabilities to the company. The team members included Justin Applegate, Ava Petersen, Justin Mott and Wyatt Pangerl, who did not attend the conference. More information about their research can be found here.
For the rest of the three-day conference, the students teamed up with some students from the University of Illinois Urbana-Champaign (UIUC) to compete in the Embedded Systems Village Capture the Flag Competition. This particular CTF included hacking into embedded devices such as routers, security cameras, smart doorbells, and even Bluetooth locks using known or discovered vulnerabilities. Students also hacked into custom hardware using low-level exploits. The competition was extremely close, with the BYU-UIUC team initially tying for 1st place, but ending in 2nd after a sudden-death tiebreaker match.
In his own words, Justin Applegate is “a sucker for competitions.” He says, “There's something about the thrill of solving a challenge or going up on the leaderboard that is unmatched for me. The competition was very well done and required us to learn a lot, so I was ecstatic to compete. You never really know what to expect when you go into one of these CTFs as every single one is different and has different types of challenges, and that builds up to the suspense. To be able to see us compete at such a prestigious convention in one of their competitions and place second was a huge confidence booster; it shows we do actually know what we're doing, even as college students.”
When asked about her favorite part of DEF CON, Ava Petersen shared that she loved presenting the team’s 0day project. “For me, one of the best parts was seeing the application of everything we've learned and how we as students perform among an extremely technical audience,” she replied. “It was very cool to present to other skilled cybersecurity students and professionals about our research and see how the experience we gained from that project and from other CTF competitions earned us the technical prowess to compete neck and neck for a 1st place title in the Embedded Village CTF.”
The research of our cybersecurity students makes real-world impacts and helps make the technology we use safer. Competitions like the CTF at DEF CON allow our students to test their skills in ethical, exciting ways. If you are interested in participating in cybersecurity competitions, check out BYU’s CTF training group, or get involved in the end-of-semester CTFs.