The 'Olympics of hacking'

In the world of competitive hacking, to be the best, you need to compete against the best. One annual event organized by a team led by Arizona State University faculty brings the most proficient hackers from around the world together to sharpen their skills by solving a series of complex cybersecurity problems.

DEF CON is the premier hacking conference in the world, and one of its signature events is its capture the flag tournament that features teams of the world's top hackers. For the third year in a row, faculty with the Global Security Initiative’s Center for Cybersecurity and Digital Forensics are designing the obstacles competitors will need to overcome in order to win this "Olympics of hacking."

“Software is everywhere and has vulnerabilities,” said Adam Doupé, competition "hackulty" member and a leader of the Center for Cybersecurity and Digital Forensics. “Hackers can demonstrate the flaws in systems so we can ultimately make things more secure. As we rely more and more on digital technologies to work, to live and to socialize in the age of COVID-19, the security of these services is paramount.”

The skills honed at this competition can be serious business. Apple will offer up to $2,000,000 to anyone who identifies a vulnerability that allows an attacker to take over an iPhone with no interaction.

As a grassroots effort hosted by hackers for hackers, the DEF CON capture the flag competition is an important training ground and skills-building opportunity for the next generation of cybersecurity professionals.

The competition challenges hackers with a series of intricate security problems. Each challenge is like a puzzle — a Rubik's Cube or sudoku. The participants need to identify vulnerabilities in software and then figure out how to exploit them in order to move on to the next stage of the competition.

Launching on Aug. 7 and running through Aug. 9, the DEF CON capture the flag accommodates players in varying time zones — this year, it will be conducted in shifts across the three days. The game has different challenges made available to teams at set times, and the goal is to identify a vulnerability and develop an exploit. Upon accomplishing both, the team has "captured the flag" for that challenge, winning the game.

“Throughout this competition, we are training the next generation of cybersecurity experts to have an ‘adversarial mindset’ so they can identify vulnerabilities and secure systems before a malicious attack can compromise them,” said Doupé, an associate professor in the School of Computing, Informatics and Decision Systems Engineering, one of the six Fulton Schools of Engineering.

ASU is a national leader in competitive hacking, helping current and future cybersecurity professionals build core skills such as vulnerability detection, cryptographic analysis, reverse engineering, and program repair. In addition to leading the design of the DEF CON competition, multiple ASU student clubs — including the PwnDevils and DevilSec — compete nationally and internationally in competitive hacking.

Celebrating its 28th year, DEF CON is an annual event traditionally hosted in Las Vegas with a wide range of attendees from different institutions and communities. Due to COVID-19, the event has migrated entirely to a virtual platform — everything and everyone is online. While this pivot to an online arena presented some initial challenges, the Cybersecurity and Digital Forensics team has noticed some benefits from the shift.

DEF CON 27 capture the flag competition participants.

“The move online increases the accessibility of the competition to an enormous audience,” said Yan Shoshitaishvili, resident "hackademic" and an assistant professor in the school. “Since everything is done over video streams and online connections, it introduces unique opportunities in archiving the events of the contest to allow others to study it both during and after the conference itself.”

In previous years, the competition scoreboard would be displayed on a screen — this year's spectators will have real-time viewing of the game and the hackers participating.

“This is the world championship of capture the flag competitions and is a great way to look at different aspects of security,” said Giovanni Vigna, capture the flag competitor and professor of computer science at the University of California in Santa Barbara.

“Anticipating what the organizers had cooked up each year, finding out what the problem was, and whether I could get it solved before the end … was a challenge,” said previous DEF CON capture the flag organizer Chris Eagle, senior lecturer at Naval Postgraduate School.

Learn more about ASU's commitment to cybersecurity education.