CTF Flag: The Very Secure Cabinet™

One of the more fun flags from the S4x17 CTF was the Very Secure Cabinet challenge, known officially as Implants ‘R Us:

This challenge represents a threat that is easy to overlook for geographically dispersed control systems: physical access to a remote cabinet can sometimes offer a way into an operator's network.

In this challenge, we wanted players to break into the cabinet by picking a lock, without triggering the cabinet’s anti-tamper alarm. We wanted the flag to be highly automated, which is to say that we wanted players to attempt to break in, and if they did so without triggering the alarm, have the cabinet give them the flag. If they accidentally triggered the alarm, we wanted to make sure that they didn’t get the flag.

This presented an interesting design challenge: we had to build an enclosure that knew when it had been opened, and also knew whether it had been opened without tripping its own 'open door' contact.

In the end, we settled on a fairly convoluted system using a camera. The cabinet has a magnetic reed switch that serves as the alarm contact players have to defeat, and it compares the current camera image against a baseline image taken with the door closed to tell whether the door is really open.

Operation and Play

The magnetic reed switch, camera, and a thermal receipt printer are all connected to a Raspberry Pi inside the cabinet. When the system powers up, the Raspberry Pi performs its baseline check by confirming that the door is closed (the reed switch reads closed). It then takes an image with the camera to serve as the baseline and blips the alarm buzzer twice to tell us that the cabinet is armed and ready for players.

Players then pick the lock and open the door without setting off the reed switch. This can be done with any moderately strong refrigerator magnet, held against the outside of the cabinet housing next to the reed switch so that the switch stays closed while the door opens. Once the camera notices that the door is open and the alarm hasn't gone off, the Pi starts blinking a red button inside. Players press the button and a receipt prints with the flag encoded on the paper.

We originally thought that it would be fun to give players a single chance at the flag. If they failed to open the door without setting off the alarm, a robot would ‘shoot’ the player with a Nerf gun or similar, and the player could no longer attempt to break into the cabinet. We decided against this draconian measure for two reasons: 1) it would discourage anyone from ‘trying it first’, and 2) we would have to keep an eye on the cabinet all of the time, and keep track of who tried the cabinet.

Solving it Another Way

Since we didn't supply any magnets to players, people had to find their own. One team snagged a magnet from a cabinet at their hotel and succeeded in opening the door without setting off the alarm. Another team found a clever solution: open the door (setting off the alarm), hold a magnet to the switch once the door was open, and then hold a flashlight up to the camera. This tricked the software into believing that the cabinet was truly closed. When they took the light away, the cabinet then believed (as if cabinets, let alone Raspberry Pis, are sentient) that the player had successfully opened the door without setting off the reed switch.

Cheat To Win, indeed.
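To make the weakness behind that bypass concrete, here is a small simulation of the arming sequence described under Operation and Play together with the flashlight trick. It is an added example, not code from the S4x17-Implant-Cabinet repository: it assumes that the controller re-armed by repeating its power-on routine (contact reads closed, take a fresh baseline) whenever the reed switch read closed again, which is one design that reproduces the reported behaviour, and the frames are constructed stand-ins for camera images. The hardened variant latches the alarm so that only an out-of-band operator reset can re-arm it.

```python
"""Simulated controller for the cabinet's reed switch + camera logic.

This is an added example, not code from the S4x17-Implant-Cabinet
repository. The re-arm behaviour it models (repeating the power-on
baseline capture whenever the reed contact reads closed again) is an
assumption chosen because it reproduces the bypass described in the post;
the frames are constructed stand-ins for camera images.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional, Sequence, Tuple

Frame = Tuple[int, ...]   # tiny grayscale frame, pixel values 0..255

# Constructed frames (not real captures).
CLOSED_DARK: Frame = (12, 15, 10, 14, 11, 13, 12, 16)       # door shut, cabinet dark
DOOR_OPEN: Frame = (140, 200, 90, 210, 160, 80, 190, 120)   # room visible through door
FLASHLIGHT: Frame = (255,) * 8                               # sensor saturated

OPEN_THRESHOLD = 40.0   # mean absolute pixel difference that counts as "door open"


def mean_abs_diff(a: Frame, b: Frame) -> float:
    """Crude frame differencing against the stored baseline."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)


class State(Enum):
    DISARMED = auto()
    ARMED = auto()
    ALARM = auto()
    OPENED_CLEAN = auto()   # door open and reed never tripped: blink the button


@dataclass
class Cabinet:
    latch_alarm: bool                 # hardened variant: alarm needs an operator reset
    baseline: Optional[Frame] = None
    state: State = State.DISARMED

    def arm(self, reed_closed: bool, frame: Frame) -> bool:
        """Power-on routine: arm only if the contact reads closed, then baseline."""
        if not reed_closed:
            return False
        self.baseline = frame     # trusts that 'reed closed' means 'door shut'
        self.state = State.ARMED
        return True

    def tick(self, reed_closed: bool, frame: Frame) -> State:
        if self.state == State.ARMED:
            if not reed_closed:
                self.state = State.ALARM
            elif mean_abs_diff(frame, self.baseline) > OPEN_THRESHOLD:
                self.state = State.OPENED_CLEAN
        elif self.state == State.ALARM and not self.latch_alarm:
            # Naive re-arm (assumed): repeat the power-on check. Once the door
            # is open, both inputs (magnet on the reed, light on the lens) are
            # the player's to control, so the new baseline is whatever they show it.
            self.arm(reed_closed, frame)
        return self.state

    def flag_available(self) -> bool:
        return self.state == State.OPENED_CLEAN


def flag_for(latch_alarm: bool, steps: Sequence[Tuple[bool, Frame]]) -> bool:
    """Boot with the door shut, replay (reed_closed, frame) samples, report the flag."""
    cab = Cabinet(latch_alarm=latch_alarm)
    cab.arm(True, CLOSED_DARK)
    for reed_closed, frame in steps:
        cab.tick(reed_closed, frame)
    return cab.flag_available()


# Intended solve: magnet on the switch before picking, then open the door.
INTENDED = [(True, CLOSED_DARK), (True, DOOR_OPEN)]

# Reported bypass: open (alarm), magnet on the reed with the flashlight on
# the lens, then take the light away.
BYPASS = [(False, DOOR_OPEN), (True, FLASHLIGHT), (True, DOOR_OPEN)]

# Magnet alone after opening: the re-arm baselines on the open-door view,
# so nothing changes afterwards and no flag prints.
MAGNET_ONLY = [(False, DOOR_OPEN), (True, DOOR_OPEN), (True, DOOR_OPEN)]

if __name__ == "__main__":
    for name, steps in (("intended", INTENDED), ("bypass", BYPASS), ("magnet only", MAGNET_ONLY)):
        print(f"{name:12} naive={flag_for(False, steps)!s:5} latched={flag_for(True, steps)}")
```

Run it and the naive controller hands out the flag for both the intended magnet-first solve and the flashlight sequence, but not for the magnet alone (the re-arm baselines on the open-door view, so nothing changes afterwards); the latched controller hands it out only for the intended solve. The general lesson is that an alarm which re-arms itself from the same sensors the player can spoof gives the player a path from ALARM back to a winnable state; latching the alarm until someone the player cannot influence resets it closes that path.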

Code

If you want to build your own cabinet challenge, we put the code and build files here: https://github.com/reidmefirst/S4x17-Implant-Cabinet. The cabinet could be built a lot smaller (ours was much larger than it needed to be), and a few additions could make it more fun. One idea for a contest would be to bring back the 'one player, one try' requirement but give players an inspection camera; our cabinet had a few small openings where an inspection camera could easily be inserted.

A final note on this build: we positioned the Raspberry Pi deep inside the cabinet, out of sight, so that no player was tempted to swipe the SD card (or the Pi itself!) after getting fed up trying to defeat the security mechanism. Before locking the Pi away, it is a good idea to set it up as a wireless access point and enable SSH, with key-based authentication and a non-default password, since an open access point with SSH is otherwise a second way into the cabinet. This lets you remote into the Pi in the event that something strange happens,