BMW Car IT Security Challenge

Are you as enthusiastic about IT security as we are?

Our security team at BMW Car IT works hard to build secure Linux-based electronic control units (ECUs) to protect BMW's fleet and customers. In our daily life, we develop security software components, harden the system of our ECUs and help other teams to develop secure solutions for BMW's innovative new customer features. In order to do so, our team consists of people with a versatile skill set including software engineering, cryptography, embedded systems's engineering, security analysis & architecture as well as reverse engineering or digital forensics.

Gamification has a longstanding tradition in IT security. So called Capture the flag (CTF) contests have a long standing tradition in IT security. In our challenge, we want to share this passion with you. The challenge consists of small puzzles. For the beginning, we provide three such puzzles and are working on getting more in place. Each of the puzzles requires knowledge in different areas related to IT security to be solved. We hope that there is something to everyone's liking. All the puzzles are designed for the purpose of this challenge. They are sometimes a bit artificial but with a real-world background. The problems or methods showcased in the puzzles can be observed also in the real world. However, the puzzles are not one to one copies of this. So, vulnerability scanners or tools such as metasploit are not suited to solve them. All you need is your mind, knowledge of IT security and some common scripting language for automatization.

How does the challenge work?

You can imagine the challenge as a simplified version of a jeopardy-style CTF. All of the puzzles can be accessed via our Challenge Area - the website of a fictional mobility service provider called company Fabulous Mobility, Inc. Only the sites of Fabulous Mobility or serviced that are specifically referenced there are part of the game.

Each of the puzzles has a small teaser text and/or description (depending on the nature of the challenge) below. Your goal is always to retrieve the secret flags. All flags are strings of the format CIT-[0-9a-f]{64}. All of the puzzles contain at least one of these flags as solutions. Some of the puzzles may feature multiple flags. Some that are easy to get and others that require additional insight or work.

All the challenges have a strategic solution that is better than full brute force. Sometimes they may require you to probe something or algorithmically test possibilities. However, if you think you need to test all available values one by one, you probably have missed something and should reconsider.

You may solve the puzzles just for fun or can use the opportunity to recommend yourself to us as a security expert to join our team. We fast track the application process for anyone that solved some of the puzzles. For this, please send us the flags you acquired together with a brief write up how you solved the puzzle via email. Including scripts you used would also be very helpful.

The puzzles

Directly the Challenge Area

The currently available puzzles are described below. We intend to extend this list over time and provide more puzzles. So, it is worth coming back at a later point in time and check for updates.

If something is unclear please just drop us an email. We will answer you as soon as possible.

Puzzle 1 - Crypto with Oracles

You may have heard that it is important to employ cryptographic primitives correctly as small information leaks may lead to critical failure. Our friends at Fabulous Mobility employ AES to secure their customer data and company secrets. Take a look at their Technology page what they use and inspect the cookies they set. Are you aware of any problems with what they use? Can you get their secret customer token for you? Maybe you can also access some of their restricted information in a similar way.

Puzzle 2 - Challenge-Response Authentication

Fabulous Mobility, Inc offers a special challenge-response authentication service for partners to obtain collaboration tokens. The mechanism is described on their Collaboration page. Can you obtain a collaboration token even though you don't have any of the private keys required for authentication?

Puzzle 3 - Hidden in plain sight

Fabulous Mobility, Inc produces the best performing and most beautiful looking cars on the planet and even in virtual worlds! Look at our latest Offerings and get our your new ride today! Ignore the rumours that Fabulous Mobility, Inc also has a shady side business... We hide nothing from our beloved customers, not even in pictures... ok!? Creating cars is our passion!

Puzzle 4 - Reversing the Crypto

At Fabulous Mobility, we care deeply about advertising, so much so, that we invested a lot of effort in developing a program that outputs our wonderful slogan! Of course, the binary is intended for nothing else, so don't bother digging deeper into it!!

Jobs @ BMW Group

Independent of the puzzles, we would like you to take a look at our current opening as Security Engineer for Linux and Android-based platforms.

If you're interested in other areas of IT Security, take a look at our full list of offerings of IT-security related jobs at BMW Group. We offer positions in many different areas of specialization.