Solving the 2016 NSA Codebreaker Challenge – Overview

2016 was the 4th year the NSA ran its Codebreaker Challenge. It’s targeted at US college students, but anyone with a .edu email address at their disposal can join in the fun. Each year they have a series of challenges based on a unique scenario. This year the challenges revolved around remotely controlled IEDs.

Terrorists have recently developed a new type of remotely controlled Improvised Explosive Device (IED), making it harder for the U.S. Armed Forces to detect and ultimately prevent roadside bomb attacks against troops deployed overseas. The National Security Agency (NSA), in accordance with its support to military operations mission, has been asked to develop capabilities for use against this new threat. This will consist of six tasks of increasing difficulty, with the ultimate goals of being able to disarm the IEDs remotely and permanently render them inoperable without the risk of civilian casualties.

To accomplish this, there were six different tasks to be completed. The tasks were progressively harder and built upon the techniques discovered in the previous tasks:

This was the first year I competed in this challenge and was able to work through five of the six tasks. The sixth task was quite difficult, with only 15 people successfully completing it. I think I came close on it, but ran out of time at the end.

NSA Codebreaker Challenge 2016 Results

The above items will go to breakdowns of each task once they’re live, including what worked and, just as importantly, what didn’t. For Task 6, I’ll detail what I had discovered thus far and will update that with an explanation of the solution once they post it in the coming weeks.

2 Responses to Solving the 2016 NSA Codebreaker Challenge – Overview

  1. Fred says:

    Really nice writeup. Any thoughts on the sixth task?

    • Eric Brandel says:

      My first thought: it was really tough! 🙂

      I have some notes on it that I’ll probably write up late tonight. I discovered a couple things that I think were steps on solving it. One of them was the raw command values that you could use with the client instead of the plaintext commands (disarm, arm, etc.), which allowed you the additional ability of passing in some hex values to the server. Using that I found a buffer overflow, but exploiting those is really outside of my wheelhouse. I could have also been chasing a ghost. I’m really curious how the 15 people were able to solve it, but no one has posted anything that I’ve seen.

      The raw commands. They move through the code as hex, but the client wants them as ints:

      getserial
      0BE35C05 – 199449605
      raw 199449605

      getstate
      0BE35C04 – 199449604
      raw 199449604

      trigger
      0BE35C03 – 199449603
      raw 199449603

      arm
      0BE35C02 – 199449602
      raw 199449602

      disarm
      0BE35C01 – 199449601
      raw 199449601
