top of page
  • Writer's pictureInfosec In the City (IIC)

SINCON 2020 — Car Security CTF

Updated: Dec 28, 2020

Prizes by Infosec In the City, SINCON

This CTF will be online on:

  • 2 Jan 2021 — 3pm-8pm (SGT, GMT+8)

  • 3 Jan 2021 — 10am-3pm (SGT, GMT+8)


  • 1st place: $70 SGD prize voucher

  • 2nd place: $40 SGD prize voucher

  • 3rd place: $30 SGD prize voucher


The CTF competition is open to all SINCON 2020 Conference ticket holders to play, enjoy and compete. To participate, you'll need the following:

  1. Get your SINCON 2020 Conference ticket:

  2. Join the Virtual Conference Platform:

  3. Follow the "car-security-kampung" channel on the Virtual Conference Platform.

  4. Register for a CSQ CTF account:

You will also need a Twitch account to join the CTF queue.


There are 3 categories, each with its own set of challenges and scores.

  • Category 1: Virtual simulated vehicle environments

  • Category 2: Physical test bench with real car components

  • Category 3: Physical cluster

The challenges will help beginners get started on car hacking and the basics of vehicle communications.

  1. You can form a team with up to 3 persons.

  2. There are 4 actual vehicle environments — 2 virtual simulated vehicle environments, 1 physical test bench and 1 physical cluster (

  3. To play, teams will remote access the 4 environments via ZeroTier VPN and SSH.

  4. Because you are accessing actual vehicle environments, there can only be 1 team working on 1 environment at any time. Hence, teams need to queue to get their hands on the environments. Teams are only allowed to queue for 1 of the 4 environments at a time (to allow everybody to have a chance to play).

  5. Each team will be allowed a duration of 30min per virtual environment/bench/cluster. Teams are allowed to re-queue even if they did not solve any challenge/question.

  6. To join the queue, you need to be connected to the environments' network. Network information will be sent to your registered CSQ CTF account. Once you are connected, ping the CSQ Crew on the "car-security-kampung" channel on the SINCON 2020 Virtual Conference Platform with the following information to get authenticated: (1) Specific network name you've joined (only 1 network at a time); (2) Team Name; (3); No. of players in the team; (4) Player(s)' handler; (5) Player(s)' device address shown in the ZeroTier network; and (5) Twitch account associated with the team (each team just need 1 Twitch account).

For more information, visit


  • Flag structure: flag{xxx}

  • For CAN bus flags, it will be ID#xxxxx (data) without any space or dots (.) in between.

Some of the challenges require the teams to demonstrate that you can recreate the scenario and display it to the CSQ Crew to get your points awarded.

Please ping the "car-security-kampung" channel on the SINCON 2020 Virtual Conference Platform and inform the CSQ Crew about the challenge you are working on to get points.


  • Denial-of-service or any malicious attacks against other competitors or CSQ's environments hosting the CTF is strictly prohibited and will result in a permanent ban

  • Do not attempt to brute force the server-logins or privilege escalate your way out of the given shell

  • No sharing of answers with other teams — we want to make this as fun as possible

  • Any vulnerability discovered in physical car components must be made known to the contest organisers

  • Any act of tampering, misuse, attacks on the infrastructure, equipment, software without the consent of the contest organisers will result in a permanent ban


Just ping the "car-security-kampung" channel on the SINCON 2020 Virtual Conference Platform. CSQ Crew will be online to provide support if needed.


Before the CTF starts, CSQ will be providing a short live hands-on introduction/demonstration to get you started on playing the car hacking CTF — From Zero to Hero(-ish): Your Journey to Car Hacking Begins.

Access to the Workshop Room will be broadcasted in the SINCON 2020 Virtual Conference Platform.

547 views0 comments

Recent Posts

See All


Post: Blog2_Post
bottom of page