U-M claims third in MITRE Embedded Capture the Flag Competition

The University of Michigan won third place in the 2025 Embedded Capture the Flag (eCTF) competition. Organized annually by MITRE, eCTF is a semester-long embedded security challenge that tasks participants with creating a secure embedded device that is resilient to physical and proximal attacks.
This was U-M’s first time competing in eCTF, a competition known for its rigorous focus on real-world embedded system security. The 10th iteration of the event included over 1,200 students on 29 teams, representing 123 schools and 17 countries around the world. Participants and winners were honored at an award ceremony held at Tufts University in late April.
The seed for U-M’s participation in eCTF was planted by team member and rising junior majoring in electrical engineering Tanay Sharma, who had been actively involved with U-M’s computer security club, WolvSec.
“I had previous experience with the competition,” Tanay explained, “and after discussing it with the club, we decided to try to make it an official course.” Tanay and a group of other WolvSec members approached Paul Grubbs, assistant professor of computer science and engineering at U-M, who agreed to advise them. With his support, they were able to turn the semester-long competition into a credited course, which allowed the team to attract more participants and dedicate the necessary time and resources to the project.
Composed of more than 25 students from computer science, data science, and electrical engineering, the U-M team was one of the largest in the competition. They worked collaboratively throughout the two-phase contest, which is divided into a design/build phase and an attack/defend stage.
In the first stage, teams were tasked with devising a secure system for a satellite TV decoder, with strict security and functional requirements. Building such a system required more than just academic knowledge—it was a test of ingenuity and teamwork for the U-M team.
“Our approach was based on a tree-based key distribution system,” explained team member and rising senior majoring in computer science Ethan McKean. “We used a hierarchical method to derive unique encryption keys for each timestamp, ensuring that only valid subscribers could decrypt the broadcast data.”

This innovative scheme of deriving unique keys for each timestamp was pivotal in protecting the system from potential attacks, even in cases of physical device compromise. It ensured that the encryption remained intact even if some parts of the system were exposed to potential breaches.
Switching to the attack phase, the team’s focus shifted dramatically. “It was a big transition from building something secure to trying to break other teams’ designs,” said Charlie Herz, team member and a rising senior majoring in computer science.

This phase introduced the competitive element of capturing “flags,” specific vulnerabilities in opponents’ systems that teams discover and exploit to earn points. Teams focus on identifying and attacking other designs while ensuring their own system remains secure.
The shift to this stage required a more adaptive strategy, blending cryptography, hardware, and creative problem-solving. The team excelled, successfully defending all flags—an achievement only nine teams in the competition accomplished.
“Our approach allowed us to build a robust, cryptographically secure design,” affirmed Charlie. “Ours was one of just a few designs in the competition that no other team was able to compromise.”
As the competition drew to a close, the U-M team was in fierce contention for a top spot. “We were neck-and-neck with a couple other teams,” Ethan recounted. “Right up until the last few hours, we weren’t sure of our standing.” It wasn’t until the awards ceremony at Tufts University that they learned about their final third-place finish, buoyed by the strong score awarded to their design.
Reflecting on the experience, team members emphasized the value of interdisciplinary collaboration and real-world problem-solving as key takeaways. “This competition was incredibly multidisciplinary,” said Tanay. “We used skills from across computer science, from cryptographic theory to hardware security, and learned new ones along the way.”
With the accomplishment of a top-three finish in their debut appearance, the U-M eCTF team is already looking ahead to next year’s competition. “This was such a great learning experience, and there are definitely things we can improve on,” said Charlie. “For next year, we hope to streamline our processes and enhance our infrastructure for even stronger performance.”
For the eCTF team, their success in this year’s competition marks only the beginning of their journey in the embedded systems space. Through subsequent competitions and their future careers, the team members aspire to influence the cybersecurity field and contribute to a more secure technological landscape.
“Competing in eCTF has prepared us in ways traditional coursework can’t,” said Ethan. “This experience has not only helped shape our career paths but also inspired us to tackle more challenges in embedded systems security.”