Cybersecurity students prepare for inaugural DistrictCon Hacker Conference

Students from George Mason University’s Competitive Cybersecurity (MCC) club have dominated in multiple national competitions. The team got 1st place in the 2024 VMI CyberFusion and 2nd place in the 2024 Spring National Cyber League. 

Next, the students will be competing in the inaugural DistrictCon Hacker Conference on February 21-22. 

“We'll be presenting live demos with our exploits in front of a judge and audience. So, we'll basically go from not having access to a certain device to showing that we can get access in the eight different attack vectors that we discovered,” said club president Dylan Knoff, a junior computer science major. 

This demonstration is known as the junkyard competition, and the device they’re hacking is a router. In preparation for the demo, the team is conducting multiple analyses and rehearsing talking points for verification of their research. 

“We basically ripped the firmware off of it, which is the code that runs on embedded devices like this one,” said Knoff, who participated in the International Cybersecurity Championship in Chile with the U.S. Cyber Team. 

“We utilized hardware debugging interfaces on the device to both find potential bugs by analyzing our own local copy of the firmware and confirm their existence and exploitability by trying to trigger them on the live device and utilizing the debug interface exposed,” he said. 

In addition to Knoff, his teammates Danyaal Shaozab and Ryan Murphy will also participate in the junkyard competition and other cybersecurity challenges including “capture the flag,” also called CTF, where the teams receive challenges, such as web app exploitation, binary exploitation, cryptography, reverse engineering, forensics, and a description that they must solve and then get a flag that is redeemed for points. 

In September 2023, MCC hosted its own international CTF event, attracting more than 3,000 participants and 1,600 teams as well as hosted PatriotCTF 2024 attracting over 5400 participants and 2200 teams. The club practices are offensive cybersecurity, which is a type of ethical hacking used to evaluate and determine a system’s security, Murphy explained. 

Murphy, who transferred to George Mason from Virginia Peninsula Community College as a part of the Mason Virginia Promise, has been passionate about cybersecurity since middle school and participated in CyberPatriot, a national youth cyber education program. 

“I'm still pretty new at George Mason, but it's been a really good experience so far,” said Murphy, a junior cyber security engineering major. “I got involved with the club from the get- go because they're a bunch of like-minded people and I’m really grateful for the opportunities the club and the university have offered me.”

The team will have two time slots and two presentations. They plan to do a dry run the day before the conference, as well as more analysis to solidify the information, said Murphy. 

Shaozab is currently working as an associate vulnerability researcher at TFP0 Labs, a Reston-based security research firm. Shaozab’s role entails finding and exploiting vulnerabilities of various security systems and he compares his professional responsibilities to that of his club and school assignments.  

“Working with Dylan and Ryan is great. We all have similar career goals, and it makes projects and assignments a lot easier,” said Shaozab, who is a senior cyber security engineering major. 

Shaozab credits his courses, including CYSE 465 Transportation Systems Design, for helping him prepare for the upcoming competition.  

“Dr. [Tanvir] Arafi is a very smart professor and a very talented individual in this field. His course really helped me hone my cyber techniques,” he said.  

Shaozab explained that the team is focused on exploiting the [Control Area Network] bus, which is like the nervous system of a vehicle, allowing different components like the engine, brakes, and doors to communicate with each other. “Exploiting it involves sending malicious messages in the CAN bus to manipulate the car's function, such as unlocking doors or starting the engine,” he said. 

“What made this particularly interesting to me is that I'm a huge car enthusiast, so being able to merge my passion for cars and cybersecurity was a unique experience. Getting hands-on with that in a classroom setting made it even more engaging. It’s rare to get that kind of knowledge taught in schools,” he said.