Skip to content
CSAW Embedded Security Challenge 2019
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE Initial commit Jul 7, 2019 Initial commit Jul 7, 2019 Update Aug 1, 2019
qualification.out Initial commit Jul 7, 2019

CSAW 2019 Embedded Security Challenge (ESC)

Teams are encouraged to start investigating the challenge as early as possible.

It is also recommended to periodically visit this repository on GitHub, as the details may be updated.


The Embedded Security Challenge (ESC) returns in 2019 for the 12th time, and we are proud to announce another exciting and educational global competition! ESC is part of CSAW, which is founded by the department of Computer Science and Engineering at NYU Tandon School of Engineering, and is the largest student-run cyber security event in the world, featuring international competitions, workshops, and industry events.

ESC 2019 will be a world-wide event held simultaneously in four regions: US-Canada, Europe, Middle East & North Africa, and India, with the finals taking place on November 6-9, 2019. The venues for each region are:

  • CSAW US-Canada: NYU Tandon School of Engineering, Brooklyn, USA.
  • CSAW Europe: Grenoble Institute of Technology - ESISAR, Grenoble, France.
  • CSAW MENA: NYU Abu Dhabi, Abu Dhabi, UAE.
  • CSAW India: Indian Institute of Technology Kanpur, Kanpur, India.

The competition is organized in all regions under the supervision of Professor Nektarios Tsoutsos (University of Delaware), and the global challenge leads are Patrick Cronin and Charles Gouert, who are also the US-Canada region challenge leads. In Europe, the competition is organized by Professor Vincent Beroulle. In the MENA region, the competition is coordinated by Professor Michail Maniatakos, with Esha Sarkar and Heba Ibrahim as the regional challenge leads. In India, ESC is supervised by Professor Sandeep Shukla, with Rohit Negi as the regional challenge lead.

Challenge Summary

This year's ESC focuses on the security of radio frequency identification (RFID) readers, which are utilized broadly from access control in buildings to user authentication in computing systems. This challenge will task contestants with hacking the firmware of a custom RFID card reader using reverse engineering tools developed by the United States National Security Agency (NSA).

Motivational scenario: A new tech startup Secure and Formidable Enterprises (SAFE) has tasked contestants with the physical penetration testing of their new RFID security system. To enhance security, each office in the building is protected with a different locking algorithm. Low security offices have simple security measures, while the company president's office and research & developement areas utilize advanced security techniques. Contestants must utilize reverse engineering tools developed by the United States National Security Agency as well as their knowledge of firmware reverse engineering to break through a number of increasingly difficult security measures protecting each office. More details and specifics can be found on the challenge description page.


Students of all university levels are invited to compete. Each team must have a team leader and up to 3 additional team members (a total of 4 participants per team). Each team leader is responsible for coordinating with other members of their team and will be the point of contact for the entire team. Each team must also have a university faculty advisor.

The team leaders need to register their team members and faculty advisor electronically at, using their team name as the 'Submission Title'. ESC uses a HotCRP-based registration and submission system for both the qualification and final rounds, and teams must register before finalizing their report and computer file submissions by the posted deadlines. In addition, CSAW requires all participating individuals (i.e., each team member separately) to complete a questionnaire.

Each team is eligible to register for only one region based on university affiliation: Europe, India, MENA, or US-Canada, as defined below. While team members do not need to attend the same university, all team members must be a part of the same region.

  • Europe: Hosting students from universities located in the European Union, Switzerland, Norway, or Armenia.
  • India: Hosting students from universities located in India.
  • MENA: Hosting students from universities located in Algeria, Azerbaijan, Bahrain, Chad, Djibouti, Egypt, Eritrea, Georgia, Jordan, Iraq, Iran, Kuwait, Lebanon, Libya, Mauritania, Morocco, Oman, Pakistan, Palestine, Qatar, Saudi Arabia, South Sudan, Sudan, Syria, Tunisia, Turkey, United Arab Emirates, or Yemen.
  • US-Canada: Hosting students from universities located within the United States or Canada.

To be able to qualify to the final round, each team must register for the correct region based on the university affiliations of its members.

After registration closes, making changes to the existing members of a team (e.g., replacing a team member) or adding new team members, requires explicit permission from the organizers. This is also necessary for teams replacing team members or adding new team members during the final round of the competition.

For more registration information, policies, deadlines, deliverable details, and for information for contacting CSAW organizers, visit the logistics page.

You can’t perform that action at this time.