This is the current draft of the rules we’ll use for this year’s Car Hacking Village (CHV) Capture the Flag (CTF). This year, we need to include verbiage to allow companies or employees of sponsors to play in the CTF.

This Year’s Rules v0.9


  • No persons or employees of companies who are currently sponsoring can score on flags created by that company's employees.

  • Challenge creators will be awarded a point value for challenges submitted that have had successful scoring. Please see

  • Must be 18 or older to be designated as Team Leader.

  • Team Leader is awarded any prizes.

  • Void where prohibited.

  • No purchase necessary to win

  • Must be present after the Def Con Closing Ceremonies 2019 in the Paris, Bally’s, Flamingo, & Planet Hollywood, Las Vegas, NV area to win.

  • Grand Prize Winner is Responsible for all Taxes of the Grand Prize

CTF Tables in CHV:

  • Tables are open to anyone wishing to play in the CTF.

  • Must be registered or part of a team competing in the CTF to use the area designated as CTF.

  • Please do not save seats; those who keep seats open for long periods of time will be asked to vacate the table area.

CTF Contact:

  • (Primary)

  • (Last-Ditch)


  • A “Team” is defined as a collaborative group of up to six (6) individuals competing under a single team name

  • Teams must designate a Team Leader.

  • Only the Team Leader is eligible to win prizes.

  • A Team is not allowed to give themselves or another team an unfair advantage. If deemed in violation of these rules, the violating team will potentially see a deduction in points or disqualification from the CHV CTF.

  • All Team Leaders will be required to be present after Def Con closing to win prize

  • Individuals on one team may not share answers with those on another Team.

  • Individuals may only be a member of ONE Team.

  • If caught switching teams, the team may be penalized or potentially disqualified.

  • All members of a Team MUST be physically present at the Car Hacking Village or in Bally’s, Las Vegas, NV area on August 11th at noon in order to qualify for prizes

  • Team Leads must give REAL names, email, and phone numbers to collect prizes.  See our privacy statement below for more information.

Flags (Points):

Flags are awarded upon successful completion of individual challenges. Each challenge will be accessible via After successfully logging into the CTF website, teams will be presented with the list of categories and associated challenges. Each challenge will be identified with a point value.  Teams should click on the point value to view the challenge. The challenge will have a question, an answer box, and a value. Teams should work to solve the question and put the answer to the challenge in the answer box.  After hitting submit, the team will be notified if the flag was accepted. If yes, the team will be awarded points equivalent to the value of the challenge as stated in the main landing screen. If the response was incorrect, then no points will be awarded nor will any points be deducted. There is no penalty for wrong answers.

This year, the CTF is open to everyone, including those who may have assisted with developing or designing challenges.  This is done because many people who assist are also interested in competing. However, this poses a challenge as they would know the answers to their own challenges. For this reason, people who submit challenges to the CTF are not allowed to score points on their own challenges. Hey, Speaking of Flags we really want to make sure you’re reading the rules.  So here’s flag question (1/2): What’s the name of this village? Please don’t forget to enter flags in the standard CTF Format: flag{FlagValueHere}. But please read EVERYTHING before submitting the flag.

Not being able to score on challenges, however, discourages people from creating challenges.  To encourage more quality challenges from CHV challenge makers, those who submitted challenges are able to score up to 15% of the total value of the challenge. This is based on the number of solves and the value of the challenge itself.  Where Point Value of Flag = pv, Number of Solves by CTFers = ns, and Challenge Submitter Earned Points = cs: cs = pv*(pv*(ns-1))/17,331, where cs does not exceed 15% of pv. All fractional points are rounded up.

Hardware Contention:

Due to the nature of this CTF, Hardware Contention will likely become an issue. To help mitigate this, we propose a hardware signup sheet.  The top teams leading up to the main CTF at Def Con will be given an extra 10 minutes of time on hardware in the village.

Final Judgement:

Complaints must be formally requested by visiting the CTF table in the CHV and speaking with the CTF personnel.  Complaints deemed non-frivolous will be brought to Trial.

Rules for Trials:

Issues will arise, from hardware contention, to points valuation, to unforeseen challenges with the CTF infrastructure.  In the event that these issues arise and there is no rule that adequately describes the resolution of the problem, a 3-judge panel will be convened.  The judges will hear the case brought forth by the complainants. The judges will be two members of the CHV CTF or members who have no stake in the outcome of the CHV, plus one random member of the audience who has no affiliation with the complainant’s team members, the CHV, the CHV CTF, or the DEFCON Organization.  If another CTF team is involved with the dispute, then only they may also add a random member of the audience who has no affiliation with the complainant’s team members, the CHV, the CHV CTF, or the DEFCON Organization as a fourth judge. In the event of a tie in the judges’ decision, team leads must complete an additional CTF challenge, and the team that completes the highest value challenge in 30 minutes will have a fifth vote in the argument. A simple majority of votes wins the argument.

In order to prevent multiple complaints, a lost complaint will result in a 100 point deduction from team scores.  If teams do not yet have 100 points then they must earn 100 points.

Denial of Service:

As we are sharing hardware and only have a limited supply, physically disabling hardware is discouraged. So discouraged that the outcome of this transgression could lead to disqualification of your team or a deduction in your team’s flags.  Please let others use the hardware.


Coercion is bad; do not force others to do anything that they do not want to do. This includes forcing others to give your team answered challenges, forcing others to participate in challenges, and generally being mean and rude.

Unauthorized or After-Hours use of CHV Hardware:

The CHV is open from 10:00 AM to 6:00 PM on August 9 & 10.  It is open from 10:00 AM to 12:00 PM on August 11. Unauthorized or after-hours use of CHV-supplied challenge hardware is off limits to teams. Any team caught violating this may be penalized up to 2000 points or disqualified from this CHV CTF and future CHV CTFs. Please attempt to stop using tools promptly at the close of the village so as not to give your team an unfair advantage.


For the Stuff We Didn’t Think of:

It’s likely not possible that we can think of all the ways in which teams can gain an obvious unfair advantage.  If evidence is brought to the CTF Admin’s attention that a team is attempting to game the system in a way that is obviously unfair, then this team should be discouraged.  First infractions will result in the team being penalized by the CTF Admin. This penalization may include a deduction in points (up to 2000 points) or potential disqualification from the current and future CHV CTFs. Please do not create a situation where other teams do not want to compete.


  • Grand Prize - Broken-In* NEW 2019 Tesla Model 3 (NOT Supplied by Tesla)

  • No other prizes are awarded (Sorry)

How to Win Grand Prize:

The top three (3) teams that compete in the CTF after the CTF closes on Sunday August 11th, 2019 at Noon (Pacific Time) will qualify to win the Grand Prize.  We will host a run-off challenge to find out which team will win the Grand Prize.

Must be present to accept prize.  If not available by 1:00 PM PST then team forfeits place and the next place team will be considered as Third Place and other Teams will move up one rank.

Taxes or Alternative Prize:

Grand Prize winner MUST PAY ALL TAXES and FEES or choose a cash substitute for the Grand Prize. (Estimated at around $3500). Guess you read this part too. Second Fla_g (two/two): What is the full name of the protocol invented by Bosch in the 1980s that is standard on modern vehicles.  Remember full name. DON’T Stop reading now that you have both fla__gs. This is important.

If the Taxes are too much or the Team Lead does not wish to accept the Grand Prize, then the team lead may opt for a Cash Prize of $15,000. The Grand Prize will remain as property of, Inc.

Tie Breaker:

In the event of a Tie, the team who scored first will be awarded the higher rank. In the event that this is too close to call, the team who scored the highest value flag first will be given the higher rank. And if it is still too close to call, then a game of best of 3 Rock, Paper, Scissors.

Black Badge:

If selected as a Black Badge competition by Def Con, the team with the highest points at the close of the standard time CHV CTF (12:00 PM PST August 11, 2019) will be awarded Black Badge winner.

* Broken-In Tesla Model 3:

So this is Def Con and nice shiny cars are nice, but you know what’s better: Cars with a history, a past, a sordid past. So this year we will be collaborating with the Def Con D(estruction)20 CTF [@d20ctf]. Unlike their CTF, we won’t be hurting laptops, but rather cars.  Specifically the Grand Prize Vehicle. So why are we allowing this to happen? Why not?

So here is how we propose to Break-In the Tesla:

Cards will be distributed to teams by various individuals from the CHV.  The method for earning the cards will be entirely up to the holder of the cards as long as they are not asking for anything of value in exchange for the card itself.  Each team will fill out the required information on the back of the card and submit it to the CTF at the CHV CTF table in the Village.

Every Hour at the top of the hour we will draw a card.  The winner must be immediately present during the drawing. No Money will be given for your card being drawn, however you will get the opportunity to roll the D20.  The value of the roll corresponds to a value on the board (see table 1). The roller of the die can choose from any option on the table value 2 through the value of the die roll.  For example, if the roller of the die rolls a 12, the roller of the die can choose one thing from the Table 1 that has a value of 2 through 12 (the value that they rolled). Choosing 1 is only available if a 1 is rolled.

If the die lands in a way that a value cannot be determined by the CTF Judge, then a re-roll of the die is possible.

The D20 will be supplied by the CHV Judge.

Glass, Tail Lights, and Headlights will NOT be targeted for damage. They will be taped so as to help shield against breaking or cracking.


A Note to Tesla Fans (Like Myself) from @carfucar:

I realize hurting a car with hammers and bowling balls seems silly, juvenile, scary and maybe a bit dumb, but I guess that’s the point. Here we have an opportunity to do something we would NEVER do. We would never intentionally key a car nor drop a bowling ball on a beautiful new car. Why? I think it’s because we don’t do the things, because we shouldn’t do them that we must do it when given the chance.

Here is a new Tesla. Less than 100 miles. Amazing line, beautiful open cab, minimalistic in its design, but an absolute beast on the road.  It’s as perfect as a car can get. So why would the winner take this car home and even try to hack it? Why would they consider disrupting the glorious curves of a perfect driving machine? Simple, because it has been hit more than once with a bowling ball, painted on by strangers, stickered by def con hordes.  This car will not be its once perfect embodiment of a car, but now a perfect test platform where the winner can go out and collect security bug bounties.

This car will have the cuts and bruises that will make it unique. It will not be compared to other nicer looking cars, but have its own style, its own patina, its own story. When the winner of the car is approached at Tesla Supercharging Stations, other Tesla owners will strike up conversations about the vehicle’s history, why the frunk has a couple of dents, why there are “interesting” paintings on the side of the doors, where did they get the stickers on the trunk.  And the winner can simply go to or go to @CarHackVillage and show the lewd photos or the Sentry Mode Videos to give the history of the car.

In short, this is an exciting event, the winner will have an AMAZING car with an AMAZING story.  Yeah the car won’t be pretty, but it will still be pretty cool.

Bonus Points:

CTFs are hard to put together, and mistakes will be made.  We will do our best to solve these issues in a quick and timely manner.  However, if you do find an issue with a challenge, the web server, or any other infrastructure of the CTF, please bring this issue to the CHV staff. CTF Staff will be at the table marked CTF Staff in the CHV.  As a reward, bonus points ranging from 1-100 will be awarded to the team that notifies staff first and states the issue clearly so that it can be resolved. Please Contact for assistance. So you probably submitted the f_lags without reading everything, huh? Want to get those points back.  Simply combine both fl__ags into “F1agOneValue” “Fla9TwoValue”. Sorry but we need you to know that the grand prize may be a little dinged up and the winner has to pay the taxes. Also, we may have hidden another ffllaagg in the rules.

Privacy Statement:

We will only use your email to contact you during the CTF or after the CTF has closed to verify if you are among the finalists. After Def Con we will not contact you, but may maintain your contact details.

Feel free to use a burner email account or fake contact details, but we will only notify the finalists via the email address you’ve given.  If no one responds within 15 minutes of the request being sent out at the email address given by the team, then we will notify the next rank team and disqualify the non-responsive team. In other words, please don’t use an email address that you don’t have access to and cannot respond to emails on.

This privacy policy has been compiled to better serve those who are concerned with how their ‘Personally Identifiable Information’ (PII) is being used online. PII, as described in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. Please read our privacy policy carefully to get a clear understanding of how we collect, use, protect or otherwise handle your Personally Identifiable Information in accordance with our website.

What personal information do we collect from the people that visit our blog, website or app?

When ordering or registering on our site, as appropriate, you may be asked to enter your name, email address, mailing address, phone number, or other details to help you with your experience.

When do we collect information?

We collect information from you when you register on our site, fill out a form, Open a Support Ticket or enter information on our site.

How do we use your information?

We may use the information we collect from you when you register, make a purchase, sign up for our newsletter, respond to a survey or marketing communication, surf the website, or use certain other site features in the following ways:

      To allow us to better service you in responding to your customer service requests.
      To administer a contest, promotion, survey or other site feature.
      To quickly process your transactions.
      To follow up with them after correspondence (live chat, email or phone inquiries)

How do we protect your information?

We do not use vulnerability scanning and/or scanning to PCI standards.
We only provide articles and information. We never ask for credit card numbers.
We do not use Malware Scanning.

Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology.

We implement a variety of security measures when a user places an order, enters, submits, or accesses their information to maintain the safety of your personal information.

All transactions are processed through a gateway provider and are not stored or processed on our servers.

Do we use ‘cookies’?

Yes. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your Web browser (if you allow) that enables the site’s or service provider’s systems to recognize your browser and capture and remember certain information. For instance, we use cookies to help us remember and process the items in your shopping cart. They are also used to help us understand your preferences based on previous or current site activity, which enables us to provide you with improved services. We also use cookies to help us compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future.

We use cookies to:

      Help remember and process the items in the shopping cart.
      Understand and save user’s preferences for future visits.
      Compile aggregate data about site traffic and site interactions in order to offer better site experiences and tools in the future. We may also use trusted third-party services that track this information on our behalf.

You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser settings. Since each browser is a little different, look at your browser’s Help Menu to learn the correct way to modify your cookies.

If you turn cookies off, some features will be disabled, and some of the features that make your site experience more efficient may not function properly.

However, you will still be able to place orders.

Third-party disclosure

We do not sell, trade, or otherwise transfer to outside parties your Personally Identifiable Information.

Third-party links

We do not include or offer third-party products or services on our website.

California Online Privacy Protection Act

CalOPPA is the first state law in the nation to require commercial websites and online services to post a privacy policy. The law’s reach stretches well beyond California to require any person or company in the United States (and conceivably the world) that operates websites collecting Personally Identifiable Information from California consumers to post a conspicuous privacy policy on its website stating exactly the information being collected and those individuals or companies with whom it is being shared.

According to CalOPPA, we agree to the following:

Users can visit our site anonymously.

Once this privacy policy is created, we will add a link to it on our home page or as a minimum, on the first significant page after entering our website.

Our Privacy Policy link includes the word ‘Privacy’ and can easily be found on the page specified above.

You will be notified of any Privacy Policy changes:

      On our Privacy Policy Page

You can change your personal information:

      By logging in to your account

How does our site handle Do Not Track signals?

We honor Do Not Track signals and do not track, plant cookies, or use advertising when a Do Not Track (DNT) browser mechanism is in place.

Does our site allow third-party behavioral tracking?

It’s also important to note that we do not allow third-party behavioral tracking.

COPPA (Children Online Privacy Protection Act)

When it comes to the collection of personal information from children under the age of 13 years old, the Children’s Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, United States’ consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children’s privacy and safety online.

We do not specifically market to children under the age of 13 years old.

Just Kidding about having put a third fl@g in the rules.  Just wanted to trick the people who didn’t read everything.

Fair Information Practices

The Fair Information Practices Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.

In order to be in line with Fair Information Practices we will take the following responsive action, should a data breach occur:

We will notify you via email within 20 business days.

We also agree to the Individual Redress Principle which requires that individuals have the right to legally pursue enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or government agencies to investigate and/or prosecute non-compliance by data processors.


The CAN-SPAM Act is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have emails stopped from being sent to them, and spells out tough penalties for violations.

We collect your email address in order to:

      Send information, respond to inquiries, and/or other requests or questions

To be in accordance with CAN-SPAM, we agree to the following:

      Not use false or misleading subjects or email addresses.
      Identify the message as an advertisement in some reasonable way.
      Include the physical address of our business or site headquarters.
      Monitor third-party email marketing services for compliance, if one is used.
      Honor opt-out/unsubscribe requests quickly.

Allow users to unsubscribe by using the link at the bottom of each email.