Bitdefender Matter CTF

Matter is the emerging standard for secure and interoperable communication across Internet of Things (IoT) devices. Developed by a consortium of industry leaders within the Connectivity Standards Alliance (CSA), Matter aims to unify smart home connectivity. The CSA maintains a reference implementation available as the connectedhomeip project (formerly known as project CHIP): https://github.com/project-chip/connectedhomeip

This repository provides comprehensive building blocks for creating customized Capture the Flag (CTF) competitions focused on IoT security. Designed to deliver a fully virtualizable CTF environment, it hosts realistic IoT scenarios built directly from connectedhomeip sources. The framework includes instructions to:

• Build and configure a Matter controller based on a Python Matter server: https://github.com/matter-js/python-matter-server
• Build and configure three simulated Matter devices by leveraging the Connected Home over IP (connectedhomeip) example applications: https://github.com/project-chip/connectedhomeip/tree/master/examples
• Build and configure the CTF management platform by leveraging CTFd: https://github.com/CTFd/CTFd

While not included in this repository, the framework can be used to integrate Matter-specific challenges, where individuals gain practical experience in discovering and interacting with these devices on a network, deepening their understanding of how modern IoT ecosystems operate. Participants can explore the protocols and mechanisms that underpin Matter, such as device onboarding, service discovery (including mDNS), and secure communication.

The CTF setting allows for safe experimentation with real-world attack scenarios. Learners can investigate the potential impact of vulnerabilities in Matter controllers and devices. This hands-on approach not only reinforces theoretical knowledge but also builds practical skills in network analysis, protocol reverse engineering, and IoT security assessment.

Important note: This readme contains the steps for building Docker images of components that can be injected with CTF-specific challenges. To get a full set of challenges, that is, a fully configured setup with instructions to integrate challenges in a real CTF, send an email to bgenge@bitdefender.com or ipadurean@bitdefender.com.

The final setup shall constitute of the following components:

Target platform

This CTF framework was developed and tested on Linux. The framework's architecture requires Docker's host network mode to enable proper device discovery and communication between Matter devices and the controller. On other operating systems (e.g., Windows and macOS), Docker's host network mode behaves differently (or is unavailable), which prevents the framework from functioning correctly. Therefore, this framework is only compatible with Linux environments.

Bitdefender CTF extra files

The Bitdefender CTF extra files provide a fully configured setup, including a fully configured Matter fabric, as well as CTF-specific challenges. As mentioned previously, these can be requested by email.

If the Bitdefender Matter CTF extra files are available, do the following:

1. Extract the files from bitdefender-matter-ctf-extra.tar.gz to the project root directory.

2. After building and running the CTFd docker image (see below), access http://127.0.0.1:8000, create a mock setup, then go to Admin panel -> Config -> Import & Export -> Import, click on Choose File, select the What's the Matter with my smart home_.<timestamp>.zip and click Import. Wait for a couple of minutes, then reload the page. The challenges should now appear in the CTFd platform.

Build the Docker images

CTFd

The steps to generate a Docker image from the sources are documented on the CTFd project's official repository: CTFd Install

Nevertheless, since the framework was tested with a particular version of CTFd, the following steps document the building process for the CTFd version used (and successfully evaluated) by this framework.

1. Clone the repository:

   $ git clone --recurse-submodules https://github.com/CTFd/CTFd.git
   $ cd CTFd
   $ git checkout 15e2d7db67a8077e8586eca085a464d83e89535f
   

2. Run docker compose up -d to build the container and start it.

3. After running the previous command, check with docker ps and docker images that the Docker image has been built and it is running. The ctfd-ctfd image should appear to be running. Also check that you can connect to the CTFd platform by accessing http://127.0.0.1:8000 in the preferred browser. Use the proper IP address/hostname if CTFd is deployed on a different host.

Matter server

The Docker image is based on the Open Home Foundation Matter Server version 8.1. The docker-compose.yml file is inspired from the Docker compose example of the project.

1. User provided patch files may be added to matter-server/patches directory with .patch extension. They will be automatically applied in the matter_server Python site package directory.

2. Perform the following commands in the Matter CTF project root directory in order to build and start the container:

   $ docker compose -f matter-server/docker-compose.yml build
   $ docker compose -f matter-server/docker-compose.yml up -d
   

   Important note: The state of the matter-server is mapped to host matter-server/data directory in order to be persistent across container restarts. Deleting this data directory will reset to a new, clean version.

Simulated Matter devices

The steps to build the Matter example devices can be found in the official project documentation.

Nevertheless, since the present CTF was built with a particular version of the Matter sources, and considering certain simulated devices, instructions are provided to build and run the particular devices that are then integrated as Docker images into this framework.

1. User provided patch files may be added to devices-app/patches directory with .patch extension. They will be automatically applied in the connectedhomeip directory before building the project.

2. If already having KVS files from commissioned devices (e.g., from Bitdefender's extra files), copy them to devices-app/keys directory and the release target will add them to the image.

3. Build the Docker image with the virtual Matter device applications:

   $ cd devices-app
   $ docker build -t devices-app:ctf --target release .
   

   This process takes several minutes to complete.

   Important note: The default build process utilizes all available CPU cores, which may consume too much memory resources resulting in failure. To reduce memory consumption, pass the JOBS argument to docker build, which limits the number of concurrent build jobs to the specified value. This will ensure a successful build at the expense of a significantly increased build time.

   $ docker build --build-arg JOBS=1 -t devices-app:ctf --target release .
   

4. Run the virtual Matter devices in separate interactive shells:

   $ docker run --name dishwasher-app --network host -it devices-app:ctf \
       ./chip-dishwasher-app --KVS dishwasher-app.kvs
   $ docker run --name lock-app --network host -it devices-app:ctf \
       ./chip-lock-app --KVS lock-app.kvs \
       --secured-device-port 5541 --unsecured-commissioner-port 5541
   $ docker run --name lighting-app --network host -it devices-app:ctf \
       ./chip-lighting-app --KVS lighting-app.kvs \
       --secured-device-port 5542 --unsecured-commissioner-port 5542
   

   If the devices are not already added to a fabric, follow the steps documented in the next section.

   The chip-dishwasher-app does not have the secured-device-port and unsecured-commissioner-port options and it runs on the port 5540 (default Matter port).

Add devices to a fabric

1. Stop the Matter device containers:

   $ docker stop dishwasher-app lock-app lighting-app
   

2. If the matter-server container is not running, start it.

3. Access http://127.0.0.1:5580 from a Web browser then select Commission node -> Commission existing device

4. Start a single device:

   $ docker start -a lock-app
   

5. The logs should display a similar content to the following:

   [1762157487.804] [1:1] [SVR] Server initialization complete
   [1762157487.804] [1:1] [SVR] Server Listening...
   [1762157487.804] [1:1] [DL] Device Configuration:
   [1762157487.804] [1:1] [DL]   Serial Number: 1AH123B23HX2
   [1762157487.804] [1:1] [DL]   Vendor Id: 65521 (0xFFF1)
   [1762157487.804] [1:1] [DL]   Product Id: 32769 (0x8001)
   [1762157487.804] [1:1] [DL]   Product Name: Midea Built-In Dishwasher
   [1762157487.804] [1:1] [DL]   Hardware Version: 0
   [1762157487.804] [1:1] [DL]   Setup Pin Code (0 for UNKNOWN/ERROR): 20202021
   [1762157487.804] [1:1] [DL]   Setup Discriminator (0xFFFF for UNKNOWN/ERROR): 3840 (0xF00)
   [1762157487.804] [1:1] [DL]   Manufacturing Date: (not set)
   [1762157487.804] [1:1] [DL]   Device Type: 114 (0x72)
   [1762157487.804] [1:1] [SVR] SetupQRCode: [MT:-24J042C00KA0648G00]
   [1762157487.804] [1:1] [SVR] Copy/paste the below URL in a browser to see the QR Code:
   [1762157487.804] [1:1] [SVR] https://project-chip.github.io/connectedhomeip/qrcode.html?data=MT%3A-24J042C00KA0648G00
   [1762157487.804] [1:1] [SVR] Manual pairing code: [34970112332]
   

6. Insert the Manual pairing code (34970112332 is the default code for CHIP devices) in the Web interface and select Commission. After this, the device should be added to the matter-server's fabric.

7. Repeat the steps 4-6 for each of the remaining devices.

Important note: During commissioning, only one uncommissioned device should run at a time. Otherwise, because all devices use the same pairing code, the controller will not be able to distinguish between them.