[Ryan] a.k.a. [1o57] comes from an age before anyone could ask a question, pull out their smartphone, and instantly receive an answer from the great Google mind. He thinks there’s something we have lost with our new portable cybernetic brains – the opportunity to ask a question, think about it, review what we already know, and reason out a solution. There’s a lot to be said about solving a problem all by yourself, and there’s nothing to compare to the ‘ah-ha’ moment that comes with it.
[1o57] started his Mystery Challenges at DEFCON purely by accident; he had won the TCP/IP embedded device competition one year, and the next year was looking to claim his title again. The head of the TCP/IP embedded competition had resigned from his role, and through a few emails, [1o57] took on the role himself. There was a miscommunication, though, and [1o57] was scheduled to run the TCP/IP drinking competition. This eventually morphed into a not-totally-official ‘Mystery Challenge’ that caught fire in email threads and IRC channels. Everyone wanted to beat the mystery challenge, and it was up to [1o57] to pull something out of his bag of tricks.
The first Mystery Challenge was a mechanical device with three locks ready to be picked (one was already unlocked), magnets to grab ferrous picks, and only slightly bomb-like in appearance. The next few years featured similar devices with more locks, better puzzles, and were heavy enough to make a few security officials believe [1o57] was going to blow up the Hoover dam.
With a few years of practice, [1o57] is turning crypto puzzles into an art. His DEFCON 22 badge had different lanyards that needed to be arranged to spell out a code. To solve the puzzle, you’ll need to talk to other people, a great way to meet one of [1o57]’s goals of getting all the natural introverts working together.
Oh. This talk has its own crypto challenge, something [1o57] just can’t get out of his blood:
So far nobody has solved the @hackaday 10 year anniversary in-talk-mini-crypto-puzzle-of-doom…("it's only a model")
DEFCON is known for its unique badge designs, which have featured displays, radios, and tons of LEDs in the past. This year, there was another digital badge at DEFCON. The Queercon 11 badge featured an MSP430, a LED display, an IR interface, and an ISM band radio.
Queercon started off as a DEFCON party for LGBT hackers. Over the past eleven years they’ve run events at DEFCON including parties, mixers, and networking events. Over time the group has grown, become a non-profit, and provided a social network for LGBT people in tech. We must admit that they throw quite a good pool party.
This badge gave you points for meeting other people. When held near another QC11 badge, the IR link sends the identifier for each person. Both badges light up and display the other person’s name, and store the event. This process became known by a variety of colloquialisms, and “badginal intercourse” was a common occurrence at events.
The RF radio, implemented using a HopeRF RF69 module, shows how many people with QC11 badges are near you. A base station at events sends out data to give badges points for attendance. As points are accumulated, the rainbow LEDs on either side of the display light up.
At Queercon parties, a reader connected to a dumb terminal read data off the badges. It then shows who the badge has paired with, and what events its been to.
The hardware design and source code have all been released on the Queercon website. The full functionality is discussed in the README.
You probably remember that for DEFCON I built a hat that was turned into a game. In addition to scrolling messages on an LED marquee there was a WiFi router hidden inside the hat. Get on the AP, load any webpage, and you would be confronted with a scoreboard, as well as a list of usernames and their accompanying password hashes. Crack a hash and you can put yourself on the scoreboard as well as push custom messages to the hat itself.
Choosing the complexity of these password hashes was quite a challenge. How do you make them hackable without being so simple that they would be immediately cracked? I suppose I did okay with this because one hacker (who prefers not to be named) caught me literally on my way out of the conference for the last time. He had snagged the hashes earlier in the weekend and worked feverishly to crack the code. More details on the process are available after the jump.
If you go to DEFCON next year (and you should), prepare for extreme sleep deprivation. If you’re not sleep deprived you’re doing it wrong. This was the state in which we ran into [LosT] and [J0nnyM@c], the brains behind the DEFCON 22 badge and all of the twisted tricks that torture people trying to solve the badge throughout the weekend. They were popular guys but wait around until late into the night and the throngs of hint-seekers subside just a bit.
Plans, within plans, within plans are included in the “crypto” which [LosT] talks about in the interview above. We were wondering how hard it is to produce a badge that is not only electrically perfect, but follows the planned challenge to a ‘T’. This includes things like holding off soldering mask from some pads, and different ones on a different version of the badge. Turns out that you just do as well as you can and then alter the puzzle to match the hardware.
Speaking of hardware. A late snafu in the production threw the two into a frenzy of redesign. Unable to use the planned chip architecture, [J0nnyM@c] stepped up to transition the badges over to Propeller P8X32a chips, leveraging a relationship with Parallax to ensure they hardware could be manufactured in time for the conference.
This morning I went to a fantastic talk called Hack All the Things. It was presented by GTVHacker. If you don’t recognize the name, this is the group that hacked the GoogleTV. They haven’t stopped hacking since that success, and this talk is all about 20+ devices that they’ve recently pwned and are making the info public (that link still had oath when I checked but should soon be public).
The attacks they presented come in three flavors: UART, eMMC, and command injection bugs. I’m going to add the break now, but I’ll give a rundown of most of the device exploits they showed off. I found all amusing, and often comical.
I got a great seat on the main floor for the first big DEFCON 22 talk which is a welcome to the con and discussion of the badge hardware. [LosT], the creator of this year’s badge, started the discussion with a teaser about the badge… there’s a phone number hidden as part of the challenge. [LosT] took a call from someone chasing the puzzles. The guy was in the audience which was pretty fun.
The process of building a puzzle that can be solved at DEFCON is really tough. How do you make it just hard enough that it won’t get pwned right away but easy enough that a large number of attendees will be able to figure it out during the weekend? The answer is to build a secure system and introduce strategic flaws which will be the attack vectors for the attendees solving the badge challenge.
Of course the badge can be used as a development platform. The populated electronics on the board all have these nice little footprints which can be cut to disconnect them from the chip. The breakout headers on either side of the board allow you to connect headers for your own uses. Great idea!
The back of the lanyards have special characters on them too. This encourages community at the conference. To solve the puzzle you need to find others with different lanyards. Compare the glyphs and crack the code (so far I have no clue!!).
Know what I’m doing wrong? Have suggestions on where to go from here? I’ll be checking the comments!
It took a measly 2-hours in line to score myself entry to DEFCON and this nifty badge. I spent the rest of the afternoon running into people, and I took in the RFIDler talk. But now I’m back in my room with a USB cord to see what might be done with this badge.
First the hardware; I need a magnifying glass but I’ll tell you what I can. Tere are huge images available after the break.
Crystal marked A050D4C
Looks like an EEPROM to the upper right of the processor? (412W8 K411)
Something interesting to the left. It’s a 4-pin package with a shiny black top that has a slightly smaller iridesent square to it. Light sensor?
Tiny dfn8 package next to that has numbers (3336 412)
Bottom left there is an FTDI chip (can’t read numbers)
The DEFCON letters are capacitive touch. They affect the four LEDs above the central letters.
I fired up minicom and played around with the settings. When I hit on 57600 8N1 I get “COME AND PLAY A GAME WITH ME”.
Not sure where I’m going from here. I don’t have a programmer with me so not sure how I can make a firmware dump. If you have suggestions please let me know in the comments!