The security conference LayerOne 2018 took place this past weekend in Pasadena, California. A schedule conflict meant most of our crew was at Hackaday Belgrade but I went to LayerOne to check it out as a first-time attendee. It was a weekend full of deciphering an enigmatic badge, hands-on learning about physical security, admiring impressive demos, and building a crappy robot.
This year’s LayerOne conference is May 25-27 in Los Angeles and Hackaday will be there! Hurry and get your ticket now as today is the last day for pre-registration.
As the InfoSec community takes over the Pasadena Hilton next weekend you’ll wish you had a week instead of just three days to take part in all that is offered. There are organized talks and workshops on pen testing, being the bad guy, and DevOps Security. Learn or improve on your lockpicking skills in the Lockpicking Village. The conference hardware badge will be hacking in every direction in the Hardware Village, and new this year is an Internet of Things Village.
If you ask us, the L1 Demo Party is where it’s at. We love seeing what kind of audio and video demos can be squeezed out of a microcontroller board. If you want one of your own, LayerOne is selling the L1 Demoscene Board on Tindie, and you can dig into the hardware on the Hackaday.io page. Take a look back at the results of the 2015 Demo Party for some of the highlights.
This con has an incredible community supporting it; many of the people you’ll meet have been at every LayerOne since it started back in 2004. Supplyframe, Hackaday’s parent company, has been a sponsor since 2015 and is once again proud to support the event and sponsor the hardware badge. Members of the Hackaday and Tindie crew will be on site so come say hello and don’t be afraid to bring a hack to show off!
The LayerOne conference is over, and that means this last weekend saw one of the biggest demoscene parties in the USA. Who won? A European team. We should have seen this coming.
There were two categories for the LayerOne demo compo, the first using only the LayerOne Demoscene Board. It’s a board with a PIC24F microcontroller, VGA out, and a 1/8″ mono audio out. That’s it; everything that comes out of this board is hand coded on the PIC. A few months ago, [JKing] wrote a demo to demonstrate what this demoboard can do. According to him, it’s the only reason Hackaday sold a single Demoboard in the Hackaday store:
First place for the Demoscene Board competition went to a remote entry – a team called COINE. The video and initial reactions of everyone in the room:
No one in the room had any idea how this was possible. The hardware should not be able to do that. The resolution and number of colors are too high. It was, by far, the most impressive demo at LayerOne. That doesn’t mean the other submissions to the Demoscene board competition were overlooked. [jamisnemo]’s entry was well received, even though he ran out of time writing it:
The second category for the LayerOne demo competition was the ‘Secret’ Board. There were only 10 or 12 of these boards ever made, but there were still some impressive entries. The board itself is built around an ATMega88 – 8k of Flash, 1K of RAM, and 512 Bytes of EEPROM. If using an ATMega88 as a demo platform sounds familiar, you’d be right. [lft] built the Craft demo way back in 2008 around this chip. The Secret Board is designed to run this demo, and serve as a platform for a demo that implemented a framebuffer on the ‘Mega88:
In all, an excellent competition. It was well received by all attendees, and next year’s compo is sure to be even bigger. If anyone has any idea on how the big European capture these demos to video, please leave a note in the comments. No one at LayerOne could figure it out.
Go to DEFCON and you’ll stand in line for five hours to get a fancy electronic badge you’ll be showing to your grandchildren some day. Yes, at DEFCON, you buy your hacker cred. LayerOne is not so kind to the technically inept. At LayerOne, you are given a PCB, bag of parts, and are told to earn your hacker cred by soldering tiny QFP and SOT-23 chips by hand. The Hardware Hacking Village at LayerOne was packed with people eagerly assembling their badge, or badges depending on how cool they are.
The badges are designed by [charlie x] of null space labs, one of the many local hackerspaces around the area. The design and construction of these badges were documented on the LayerOne Badge project on hackaday.io, and they’re probably the best con badges we’ve ever seen.
There are two badges being distributed around LayerOne. The first is an extremely blinky badge with a Cypress PSoC4 controlling 22 individually addressable RGB LEDs. Most conference attendees received a bare PCB and a bag of parts – the PCB will get you in the door, but if you want your nerd cred, you’ll have to assemble your own badge.
There are still a few interesting features for this badge, including an ESP8266 module that will listen to UDP packets and drive the LEDs. Yes, a random person on the same WiFi AP can control the LEDs of the entire conference event. The badges can also be chained together with just three wires, but so far no one has done this.
The second badge – for speakers and staff – is exceptionally more powerful. It’s a Linux box on a badge with two Ethernet connectors running OpenWRT. For a con badge, it’s incredibly powerful, but this isn’t the most computationally complex badge that has ever been at a LayerOne conference. For last year’s badge, [charlie] put together a badge with an FPGA, SAM7 microcontroller, SD card, and OLED display. They were mining Bitcoins on these badges.
The Hardware Hacking Village was loaded up with a dozen or so Metcal soldering irons, binocular microscopes, and enough solder, wick, and flux to allow everyone to solder their badge together. Everyone who attempted it actually completed their badge, and stories of badge hacking competitions at other cons were filled with tales of people sprinkling components on random solder pads. Imagine: a conference where people are technically adept. Amazing.
We’re at LayerOne this weekend and one of the talks we were excited about didn’t disappoint. [Jos Weyers] presented Showing Keys in Public — What Could Possibly Go Wrong? The premise is that pictures of keys, in most cases, are as good as the keys themselves. And that pictures of keys keep getting published.
[Jos] spoke a bit about new services that offer things like 3D scanning and storage of your key for printing when you get locked out, or apps that ask you to take a picture of your key and they’ll mail you a duplicate. Obviously this isn’t the best of ideas; you’re giving away your passwords. And finding a locksmith is easier than finding a 3D printer. But it’s the media gaffes with important keys that intrigue us.
We’ve already seen the proof of concept for taking covert images to perfectly duplicate a key. But these examples are not so covert. One example is a police officer carrying around handcuff keys on a belt clip. Pose for a picture and that key design is now available to all. But news stories about compromised keys are the biggest offenders.
A master key for the NYC Subway was compromised and available for sale. The news coverage not only shows a picture at the top of the story of a man holding up the key straight on, but this image of it on a subway map which can be used to determine scale. This key, which is still published openly on the news story linked above, opens 468 doors to the subway system and these are more than just the ones that get you onto the platform for free. We were unable to determine if these locks have been changed, but the sheer number of them has us thinking that it’s unlikely.
Worse was the availability of fire-department master keys which open lock boxes outside of every building. (Correction: these are fire department keys but not the actual lock-box keys) A locksmith used to cut the original keys went out of business and sold off all their stock. These keys were being sold for $150, which is bad enough. But the news coverage showed each key on a white background, straight on, with annotations of where each type of key will work.
Other examples include video news stories about credit card skimmers installed in gas pumps — that coverage showed the key used to open the pump housing. There was also an example of speed camera control cabinet keys being shown by a reporter.
[Jos’] example of doing the right thing is to use a “prop” key for news stories. Here he is posing with a key after the talk. Unfortunately this is my own house key, but I’m the one taking pictures and I have blurred the teeth for my own security. However, I was shocked during image editing at the quality of the outline in the image — taken at 6000×4000 with no intent to make something that would serve as a source for a copy. It still came out remarkably clear.
Some locks are stronger than others, but they’re all meaningless if we’re giving away the keys.
LayerOne, the first level of security. [Brian Benchoff] and I are excited to take part in our first LayerOne conference this Saturday and Sunday in Monrovia, California.
Anyone in the Los Angeles area this weekend needs to get out of whatever they have planned and try out this conference that has a soul. Get the idea of a mega-con out of your head and envision a concord of highly skilled and fascinating hackers gathering to talk all things computer security. Speakers will cover topics like researching 0day exploits, copying keys from pictures taken in public, DDoS attacks, social engineering, and more.
It’s not just talks, there is a ton of hands-on at LayerOne as well. I plan to finally try my hand at lock picking. Yep, I’ve covered it multiple times and we’ve even had a session led by [Datagram] at the Hackaday 10th Anniversary but I’ve never found time to give it a roll. Of course electronics are my game and [Brian] and I will both be spending a fair amount of time in the hardware hacking village. We’ll have a bunch of dev boards along with us if you want to try out an architecture with which you’re unfamiliar. This year’s LayerOne badges are sponsored by Supplyframe; we’ll have something in store for the best badge hacks we see during the weekend.
See you there!
We are doing a lot this spring to get people elbow-deep in hardware hacking. We have so many live events coming up that we’re going to be doing Saturday morning recaps to keep you informed. Here are the upcoming events you should be planning to attend if you’re nearby.
Today! NYC Hardware Hackathon
We hope you didn’t miss our announcements about the Hardware Hackathon we’re putting on in New York. It starts this afternoon and runs all night and into Sunday. If you really want to get in on the hacking we might be able to help you out (hit us up on Twitter). But you can also show up on Sunday to see the results live. Tickets for that are available here.
May 9 & 10 Hackaday Prize Worldwide: Los Angeles
Next weekend we open up the Hackaday Design Lab of Pasadena, California for a workshop, talks, and a day of hacking. This is the Hackaday Prize Worldwide: Los Angeles. Start out on Saturday with the Zero to Product workshop which will discuss getting from design to production. Interspersed with this are a set of talks from amazing presenters before a bit of social time at night. On Sunday we open our doors for Free Build and hope to see a ton of people working on their Hackaday Prize entries. RSVP now!
Saturday, May 16 BAMF Meetup
Seeing everything at Bay Area Maker Faire means a lot of time on your feet. By the end of the day the Hackaday Crew is ready to take a load off and toss back a tasty beverage. We invite you to join us on Saturday, May 16th starting at 7pm. All the cool kids will be there so please RSVP now.
It’s not compulsory, but a lot of people bring hardware they’ve been working on to show off at this meetup and you should too!
May 23 & 24 LayerOne Conference
Every year our friends from NullSpace Labs organize the LayerOne Conference in Los Angeles. This is LA’s premier hardware security conference. This year Supplyframe is sponsoring the badges and Hackaday will be camped out at the Hackaday Hardware Village.
[Brian Benchoff] and [Mike Szczys] will be hacking their own badges while looking for awesome hacks other people are pulling off. We’ll bring plenty of swag and want to get everyone there to try at least some level of badge hack.