The BSIDES NCL 2024 Badge: An Insight Into Badgelife - Simon Gurney

cool we'll kick off so who am I uh co-founded pum security a few years ago so that's what I do day today consy um but I'm also P developer SEC guy geek uh and security you want cool so um really I guess want to start how did this all come about badge stuff and Concepts in security badge life come across that and and these sort of can you see these at the back so these sort of badges is what you'll see at um death B you black hat this big culture around

um well this is not going great I'm going to stand here so if you go to defon this is Defcon 25 someone's badge horde so these sort of badges are just really PR out there here's another set of of random flashy badges um for me in it we quite often deal with abstract Concepts and it's difficult to see what we do you know if you ever tried to explain what you do to your sort of parents then you probably feel the same way and I'm also not very creative I can't draw or play music this just doesn't come naturally to me so this is quite a good creative Outlet um whilst also being on the periphery of what we

do as an industry um and the way that these badges tend to work is really quite accessible so um as a startup of 10 we have a coin cell battery just like the ones on the back of your badges and they connect to an LED you don't to put any components in the way there's enough internal resistance in the battery to make an LED light up and not blow the LED so from the circuitry point of view they're very simple so I thought I'd have a cracket doing these a few years ago and we've got some examples of ones I've done then it starts to get a bit more complex though so if you want to

control LEDs and make different LEDs flash then we have to have slightly more complex circuits um the main driver and it's the same for your badges here today is a tiny little microcontroller called an at tiny 402 so um you end up writing quite horrible looking C code or chat GPT writes it for you but you're into this interesting space where you've got this little bit of electronics and it's very entry level starter Electronics um and then sort of star a level level C code so it comes together quite nicely um for beginner sort of stuff the only downside is when this code goes wrong you get no feedback um I've done a talk on this at bsid chel

number about exactly how you would use tools to create pcbs and create the code and all that sort of good stuff and programming microcontrollers so we're not going to cover that in this talk today but if you wanted it it's on YouTube you can go and go and grab that so what I want to do in today's talk really is say how do we get to this point right so how did I go from not doing stuff a few years ago to creating these if everyone's not aware yet these are soil sensors so you've got your flashy mode but when you get home today you can shove this in a plant at home um the little instructions on the back for

calibrating it and then when it needs watering it'll start flashing red so um bit more involved than a normal conference badge so how did we how did we get here so my first badge was the Cyberman and one of those is going around today so I wanted to do a badge around the sort of Cyberman aesthetic and that sort of the side man leans itself to badge design really because it's a it's a full metal front right and that's what we can produce on the badges really easily so this was the first attempt um I'm not sure if you can see at the back is that show a little bit so the idea was that you'd have rather than

these sort of LEDs eyes you'd have big LEDs on the front right and that's basically because I didn't know how to do anything different um so this is the the circuit I'm not be a to work this out but that that's the back of the first badge so my first ever attempt and what didn't drawn on me at the time I made it but it did as soon as I tried to plug it in is that line there that goes across that pad is the positive side of the battery and then that middle pad there is the ground of the battery so as soon as the battery goes in it creates a nice little short so that

badge never works I had to sort of cover it up with a bit of nail varnish um and then when you put the Eyes in they sort of took out the badge uh a good centimeter absolutely ridiculous so um that didn't go very far as a badge so then I thought oh how about we start playing with the neopixel LEDs right so these are the things on the the current badge um so at this point I don't know anything about badges so I start looking out on Reddit and stuff and is this stuff even possible so some person four years ago fix noodle salad um asked can we use neopixels with coin cells so coin cells run at Three

volts and these me went at 5 volts and coin cells don't have that much output compared to like an AA battery but for badges they're nice form factor so anyway can you do it of which the answer is no um I wouldn't bet on them working at all below 3 volts um it would not work on 3 volts and the coin cell would not provide enough current um so the general consensus was it wouldn't work but um you got to test these things right that's the culture we've got in info SEC is the data sheet says no but reality can say yes so you end up doing nonsense like this so this is the very first

prototype of a of a bad you know Bread Board in it but also this sort of stuff where I've literally got LEDs shoved them on a board and now I can find a way to test them at various voltages and you going and buy one of these things of Amazon so this allows you to dial the voltage in the amps so now I can go will it will it work at 3vt will it work at 2.2 volt will it work if I drop the the ampage what happens if I put too much through it um essentially it would work so now we get into this sort of prototype so this is another badge uh again it's the

Cyberman I don't if you can make it out of the back but rather than the battery P we've got troves on the battery casing and we can put variable voltages through those I screwed up the circuitry so I had to put this like horrible wire on it um because after things are back to front but that's that journey and this is what the cman ended up being so the Cyberman in the middle works and all these other ones don't so it's quite a painful journey and every time you make a mistake it takes you two weeks for the bord to come from China before you realize or I think it's better or worse sometimes you realize a week in you

still waiting for your order and then you sort of have an epiphany in the shower oh that's never going to work so um it's quite a painful feedback loop and I think in it we get quite used to Quick feedback loops so we're quite happy to make mistakes because it it surfaces quite quick and then we fix um you don't really get that with this it forces you to slow down cool so we do a S man badge at this point and then bides CH last in 2023 um I'm on socials and they say they got back to the future thinge right so I'm like a this cyber man if you sort of stretched it a bit we got a DeLorean so

let's go and do a DeLorean batch and that's where this came from now this itself introduced a few challenges so the delorean's got this re Back to the Future parts that light up blue um so this this rail here and the bottom would light up blue if OB if you're shining blue light through a yellow board it diffuses really quick and you don't really get the bless so a lot of the game here this is the first prototype of that board and there should be one doting about is basically a board with different size LED slots and then we can try all the different LEDs and see which one produces the best light for the

board and then we order actually about three or four different boards uh from China of different depths because we want to try and make it sure the light diffus is enough but actually it's not if the board's too thick the light diffuses so well you can't see The Damp thing so there a bit of a mix to play there so that was the b-size cham DeLorean uh and that was the end result so we had the blue lights coming through and then the headlights are all different colors it work quite nicely we had a bit of a mini game on it um and that's where we shining that blue light through um so the following year um B sh

them had a UFO theme and again if you get a Cyberman and sort of stretch it and squee it a little bit we we have this so this was like absolutely nauy there was no rejects apart from um I ordered some prototypes and then they didn't like these Landing legs they said they look like um some sort of like sci-fi ERS so we end up with a new board without the ERS so you'll see one floating about smaller as well the on look slightly bigger was a fairly smooth process cool so by this point bid sh I'm fairly happy that I can do a fairly decent badge game right for for conferences um and bid new C is a local

con right so we're I'm in North pal in North pal bides is is is our closest one and they've got this like really quirky plant them right what the V new came to was giving out succulent plants so like let's lean on the plant Vibe um so I get in touch with Ben and Ryan said that yeah punk would love to come and do some badges um and they send these sort of pictures so this you know plant po Geer here is the mascot of P it's like okay what sort of badges can we do here and I was a bit probably overly ambitious so my first thought was well if it's plant Vibes can we make a

plant sensor so can we can we work out if the soil's too dry and you can get these things up Amazon right so um Su whack it in the soil and you should a to work out if the soil's dry or wet that's the gist of it so can we get this key they giveing big sort of golden legs and pop them in a plont of soil po of soil that's the plan here's a science behind it the way that that sort of mechanism works is this is if everyone's um Electronics sort of Basics here we've got a voltage applied to a circuit we've got two resistors and in the middle that voltage the value of the voltage on this

V out stand by that green circle will fluctuate depending on the value of these two resistors right that's what we call a voltage divider so if we replace one resistor with soil and that soil resistor resistance changes based on its moisture content then as the soil resistance changes if the top one is the same then this voltage changes and we've got a way of measuring um res the resistance of the soil and therefore it's moisture content that's the science there you go add some water so then we get into testing so this is um one of those Cyberman badges that are floating about and I was trying to work out what's the best way of measuring the

soil moisture you should it be longer probes shorter probes far apart close together you know rather than actually research it I figured i' just sold us some wires in front of this cyman shove them in a PO soil then take Lo the measurement of resistance between the wires right so that's what's happening here um so that's all good but then the reality is within a few hours of passing current through those plates the electrolysis kicks in and it takes all the Popp off it so now at this point you can no longer get Med so whil it did look to Works quite nicely the badge just basically destroys itself when we do the testing right this is a bit of a drama

so you go back to the drawing board internet's like oh well can't really use those you have to coat the surface in something Galvanize it essentially so I thought oh what about a bit of a hair brain scheme number two he's got his arms out we'll give him some wires and we'll hand out a bucket of galvanized nails at the door and then you can just skew those into the pot and then it'll be and do it right that would be great but thought even for bsid Newcastle a bucket of galvanized nails going out to people it's probably a bit stupid it be sticking people's legs and things so so that wouldn't work so then hair brain

Scream number three and this is where I should have really took Ain in it it's capacitive sensing so how can we measure the moisture of soil and not you're thinking why are you still going down the soil rout right I I don't know but anyway so so how can we make the moisture in the soil without putting electricity directly through it and therefore causing that problem this problem has been solved it's on Amazon for like a pound right capacitive soil moisture sensor you think if something's on Amazon for a pound it should be fairly easy to do right it turns out uh it's not so here's a circuit for a capacit uh soil sensor um and I'm trying to

basically remove all this stuff cuz I don't want to solder it all and just get away what is the absolute minimum we need to test it um so let's talk science there for a second so the way this works now is we are going to try and um connect two pins together connect two pins together on the controller and we put a voltage out of one pin and read it on the other right so we turn a pin on it's wired to the next one we read it and there's a bit of a resistor in there to slow down electricity getting through okay that's the theory and what happens is when the soil is connected to that

pin it acts like a little bit of a battery and therefore the voltage won't immediately go up it creates a curve right that's science1 and the idea is if we put terribly pixelated water into the soil then it becomes a bit bigger of a battery and now that rate of charge will be different and therefore if we measure in the rate it charges we can see how good the soil is I know you're thinking this is absolutely nothing to do with conference badges is it Simon but it's the pathway going down so I didn't have a prototype to test that hence the first version of um the badge which not too similar to the one you've got today uh

two weeks later that comes in the post and this is what it turns up like and it's not a trick of the projector I completely messed it up so there is no art on it at all um off to a good start there and then you can't really see I don't think but what it's basically solding a load of probes to the badge at this point to work out um if it will work me with this weird system in the living room for approximately 3 months in various gues um of plant pots with sensors in going to a laptop some serial outs and we're just measuring the rate of charges we'll go into that in a

second but we start doing this um you won't work this out but the reality is it didn't work so as we start to measure this measuring the rate of charge the rate of charge appears in sometimes to be slower when it's wet but not all the time different times a day I was doing it for about 4 hours trying to work it out and it was basically too close to my laptop monitor and the interference was trashing it different parts of the day would cause it it was just a bit of a nightmare really so um what I then worked out as well is when I connected it to my laptop to get the data off the chip the the chip is

powered by the coin cell Factory but to get Cal to work you have to have a common ground so you connect the ground to your laptop by the cereal cor and now when the laptop's connected that throws interference down the the ground line so your ground's moving whilst you're trying to measure a voltage difference is an absolute nightmare so you end up with this chunky thing which is a breadboard with a load of relays on what we're trying to do is get the this to measure the soil moisture whil it's not connected to the laptop and then connect to the laptop and take at the reading in an fairly automated way so um this becomes a reality we've connected it to

the laptop interference is kicking in so we cut the lines with a relay the device then measures it then we remove the brake and we read it in the laptop and we do that over and over and over soil takes an extraordinary long time to dry if you haven't got a plant in it so just really painful um and that's where this device comes in so this allowed me to do this over you know days weeks and it just sounded like I had some sort of weird robotic Cricket living in the living room um it's so so we're doing that now and it still doesn't quite work so what we see is this same problem we're doing sampled

readings but one time it can be completely different to to the next and there's no real obvious pattern so then I start looking at open source research and what other people are doing someone's actually got an open source one of these which is where I got that schematic from earlier here um but the obvious thing really when I looked at it on this picture is that their probe is like this probe there a middle ground pad um you can't really see it in this so we go back we order a new one back from China and now we've added this middle sort of L and that allows this battery element to form some people say

you don't need it it really works for us though but the feedback of drying out soil is still too slow so now I have to buy a green house out Amazon and a dehumidifier and then the whole thing sits inside these shelves and we drying soil as fast as we physically can because what happens is you put the badge in you go oh this is great soil's dry and then you water it and the values change you go this is great I'm detecting water and then at some point over like 2 or 3 days it stops working and you have to S of work out what you've done wrong and and that feedback loop of drying soil is absolutely

horrendous so this ends up in the living room for a good while um and then we switch to this mode so that what we talked about before is that battery charging or some clever individual figured that if you put a signal through it rather than just charge it and try and measure it you put a signal through and then if it doesn't fully charge because the batter is bigger it and it won't fully discharge because the battery's bigger we end up with a slightly different value on average and that's easier to to work out and that's what you're seeing in this so then you start getting the C on the bag and this is our charging cycle I

can't remember if if this plant's wet or dry at the moment it looks like it's wet it gets squashed when it's wet so you end up with this pattern and it's B then how do we programmatically read this pattern on a microcontroller um cool but then what we also see which was the first time I'd seen this and kind of makes sense is the bit that we're trying to measure is this and this is on each of those lines so whatever this background noise is I don't know if it's me broadband me microwave or what have you um causes Arrow signal to ride on another signal and actually from the microcontroller it couldn't take it couldn't tell when this

was happening but the numbers would be up so then we need to work out how to eliminate that is the Gaz are in the greenhous chilling um so we test and Tes and testing it still doesn't work and I'm sort of getting a bit Fed Up of it um and then it sort of works out that it's this static resistor we've got at the start so if this is really high get super good granularity and that's why we were using it to start with so when the soil is wet it takes absolutely ages to charge and we can measure that really easy and when it's dry it doesn't that's really good we got a good sweep when the

resistor is smaller the effect of the soil is less because the battery charge is faster if that makes sense um problem is that high resistance also means that you there's so little power coming through to charge the battery that external noise can charge the battery as well so um that now seems obvious but that did take me about a month to realize so um what we do there is we pop the resistor off and we put a variable resistor on and this allows me to just put a screwdriver in and change the value of resistance and then it goes back in the green house and there's two running side by side and we just keep

testing and testing until we find The Sweet Spot which on these is 6.8 th000 ohs of resistance um tweak twe tweak is back in the green house and then finally we get to the point where it works and this was probably mid August I'm on the Discord I'm like it actually works like this is great I could sort of loosely tell when it was in water or not it just wasn't working as a soil sensor so for a little bit of a time I had an idea that we could use this as a game right so it sit there and You' go red when he's angry and you dip him in a cup of tea or

something and then you'd unlock a new flashing mode you turn it into a bit of a tamagi um that was you know insane so thankfully it worked uh so here is is going to play the first time it you know first prototype really working he comes out and he starts flashing red when he's out of the water and then you pop him back in the water and he goes back to sleep that was just so satisfying glad you all really appreciate that so we're back in there we tweaking the codes now and then we had a sunny day in Yorkshire so he was out in the garden for a bit trying to dry that soil um and we get

graphs like this so what we're trying to do here is work out what that what that tolerance should be so um what we're seeing here is um got better we'll come back to this this is a a video of some guy did on YouTube and it shows this signal we were talking about getting squeezed as it's getting in this case in our case when the soil's wet but he's just touching the pro so I don't if you caught that but essentially that's that's exactly what we're measuring here so when we get this signal in the code is measuring it yeah yeah so when the s dry we get this nice big peak and ideally it should be

square pin comes on pin comes off we end up with this sort of Saw too and and the wetter the saw the bigger the battery gets squashed down um and that's what this graph's showing us so when we start to sample that data we end up with a low point a high point and then the difference between the point if you imagine so we get three things and what we actually care about is the difference because the low and the high can move depending on battery voltage and stuff so then you start writing lots of weird code to sample it as fast as you can lots more graphs lots more tweaking and then just one more piece of

the puzzle at this point we've got a working badge and we can measure soil but what you want to do is put this in a part of soil this more say I'm aware saying this process but we want this got put in the and last like a year or so right there no every two weeks you got change the battery at that point you can probably just like the so and workout a bit dry and add water so you want to be able to the battery life to last when you're doing conference badges this might actually be relevant if you want your own badges is you need to work out what the power consumption is right so

if you're run on a coin sale this in flashy mode will last you maybe a day or two in soil mode you easily get over a year out of it and when it's turned off the M stay on but it will last probably a decade and this is exactly how we do it so um I used to have this trash scope this fancy electronic one and we have what we're seeing here is when the pin comes on to start measuring the the um in this instance actually when the when the SCE to dry the LED Splash red what we don't want to do is the LED Splash red for a day and then it dies and then plant dies you're like

that it's fine so what we're doing here is working out exactly how long did the LEDs come on so here it says 15 milliseconds F so you can see the LED voltage shoots up the Z contr turn it on and flashes so now we know that the they're on 50 milliseconds and you're into a game of working out um what's the minimum you can Flash for but a human eye picks it up as a flashlight you 50 milliseconds it's only on for 12 a second it's enough for you to recognize it so we flash that every 4 seconds so now we've got a ratio of when it's on to off and then we use a very expensive

multimeter to work out it's not it's about to work out how much power that's using at that time right so you see the M they can do that bit of match to times those together and these should last about if you don't you know they'll last longer than your plant if you put this in a plant and it start flashing red you get about two months out of it I think if you don't water it in those two months your plant's dead anyway so you might as well stop the battery um yeah but in sensing mode it last years um we added some shiny teeth to it added the instructions on the back uh tested it

some more cuz it turns out that if you add shiny teeth it might change some of the way that that capacitive circuit's working cuz youve had big play sort of in antennas essentially um but that was fine add the flashy modes sold a 220 of them uh program allad M controllers produce a very Punk version uh and that's it You' got yourself a conference

badge wow [Music] and so for how many months have you had random like plant so well you don't plant like soil and electronics line all over your Liv that be murdered yeah it was bad the wife had these like two olive trees and the pot were just absolutely brilliant for building a soil sent theive trees I mean they were fairly dead anyway but the ol trees were great antenna so they have to get HS overx that probably the worst but yeah it was it was sort of electronic Cricket noise for like two months a b problem yeah any

question min five um I tend to get int there's always that hopeful that they will work and they don't but yes yes so 5 or 10 yeah with you order over 20 I think the shipping starts to get a bit weird at least I use J C PCB which is the only on I how many how many iterations of boards did you have to order disp dispatch was um four but a competent engineer would have ordered less yeah four given the number of things had problems most problem like changing this level of the end one little component [Music] question I think over time she's G

why yeah I think yeah yeah is this question yes you've got a few what you do um an individual and a company try open source so I've been a busy to get yet but Shon 2023 of course they on the code all the things you can just go to and all the five of them is all on there do it or any

yeah yes yes so so this is um this ISO header simpi more at the start um that exposes the three on the ground so

you're we use unated because every single get yes you can put I think or do de this work

extension of Applause for