
The Badge Talk

BSides PDX · 2024 · 19:48 · 150 views · Published 2024-11
About this talk
This year’s BSidesPDX badge is based on a tried and true open-source badge design that was customized for BSidesPDX. We talk about the design process, the gameplay, and how you can hack the badge (plus, the ways we’ve tried to stop you from hacking the badge).

Joe FitzPatrick (@securelyfitz) is an Instructor and Researcher at SecuringHardware.com. Joe has spent most of his career working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past decade developing and delivering hardware security related tools and training, instructing hundreds of security researchers, pen testers, and hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching. bsidespdx.org
Transcript [en]

[Music] This is the badge talk. It's very non-security technical, except it is going to have some security elements to it. I'm Joe, I designed the badge, and I've been doing hardware stuff for a while. And this is... I'm Smiley, I'm a pentester over at BPM; I think there are some BPM people around here somewhere. I have a little bit of experience with electronics; I've mostly done robotics and whatnot and some embedded systems development. Got some fun facts about me up there, that's really it. So I'm going to give a little background, and then we'll talk about the badge project, and then we'll talk about the actual badges in your hands.

So what's the point of having a badge? You need access to something, so it could be as simple as a wristband, but then cool factor really weighs in there. These are a bunch of... actually two, three BSides Portland and a couple of 44CON, which is a London conference, TiaraCon, which is now The Diana Initiative, and this was a 503 party; you can see a 503 in the wheels of the bike. So they've got to look cool. And the other part about badges is there's got to be some interaction. Just because it's electronic doesn't really mean much, right? Electronic and communicating suddenly opens up a whole realm of cool stuff. So this was from DEF CON a few years ago, where you had a piece, a stone basically, and it had a little EM field that it would create through a little inductor; you put them close together and they'd start flashing in sync and a few things. It was pretty cool. It was very analog, it was very lo-fi, is that the right way to describe it? Lo-fi, yeah. It looked really neat. And the real reason I think badges are great is because they're a learning opportunity. So this is that same badge: you had to get the programmer, and you could plug some pins on there and you could rewrite it and change the patterns and do all sorts of cool stuff. So those are the things I aim for when I make a badge.

So I decided, okay, people keep asking me to make badges, and the answer to the question "Joe, do you want to make a badge for us?" is pretty much always no, but I do it sometimes anyway. So the American badger is Taxidea taxus, and so this project is Open Taxus, right, it's the Open Badger. The idea is it's going to be an open source badge platform where you can literally type in the conference name and upload an image and you'll get all the files you'll need: you get a badge with a logo on it that you can go send off to a manufacturer, you'll get all the code, and you just type your conference name in and it runs and it flashes all the badges for you. So that's the vision. Not that everybody's just going to copy the same badge, but you can focus on the things that you want to do. So if you want to focus on making a cool game for the conference, you can do that and not worry about the rest of the crap, or if you want to worry about the artwork, you can do that and not worry about the software, knowing it's just going to work.

So this is a couple of iterations. On the upper right are the first prototypes, and these were for a conference called LabsCon that wanted to have a badge, and actually we should thank Luta Security for sponsoring that badge and all the research that went into making and developing these and manufacturing them. So it starts out with a crappy board that's wired together with fixes because it didn't work properly, and it ends up with this first revision. But then I was chatting with someone who's like, yeah, we're having a hard time with our badges, we're BSides San Francisco, and I'm like, oh, I have an open badge design, you can just take it and run. And they're like, okay, can you help us a little bit with the hardware and just getting it tailored? Sure. So I helped manufacture the hardware, and then the software, yeah, I ended up helping with that too. But you know, it's kind of like BSides: you show up and suddenly you're in charge. I used to run BSides Portland; that's how that happened, I showed up.

Another idea: I wanted this to be super cheap, because conferences shouldn't spend thousands and thousands of dollars on badges, except when we do. So when we did, I think we had almost 3,000 of them for BSides San Francisco, and they were like $6 each, fully manufactured and assembled and shipped to the United States. For BSides Portland they were a little more expensive, because we were being really complicated with the artwork on it and also because of lower quantities; if you have under a thousand, your part quantity costs go up. So I want to do interaction, and what I'm using is infrared, IR communication. It's just basically spitting out a serial port over one IR LED and receiving it on an IR transistor. It's very short range; it's very difficult to figure out any way to track people using it, so it's just kind of basic, and that's all you really need, and it's also dirt cheap: the bill of materials cost for all of the infrared communications hardware is about 12.

And of course, learning. One of the things that I was amazed with: the LabsCon project was actually someone else's project that they needed to hand off, and they were prototyping with an Adafruit dev board and a bunch of modules that plugged in, and their bill of materials cost was like $120. But they were using CircuitPython, which I had never used before. CircuitPython is amazing. Who here knows Python? Okay, you all know CircuitPython and can run code on microcontrollers now. Okay, how many of you have dealt with microcontrollers before, like embedded systems? Okay, quite a few of you. All you have to do is plug this in over a USB port and you have the console, and you get all the output from everything that breaks when you push buttons. And if you press Ctrl-C you get a REPL; you can go and type Python commands in. And if you want to go and modify code on it, you just look at the USB drive that mounts and modify code.py, and that code runs the next time you write the file. So it's super easy: you don't need a compiler, you don't need any toolchain, you just need a USB mass storage controller driver in your operating system.

So yeah, we went through a mechanical prototype and then an electrical prototype and then another mechanical prototype and then the other one. So all the prototyping has been done, right? For BSides Portland I moved a couple of things to make the artwork work and I sent it off. I didn't prototype it at all, because the whole circuit is the exact same thing as it was minus two resistors. I changed two resistors to give a little more range to your IR communication, because at BSides San Francisco they had to be like touching each other. But, easy to do.

Safe. You'll notice it's a AA, a double-A battery. A lot of people really like to put lithium batteries on things because they can last a long time. The dilemma with lithium batteries is they're kind of dangerous, so walking around with something on that has metal pointy things as well as a pouch of lithium ion fluid, that doesn't seem like a good idea to me. When we were packing these badges, we flashed them all, we put the batteries in them, and we got two badges and put them back to back, like put them face to face, and then stacked those, and we actually had batteries that were shorting each other because we put them backwards to each other. And so we're like, why does it smell? Why is it hot? Why is it really hot? And so we pull them all out, we get the batteries out, we check with a multimeter, there's no short, what's going on? And we realized, you put them back to back, they short each other out. It's bad, so we wrapped them in bubble wrap. Oh well. But if those had been lithium batteries, that would have really sucked, because they would be back to back and they would be hot and they would be in a box full of other batteries that were going to also get hot. And you know, it's not like pagers or anything, but... yeah. I don't know if that was an inappropriate joke.

I went through these pictures in the opening, but basically I added one thing: there's a little power switch on the bottom. For some people that was hard to find, and I actually realized that's another change from BSides San Francisco: this little plastic thing was a tiny bit longer, it stuck out a little bit more, so it might have been more prominent. But it all depends on which switch is in stock that day and cheaper, and so I probably saved 8 cents or something for using that switch instead of one with the longer plastic thing. And of course all the control is that one button in the middle. I love this 5-way d-pad; I've used them on other badges before because it's a single component and it just works, and you get buttons, which is awesome, and they're in a logical format and it takes up very little space.

Again, IR communication. I put the IR components, and actually everything, underneath the screen just to hide it for aesthetic purposes, but it also kind of shields it from IR noise, so if you're somewhere where there are some flashing IR lights, it's less likely to interfere with your communication. But yeah, hold your badges together, push the button up, they should communicate. If they sit there on receiving, then one of you should just push the button and you'll transfer, the other will receive it, and then you'll transfer back. And it might get errors; it'll keep bouncing back and forth with errors. You might want to move the badges closer or farther apart or hold them still, and eventually they'll get the right data across. And if you do it again, it's okay, you'll just get duplicate candy. Oh, this... there we go.

So yeah, after this we're going to go over to the registration room and we'll have some candy to cash out. Has anybody gotten more than five of any one candy type? Okay, not many of you. Well, we have a lot of candy, so hopefully maybe you can go in there and get in groups, like Snickers and Tootsie Roll (there are no Tootsie Rolls), the Twix and everything else, and trade so we can give out some candy and test the code. I haven't actually tested it with more than like eight pieces of candy because, you know, testing.

Oh, so here's a schematic. It's very small, you may not be able to see, but the big one, that's an RP2040, that's a chip made by Raspberry Pi. It's really cool, it's 64 cents, and it has USB, and it connects to a flash chip which has 16 megabytes of storage space. So if you told me 5 years ago, or maybe 10 years ago, like, oh yeah, you're going to have a badge at a conference, it's going to run Python and it's going to have 16 megabytes of storage, I'd be like, uh, yeah right, how much, 500 bucks? Like, no, no, it's going to be $5. I would not believe you, but it's here. And yeah, the battery says "not rechargeable" on it. That's the battery. Some people were looking at it wondering if they could plug it in over USB because it would charge. No. There's no charging circuit; there's no connectivity between USB power and the battery, so don't worry about that. The switch is either USB or battery, never the two combined. Anybody have any questions?

So I'll talk quickly about the software, and then we'll talk about security, because it's a security conference and we need to be relevant. So if we look in the tree, we've got basically the top level directory: we have the hardware, right, we've got a license and the README. "attribution", that was the original game that was used; it was an attribution game where you had to attribute the APT to what attack they did and who the victim was, kind of like the game of Clue. So we built a new one, "trading", for this conference, which is a little bit simpler, where we just kind of trade candy. And if we look inside the badge, there's a lot of Python files. I'm not a good programmer, but I'm a hardware person that has to make software sometimes, so I'd love it if anybody wants to come in and refactor all this code and make it look pretty, but right now it works. We've got a whole bunch of different pages: we have a home page, we have a candy page, we have a, what's it called, trading page, we have a settings page, and each of them is a separate file where you can go and look at things. There's also LEDs.py, and, huh, there's no flag.py, was there supposed to be? Okay, good. There is a flag in the badge somewhere, though. Whoops.

So then we've got the controller. This is the software that runs on the host. You can see there's a pub and a priv JSON. Yes, there are keys. And to tell you more... oh yeah, and when you go to check out, you'll plug in your badge, like have your badge on and the screen on, you plug in the USB cable, it'll go and check all of your candy and it'll tell you how many you've got. So in this case, I had a bunch of... this is my first time mentoring, I had two of these, two of these, three of those, two of those. I didn't have enough; I didn't have five of anything, I had no cash out, and I hadn't been there before, so there was no record of a previous one. Yes, we're going to check so that you can't come back and do it like 10 times, because we know how hackers work. But Smiley's now going to tell more about the threat modeling and security concerns we came up with.

All right, so to start off, I don't have any professional photos, so I just decided to throw some funny photos of myself up there. So some security considerations for making this badge were: make sure it's a good challenge for some hackers or some nerds; it needs to be able to be reused for other badges, which is why we have the key generation, all that kind of stuff; it has to be semi-efficient, because at the end of the day it is just a little badge, it's a little Raspberry Pi Pico; and make sure that the security doesn't take away from the fun, because at the end of the day fun is more important than security, at least here. So in life, in life, yeah.

Some of the implementations were: we threat modeled everything from day one. When I started this project, about a month and a half ago or so, two months ago, we started threat modeling the hardware, then we started coming up with the ideas and threat modeling that, and then finally we threat modeled the software within that to be the most secure that it can, making sure that there can't be overflows or underflows or anything like that. It also uses some public key cryptography; it specifically uses RSA 512 for signing and encryption, making sure everything is the most secure. And to make that efficient we pregenerated a lot of those keys, so those are not done on the badge, those are done prior to it, and then it is assigned to each badge when it's flashed. Yeah, like I said, most of the security operations are on the server side, because if you ran it on the regular badge, I tested this before, it takes about 30 to 45 seconds to make a key pair just using the badge, which, times that by 700 badges, and that takes a little bit too long.

So some lessons learned from this: scalability is very difficult. If I only had like five of those badges, I would have no issue with making all the keys on the badge itself, because that would take less than 5 minutes, but when there are 700 badges you want to think about the most efficient way to do all that. Also, I learned that CircuitPython is awesome. It allows for very easy programming of things; you don't have to program in C or assembly, even. Like, I have some experience with that and some other microcontrollers. And always document everything. Threat modeling is something that you always want to have documents on; make sure that you have documents for every single step of the process, that way you can repeat issues or just have another badge for another conference. And then this is when Joe was flashing all the badges last night, right? Wednesday night. Wednesday night, and he has this awesome rig that can take like 14 of the badges and flash them at once, so, highly efficient.

So, should we talk about some of the threat models that we actually mitigated versus the ones we did not? We don't have to talk about those. All right, so for threat modeling, one of the big things that came to my mind was, what would happen if there was a replay attack? So if you record the infrared and then just replay it, could you cash out multiple things of candy? And at the end of the day I didn't really care about that. Who here is going to record infrared? It travels, or it's better and faster than most modems back in the 90s and 2000s, so you're not going to get that, and it's incompatible with the Flipper. There are some vulnerabilities, though, that we decided to accept. The main ones that we mitigated or got rid of were anything that could take away from the fun. Everything that we allowed to happen does not break the game for anyone or any of that kind of stuff; it can only increase one's fun and chances to get more candy, it can't take away from other people. So that's all the threat modeling, really. Any questions?

I just want to say [Laughter]... I like to call it armchair hacking, because that's where I just sit there for like six weeks and talk about things, and then in the last week we do all the coding. Yeah, that is exactly how it happened. It has been reworked a couple of different times, and we would spend about an hour each week thinking about the threats and the way to mitigate them, and we've been doing this for the past seven plus weeks.

So there, the screen is I²C. There's also a little white connector on the side underneath the screen; that's a STEMMA QT or a Qwiic connector, so SparkFun and Adafruit make a lot of components that communicate over I²C that can connect right up to that, so you can hook up a temperature sensor or something like that. And the serial communication between the infrared is UART, so basically, if you've ever looked at UART, it's UART just flashing a light and receiving on the other end. What the Flipper does is actually use 38 kHz modulated IR, which is what remotes use, so it's a little more complicated, a little fancy, a little more robust. But also we didn't want to turn screens off from across the room; we wanted to communicate with two devices right next to each other, so I don't think I've gotten it to work more than two inches away at all on any of them. So we also wanted to make sure that you can't use a universal remote to hack the thing.

So yeah, I noticed it's missing an SAO connector. Do you consider Qwiic to be kind of the modern replacement for SAO? Good question. It's one of those things I keep meaning to put on there and haven't. One of the reasons is that a lot of the SAOs get pretty bulky, and so most people want to use the through-hole connectors for the SAOs, and if you'll notice, the art side of the badge has very, very, very few holes in it. And you'll notice that even the vias, the little spots where wires go through to the other side, I tried to move those into the black portion of the silkscreen so that they wouldn't stand out as much. So the lack of through holes is the big factor, and you know, we could put pads on it, and I probably should have done that because that's also I²C. I just haven't gotten around to it, but pull requests are taken.

So Nisha helped us with game designing; she came up with the original idea. Actually it was a lot more complicated, it was a lot better at first, but we kind of whittled it down in our weeks of threat modeling. Oh yeah, and Goam Mayerik, he was an eighth grader at Hazelbrook who actually is the one who came up with the game idea, so we should all be thanking them. Can we go get candy now? Yeah, awesome. Thanks everyone. [Music]
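The talk mentions three pieces of the cash-out design without showing code: a host that holds pub/priv JSON keys, RSA 512 signing with key pairs pregenerated per badge at flash time, and a host-side check so a badge cannot cash out ten times. The block below is an added example written for this page; it is not code from the talk or from the Open Badger project, and the arrangement it assumes (each badge holds its own private key and signs its candy report, the host keeps a registry of badge public keys plus a ledger of badges that already cashed out, five of a kind pays out) is a constructed illustration of how those pieces could fit together. The badge id, candy names and payout rule are made up. It uses textbook (unpadded) RSA over a SHA-256 digest so that it runs with only the Python standard library; a real deployment would use a vetted library with PKCS#1 v1.5 or PSS padding. It also keeps the 512-bit modulus size the talk names so the cost of key generation is visible, but 512-bit RSA has been publicly factored since 1999, so anything beyond a conference game needs 2048 bits or more.

```python
"""Per-badge RSA signatures plus a replay ledger for candy cash-out.

Added example, not code from the talk or the Open Badger project.
Assumed design: host pregenerates a key pair per badge, badge signs its
candy report, host verifies and refuses a second cash-out per badge.
Textbook RSA (no padding) is used only so this runs offline; do not
copy it into production.
"""
import hashlib
import json
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; 32 rounds is plenty for a demo."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # composite witness found
    return True


def gen_prime(bits):
    """Random odd candidate with the top bit set, until one passes."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits=512):
    """Host-side key generation, as the talk describes (pregenerated per badge)."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p == q or n.bit_length() != bits or phi % e == 0:
            continue
        return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def canonical(report):
    """Stable byte encoding so badge and host hash the same thing."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")   # < 2**256 < n


def sign(priv, report):
    return pow(digest_int(canonical(report)), priv["d"], priv["n"])


def verify(pub, report, sig):
    if not 0 < sig < pub["n"]:                    # reject out-of-range signatures
        return False
    return pow(sig, pub["e"], pub["n"]) == digest_int(canonical(report))


class CashoutHost:
    """Registry of badge public keys plus a ledger of badges already paid."""

    def __init__(self, registry):
        self.registry = registry                  # badge_id -> public key
        self.ledger = set()                       # badge_ids that cashed out

    def cash_out(self, badge_id, report, sig):
        pub = self.registry.get(badge_id)
        if pub is None:
            return "rejected: unknown badge"
        if report.get("badge_id") != badge_id:
            return "rejected: badge id mismatch"
        if not verify(pub, report, sig):
            return "rejected: bad signature"      # tampered report or wrong key
        if badge_id in self.ledger:
            return "rejected: already cashed out"  # the 'do it 10 times' case
        self.ledger.add(badge_id)
        payout = sum(1 for count in report["candy"].values() if count >= 5)
        return f"ok: {payout} payout(s)"


def demo():
    """Constructed run: a valid cash-out, a replay of it, and a tampered report."""
    pub, priv = gen_keypair()
    host = CashoutHost({"badge-0042": pub})       # constructed badge id
    report = {"badge_id": "badge-0042", "candy": {"snickers": 5, "twix": 2}}
    sig = sign(priv, report)
    results = [host.cash_out("badge-0042", report, sig)]
    results.append(host.cash_out("badge-0042", report, sig))   # replayed
    tampered = dict(report, candy={"snickers": 5, "twix": 5})
    results.append(host.cash_out("badge-0042", tampered, sig))  # edited report
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two design points worth noting. The ledger check runs after signature verification, so only an authentic report can consume a badge's single cash-out; an attacker who merely guesses a badge id cannot lock a real attendee out. And the report is serialized canonically before hashing, which is what makes badge-side signing and host-side verification agree even though they run on different Python implementations.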