Every year at the beginning August, hackers and security enthusiasts from around the world make their annual pilgrimage to Las Vegas for the Black Hat, DEF CON and BSides security conferences. Throughout the week, suspicious Wi-Fi networks pop up, ATMs mysteriously go down, and people compete in hacking skills tests called Capture the Flag contests or CTFs.
CTF challenges can range in skill levels, from basic cipher cracking to full-blown vulnerability discovery and exploitation. The official DEF CON CTF for example, spans 48 straight hours and sees 24 teams attempting to hack into each other’s systems to capture digital “flags” while at the same time, finding and patching their own vulnerabilities before opponents can get in.
Other CTFs are much less hardcore but still fun. The DCDarknet challenge is one of my long-time favorites, with challenges that focus on puzzle-solving vs raw reverse engineering. One of the defining features of the DCDarknet CTF is their badge. For the uninitiated, #badgelife has become a staple of the DEF CON conference in recent years. Hobbyists and organized groups design and produce digital circuit board badges which they then sell or distribute during the conference to like-minded individuals.
These badges come as simple as an LED-lined dragonfly to a badge complete with built-in mini-games. The #badgelife phenomenon started back in 2006 with the first digital conference badge for DEF CON 14 . The DC14 badge wasn’t incredibly complex. It consisted of two LEDs, a battery clip, a button, and some circuitry to enable different light blinking modes. From that point on though, the official conference badge became more and more complex every year (taking a year or two off and reverting to a non-digital badge every once and a while) and other hardware hackers joined in on the fun bringing their own badges.
Two years ago, our WatchGuard contingent of hackers decided we wanted in on the fun. In the months leading up to Black Hat 2017 and DEF CON 25, we put together our own CTF contest complete with its own digital badge for participants. We created a story for the event where participants were working for a mysterious hacker organization known as Crimson Thorn to help agents out in the field. While CTFs weren’t entirely new to the more corporate Black Hat conference, digital badges definitely were, and we decided to bring both to the conference anyway.
Much like the DC14 badge that started it all, our inaugural badge was pretty simple. It consisted of an Arduino Pro Trinket soldered on to a PCB with 5 buttons and 8 orange LEDS.
CTF participants had to solve puzzles and crack codes on a website designed to look like a command line terminal (the source code for which I’m still too embarrassed to let see the light of day). Some of the challenges required entering code words into the badge by lighting up the LEDs in the binary representation of letters. One challenge even used the LEDs and persistence of vision to form a hidden message if participants waved their badges back and forth fast enough. That last one was where we discovered the battery holder we used wasn’t as snug as we first though.
Participation in our first CTF admittedly wasn’t amazing. Less than 100 people completed the first challenge and only around a dozen made it past the first ten. Badge demand was so low that we still have boxes of them sitting in the WatchGuard Threat Lab offices. We learned from the experience though and came back firing on all cylinders in 2018.
For our second year, I overhauled our contest website into something far more stable, our hardware expert Zane devoted even more time into creating an impressive badge, and the rest of our team worked hard to come up with even more interesting CTF challenges.
We built our 2018 badge around the Raspberry Pi Zero which is a neat little computer. The badge included a screen for displaying challenges (and a fun/frustrating racing game), buttons for navigating around the menus, and a circular grid of LEDs for displaying a symbol substitution cipher.
Aside from a few minor issues (including a visit from the dreaded electronic smoke monster), the 2018 CTF was a resounding success. Over 700 people participated during the event with hundreds of them going considerably deep through the challenges. We ran out of our badge allotment for Black Hat before the end of the conference and quickly gave the rest of them away early on the first day of DEF CON.
I’m happy to say that this year, we’re back and better than ever. As I write this, the 2019 badges are on an airplane to Seattle and our team is hard at work finishing this year’s challenges for the CTF. We’ve taken what we learned from previous years (test the charging circuit early and often) and built a truly spectacular digital badge that, once again, we’ll be giving out for free to lucky participants.
We actually started our badge development pretty soon after arriving back home in Seattle from last year’s gauntlet of conferences. Our first dev board came in around December, after we decided on the components we wanted to use. It wasn’t pretty, but it was functional.
We then played around with fun shapes for the PCB, testing how complex of a design our manufacturer could punch out for us. We also tested the components we could connect up to the microcontroller and made sure our battery charging circuitry was 100% working early on.
We want to keep the final badge secret until closer to the conference but there are a few things I can share. First off, we’ve switched from using development boards like the Pro Trinket and Pi Zero to designing our own custom PCB around the Espressif Systems ESP32 microcontroller, giving us access to Wi-Fi and Bluetooth.
In fact, we’ve removed all of the daughterboards and flush-mounted every component directly to the badge in a much slicker design. This includes a new screen and navigation buttons. We also increased the LED count by an order of magnitude, because light-up bling is awesome. Finally, we’ve included a Shitty Add-On V.1.69bis-compliant header for all of your SAO needs.
If you’re itching to start on this year’s CTF, we’ve already hidden the first teaser challenges on the website CrimsonThorn.net. If you’ll be at Black Hat or DEF CON and want to earn a badge, you’ll need to complete a few additional challenges too, the first of which go live very soon. If you won’t be in Vegas next month, you can still play along with the CTF when it launches in totality on August 7th.
Cqi'ox rqjsz a aaynmb gqrx. Raw'aq jemz pdqa jqf t vtcaqanoa hwbmv. Vvx vaft bkrl eo xilkgzbyq.