
DEF CON 30 in Review: How the Echelon Team Won a Black Badge, and a Black Badge Breakdown

If you read Dahvid Schloss’s review of DEF CON 29 from last year, you might remember his depiction of the event being smaller and more reserved than previous years due to COVID concerns. If you haven’t, go check it out here to catch up.

I remember reading his write-up last year and tempering my expectations for this year’s DEF CON 30, which was my first time attending the conference.

I was not prepared for what occurred.

For those who don’t know, DEF CON is usually big. Like, really big. And this year, the 30th anniversary branded as “Homecoming”, was no exception. The team and I arrived Thursday afternoon and felt like we were in a sea of people until we left Monday. While walking to Caesars Forum to register on Thursday, I recall being blown away by how many people I saw wearing these white badges that looked like pianos. Even more noticeable to me was the variety of people who were attending.

But the badges. Let’s talk about the Badges.

It sounds ridiculous if you’ve never attended but badges are one of the most exciting parts of DEF CON. They’re not ordinary badges, though. Each badge, which is usually a decorated PCB, has some way for the owner to interact with it. Some are puzzles, some just light up, but all of them are supposed to represent the organization who distributed them. Everyone who attends DEF CON gets an event badge (unless they run out) but you can win or buy other badges from vendors and villages.

Above all other badges, DEF CON also presents the coveted Black Badge, which, according to their website, “is a powerful talisman, awarded only to those who have emerged unbeaten from the crucible of elite DEF CON competition.” A Black Badge allows the holder to attend DEF CON for the rest of their natural lives. They are elusive, highly regarded, and treasured.

So, this is the story of how our team won a black badge.

One of the pleasant surprises of DEF CON 30 for a first-time attendee was the number of villages available to browse. There’s a village for everyone, from the Ham Radio village, where licensed amateur radio operators were discussing the latest news and administering tests, to the Lockpicking village, where attendees could learn and hone lockpicking and bypassing skills, to the Car Hacking village, where I watched people attempt to hack vehicle central consoles.

One of the villages I knew I wanted to visit was Blacks in Cyber (BIC), which is a group of infosec professionals with the shared goal of elevating and highlighting the Black community in Cybersecurity. I have been impressed by their outreaches and wanted to introduce myself. On Saturday, I visited the village and, after some time meeting some of the BIC members, I saw that they were holding a Capture the Flag (CTF), so I decided to enter the competition.

The next 24 hours were a blur. After a few hours of attempting on my own, I found myself in second place. Since we could work in teams of up to four, I enlisted my team to help with some of the challenges with which I was struggling.

We stayed up late. We got very little sleep. We missed talks we really wanted to see (it’s ok, we were able to watch them later). But by the time the event ended on Sunday, we had won! I could do another write-up just on how well-thought-out, challenging, interesting, and fun the BIC CTF was, but I will summarize my thoughts as “impressed and looking forward to next year.”

Unbeknownst to us, BIC was one of the few villages chosen to present a Black Badge this year. So, when we were invited to the award ceremony on Sunday evening, you can imagine our surprise when we were ushered into a small room and presented with the Black Badge. Even now, it doesn’t feel real.

That said, I present to you DEF CON 30’s Black Badge.

DEF CON 30 Black Badge Breakdown

When I finally had an opportunity to REALLY look at the badge and take everything in, there were a few components that immediately stood out to me. The first parts were the switch and two buttons on the side. The switch turns the badge on, while one button activates moving LEDs around the interior of the badge and the other announces, “Congratulations! You are holding a DEF CON 30 Uber Badge.”

One interesting note about the audio is that if it is pressed again, the audio sounds like it is the same file but cut short, so you only hear, “DEF CON 30 Uber Badge.” Finally, if you press it a third time, it says, “Uber. Uber. Uber, Uber, Uber.” I don’t think there’s any significance to this, but I found it interesting.

The next piece I noticed was the keys on the back displaying “DC 30.” During some Open-Source Intelligence Gathering that was required to further understand the badges, I found that all of the badges had different keys from different keyboards, which I thought was a cool touch.

Getting past the obvious, I started thinking more deeply about the front display. I could not figure out what it was. At first it was suggested that it was a spectrogram, but I could not find a way to scan it. I tried using various reverse image searches, turning it on its side and upside down, and every other CTF and escape room trick I knew, only to come up empty-handed.

It wasn’t until I tried using Google Lens with the borders intact that I discovered images that looked nearly identical to this one. The images led me to a mobile application called “Phono Paper” which was, of course, a spectrogram reader. After a few attempts, I got Phono Paper to read the front, doubled the speed, and was presented with the secret message. “Congratulations! You are holding a DEF CON 30 Uber Badge.” A little disappointing, but I was excited that I figured it out.

The next rabbit hole I went down was the binary code on the back. The challenge to reading the binary was that the DEF CON logo, along with random electrical components suspended in some form of resin, covered the binary in the center of the badge. I ended up creating a table in Excel, populating the cells I could clearly see, then going back and looking at the small corners of ones and zeros I could see under the clutter.

Once the table was populated with everything I could clearly see, the values were converted to ASCII. After some educated guessing the message became clear: “This will be an everlasting love.” A clear reference to Natalie Cole. I listened to that song all day the next day while thinking about what kind of clue that could be, but I’ve come to believe that either it’s just a reference to a great song or I’m missing something.
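
The spreadsheet-and-guessing step above can be made systematic. The following is an added example, not code from the original post: it assumes each transcribed cell is `0`, `1`, or `?` for a bit hidden under the resin, and that the message uses only letters, spaces and basic punctuation.

```python
import string

# Assumption for this example: the hidden text is an English sentence.
PLAUSIBLE = set(string.ascii_letters + " .,!?'")

def candidates(bits):
    """Return every plausible character that matches an 8-cell pattern.

    Each cell is '0', '1', or '?' for a bit that could not be read.
    """
    if len(bits) != 8 or set(bits) - set("01?"):
        raise ValueError(f"bad byte pattern: {bits!r}")
    unknown = [i for i, b in enumerate(bits) if b == "?"]
    found = []
    for fill in range(1 << len(unknown)):      # try every value of the hidden bits
        cells = list(bits)
        for n, pos in enumerate(unknown):
            cells[pos] = "1" if (fill >> n) & 1 else "0"
        ch = chr(int("".join(cells), 2))
        if ch in PLAUSIBLE:
            found.append(ch)
    return sorted(found)

def decode_grid(rows):
    """Decode transcribed rows into one candidate list per byte."""
    stream = "".join("".join(row.split()) for row in rows)
    if len(stream) % 8:
        raise ValueError("grid is not a whole number of bytes")
    return [candidates(stream[i:i + 8]) for i in range(0, len(stream), 8)]

def render(cands):
    """Show certain bytes as-is, ambiguous ones as [abc], impossible ones as _."""
    out = []
    for c in cands:
        if len(c) == 1:
            out.append(c[0])
        else:
            out.append("[" + "".join(c) + "]" if c else "_")
    return "".join(out)

# Constructed sample: the word "This" with two cells masked.
SAMPLE_ROWS = ["01010100 0110?000", "011010?1 01110011"]

if __name__ == "__main__":
    print(render(decode_grid(SAMPLE_ROWS)))
```

Bytes that still show several candidates are the ones where the educated guessing has to happen, and a `_` usually means a cell was transcribed wrongly.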

There were a few other interesting pieces to consider about the badge. While reviewing the pictures of other badges I found online, I noticed that each of them had random components in random places except all of them had a resistor directly to the left of the logo.

Other people's badges that I found online

Resistor values can be determined by their colored bands, which encode the resistance in ohms. Since the resistor is the only component that was in the same place on every badge, I think there’s significance to it. My leading theory is that the values dictate which number badge you received. Until someone tells me I’m wrong I’ll continue to pursue that theory.

Lastly, I wanted to pull the firmware off the badge and review it. I had a pretty difficult time with this. The badge is a Raspberry Pi Pico, which allows for firmware to be uploaded by putting the Pi in bootloader mode and uploading the UF2 file. When in bootloader mode, the Pi appears as a mass storage device where the UF2 file can be placed.

I connected the badge to my computer and attempted to interact with it over a serial connection, but the only interaction I could get was with the storage, so I imported another UF2 which I thought would let me use os.walk to navigate the firmware. That was when I learned the Pico can only support one UF2 at a time and I had overwritten the original firmware 😊

Thankfully, the husband-and-wife duo who created these badges was kind enough to send me the original firmware to put back on the badge, so it worked properly. When I did have an opportunity to dump the firmware to hex, I did not find anything that seemed entirely out of the ordinary except these two strings.

One says, “DEF CON 30 Uber Badge” which made sense to me. The other, however, showed numbers zero through nine and letters A through F, followed by Piano, Violin, and Clarinet. This is particularly interesting because the musical DEF CON 30 badge that all attendees received had a debug mode in which these same numbers and letters were used to validate each button was working. Also, the DEF CON 30 badge had a piano, violin, and clarinet option, though there were a few other options in addition.
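
For readers who want to repeat the string hunt on a firmware image, here is an added example (not the author's tooling and not the badge firmware): it reassembles the flash contents from a UF2 file's 512-byte blocks and then lists printable strings with their flash addresses. The sample image, its addresses and the `make_block` helper are constructed for illustration.

```python
import re
import struct

MAGIC0, MAGIC1, MAGIC_END = 0x0A324655, 0x9E5D5157, 0x0AB16F30
NOT_MAIN_FLASH = 0x1  # UF2 flag: block is not part of the flash image

def uf2_to_image(uf2):
    """Reassemble flash contents from a UF2 file; gaps are filled with 0xFF."""
    if len(uf2) % 512:
        raise ValueError("UF2 length is not a multiple of 512")
    chunks = {}
    for off in range(0, len(uf2), 512):
        m0, m1, flags, addr, size, _no, _total, _family = struct.unpack_from("<8I", uf2, off)
        (end,) = struct.unpack_from("<I", uf2, off + 508)
        if (m0, m1, end) != (MAGIC0, MAGIC1, MAGIC_END):
            raise ValueError(f"bad magic in block at offset {off}")
        if size > 476:
            raise ValueError(f"payload too large in block at offset {off}")
        if not flags & NOT_MAIN_FLASH:
            chunks[addr] = uf2[off + 32:off + 32 + size]
    if not chunks:
        raise ValueError("no flash blocks found")
    base = min(chunks)
    top = max(a + len(d) for a, d in chunks.items())
    image = bytearray(b"\xff" * (top - base))
    for a, d in chunks.items():
        image[a - base:a - base + len(d)] = d
    return base, bytes(image)

def strings(image, base=0, min_len=6):
    """Return (address, text) for each run of printable ASCII."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(base + m.start(), m.group().decode("ascii")) for m in pat.finditer(image)]

def make_block(addr, payload, no, total):
    """Build one UF2 block (helper for the constructed sample only)."""
    head = struct.pack("<8I", MAGIC0, MAGIC1, 0x2000, addr,
                       len(payload), no, total, 0xE48BFF56)
    return head + payload.ljust(476, b"\0") + struct.pack("<I", MAGIC_END)

# Constructed sample: 512 bytes of "flash" split into two 256-byte UF2 blocks,
# with one string placed so that it straddles the block boundary.
FLASH = b"\x00" * 250 + b"0123456789ABCDEF" + b"\x00" * 246
SAMPLE = (make_block(0x10000000, FLASH[:256], 0, 2)
          + make_block(0x10000100, FLASH[256:], 1, 2))

if __name__ == "__main__":
    base, image = uf2_to_image(SAMPLE)
    for addr, text in strings(image, base):
        print(f"{addr:#010x}  {text}")
```

Searching the raw UF2 file instead of the reassembled image splits any string that crosses a block boundary, because each block's header and padding sit between the payloads.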

Is this just reused firmware? A mistake? A clue? I don’t know. Yet.

What’s Next?

I think I’ve gone as far as I’m going to for now with this badge. If anyone else has some insights regarding the hex code dump, the significance of the Natalie Cole song, or if I missed anything regarding the resistors or other components, I would love to hear from you.

Overall DEF CON impression? Do yourself a favor and go at least once. If you enjoy the cybersecurity field and have an interest in growing, it’s hard not to enjoy. Maybe I’ll see you there next year 😊
