A Hardware CTF on Arduino: Abhinav Pandagale's BSidesSF '23 Badge (No Spoilers!)

A cozy night in with a hardware capture-the-flag challenge, embedded in a gorgeous PCB conference badge!

Alex Glow
1 year agoBadges / Art / Security / Gaming

This year, I had the pleasure of interviewing Abhinav Pandagale about his full-color PCB badges for this year's RSA Conference and BSides SF security events in San Francisco. He showed me some cool demos and info about the UV printing used on both badges:

Abhinav has posted tutorials for both badges on his Hackster profile:

As he mentions in the interview, the RSA badge is compatible with a set of custom remotes that activate LEDs corresponding to different villages, while the BSides badge contains an embedded capture-the-flag challenge (CTF). Plus, if you completed the CTF during the conference, you got a little add-on with a UFO abducting a cow! It took me until this November to actually try it out, but it made for a great evening of nerdy fun with my partner, T.

We started by turning the badge off, plugging it into my computer over Micro USB, and firing up the Arduino IDE. Then, we launched the Serial Monitor with the required settings and sent three stars (***) to start the challenge. Immediately, we were greeted with the first piece of ASCII art and a "system error": the first of five challenges. With each completed challenge, a different area of the badge lit up, which was thematically linked to that challenge. I love that little design tie-in!

Here are my tips for anyone attempting the CTF:

  • Bring a code buddy. Since T has a lot more programming experience than me – which came in handy several times – he recognized the initial "error code" as a particular type of encrypted text... and that's all I'll say about that. 😉
  • You may use spaces in your answer.
  • The hints were perfect – we did end up using the last three, especially because it was getting late near the end! If you're kinda stuck but don't want to use the hints yet, try poking around the website a little.

Difficulty-wise, the challenge was very approachable. It took us about 3 hours, from 11pm to 2am, including a bit of a side quest where we decided to try installing Kali Linux on a Raspberry Pi in case it came in handy. (It did not – you really only need the board, the Arduino IDE, and a standard browser. But don't let that stop you!)

If you can't get your hands on this board, you can try similar challenges at conferences like RSA, DEF CON, and Hardwear.io (a dedicated hardware security conference). I tried one a few years ago at Hardwear.io that involved using thermoformed plastic beads to create a simple utility key, dumping the program flashed to an Arduino board, and re-balling a BGA chip... which is a great way to learn how to blow tiny silver solder balls everywhere with a heat gun.

As for this challenge, the art alone was well worth the effort! I learned a few techniques, and it was satisfying to contribute a bit of non-programming knowledge to the team. Plus, it feels like I've finally earned my little UFO cow.

I hope Abhinav does another CTF; you can see more cool badges on his Hackster profile, and follow more of his work over at hackerwares.in and on social media.

Alex Glow
The Hackster team's resident Hardware Nerd. I love robots, music, EEG, wearables, and languages. FIRST Robotics kid.
Latest articles
Sponsored articles
Related articles
Latest articles
Read more
Related articles