Content

Building the CCDC Badge System

Two weeks ago, some of the Security Weekly crew spent a couple of days down in Maryland hanging out with all of the great CCDC crew. While Paul and Darren played Red Team for the Mid-Atlantic Collegiate Cyber Defense Challenge, I got to play “the badge man”.
It was my job to design and implement a physical access control system and conference badges that was “in scope” for the Red Team to attack, and the Blue Team to defend. Ultimately I wanted the badge to be RFID enabled, have a form factor similar to those found in industry. I also wanted them to be easy to transport and reproducible for those on student budgets. In that spirit, I’m here to spill my guts about the system, hardware and code so that you too can make this part of your cyber challenge.
The Hardware:
The hardware is quite simple. It uses:

  • A Parallax RFID Reader
  • An Arduino (ATMEGA 328)
  • A red and green LEDs – many sources, such as Radio Shack
  • Various lengths of wire
  • A project enclosure of your choosing

    The badges feature laser cut acrylic (thanks to the AS220 FabLab), and Q5 RFID tags rewritten and in EN4X02 emulation mode. While we wanted to provide an RFID reader/writer for each participant, the cost became prohibitive. Instead we had some hardware that featured the ACG Dual ISO OEM Module. Our module was sourced from Adam Laurie, author of RFIDIOt, which was used to read and write the Q5 RFID tags.
    badgerb.jpg
    Red and Blue Team badges, minus the RFID card

    The Code:
    Darren the intern and I spent the better part of two weeks battling code to get this work, especially given that we were trying to compare two different variable types, and a host of other issues. What we did find that part of the problem had already been tackled before. The read and compare to a list of known values worked, but much of the rest of the code did not. The part that didn’t work we knew how to fix so we used that as the base for the system. Once that was complete, it was simple as providing some feedback to the user that a badge read failed or succeeded.
    Basically, the code takes input from the reader and compares it to a list of values. If it finds a match, it turns the green LED on for 3 seconds, continues to compare to the end of list and then waits for another badge and illuminates the red LED. If it doesn’t match, it turns off the red LED for 1 second, and the illuminates it. Green means go, red means stop.

    IMG_1002.png
    An installed reader

    The Docs:
    I also presented some information about the badge and some rules before the contest started. Those slides can be found here. Additionally, I did a wrap up of all of the ways I thought of to hack the badge system. Those slides can be found here.

    scott.jpg
    This physical security is better…

    Oh, I bet you want some other goodies! This file contains all of the code, lists of all of the RFID tag values, as well as wiring diagrams in image and Fritzing format.
    Any and all feed back is welcome. E-mail me at [email protected], or sent me a note on twitter to @haxorthematrix.
    Enjoy!

  • Larry Pesce

    Larry’s core specialties include hardware and wireless hacking, architectural review, and traditional pentesting. He also regularly gives talks at DEF CON, ShmooCon, DerbyCon, and various BSides. Larry holds the GAWN, GCISP, GCIH, GCFA, and ITIL certifications, and has been a certified instructor with SANS for 5 years, where he trains the industry in advanced wireless and Industrial Control Systems (ICS) hacking. Larry’s independent research for the show has led to interviews with the New York Times with MythBusters’ Adam Savage, hacking internet-connected marital aids on stage at DEFCON, and having his RFID implant cloned on stage at Shmoocon. When not hard at work, Larry enjoys long walks on the beach weighed down by his ham radio, (DE KB1TNF), and thinking of ways to survive the impending zombie apocalypse.

    Get daily email updates

    SC Media's daily must-read of the most current and pressing daily news

    By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.