Decrypting DEF CON badge challenges

Every summer, tens of thousands of hackers and information security enthusiasts make a journey to the Las Vegas strip for the Black Hat and DEF CON security conferences. While most attendees spend their week watching briefings and visiting vendor booths, some choose to instead team up and tackle the different puzzle challenges that go on behind the scenes.

Here’s an introduction to the secret world of cryptography, device modding and hidden clues at the world’s largest hacker gathering.

The team challenge: The DEF CON badge

Starting in 2012, the DEF CON badge became the centerpiece of a unique puzzle challenge. On the most basic level, contestants participating in the puzzle solve clues which lead them to web pages containing other puzzles and clues. Puzzle pieces are hidden throughout the conference including floor and wall graphics, the welcome book, the badge’s lanyard and even the badge itself.

DEF CON attendees get different badges depending on who they are. Regular attendees get the Human badge, volunteers get the Goon badge, contest winners get the Uber badge, and speakers get their own as well. Each of these badges has different clues, so participants need to interact with other attendees to obtain all the puzzle pieces.

The DEF CON badge puzzle challenge is designed to bring hardware hackers and cryptography enthusiasts together in teams. The badge puzzle’s creator, Ryan Clarke (aka LosT), does an excellent job of making the puzzles challenging enough to hold up for the multi-day conference, but with enough clues to be actually solvable.

As an example, DEF CON 23 used six different lanyards which used Nyctograph and Gold Bug enciphering to encode secret messages. Decoding the messages wasn’t enough, though: challenge participants then had to use a QWERTY keyboard as a Playfair Cipher table to unlock the readable hidden message.

DEF CON 23 lanyards – Image courtesy of Team Potato

At DEF CON 24, the badge itself contained several clues. One line of encoded text used a one-time pad to hide a late-stage message for the puzzle challenge. Another string of text could be converted into letters and then rotated using a Caesar shift to spell out a word unique to each type of badge (speaker, attendee, volunteer, etc.). A final hidden message pointed to a clue hidden in The On-Line Encyclopedia of Integer Sequences.

DEF CON 24 press badge – Courtesy of Council of Nine
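
The "convert to letters, then rotate with a Caesar shift" step described above can be worked through in a few lines. This is an added example, not code from the badge or the puzzle's creator: the A=1..Z=26 number mapping, the sample string and the candidate word list are all constructed assumptions.

```python
import string

ALPHABET = string.ascii_uppercase


def numbers_to_letters(encoded):
    """Map space-separated numbers 1..26 to A..Z (assumed encoding)."""
    letters = []
    for token in encoded.split():
        value = int(token)
        if not 1 <= value <= 26:
            raise ValueError("value outside 1..26: " + token)
        letters.append(ALPHABET[value - 1])
    return "".join(letters)


def caesar_shift(text, shift):
    """Rotate every letter of an A-Z string forward by `shift` places."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] for c in text)


def solve(encoded, wordlist):
    """Try all 26 rotations; return (shift, word) pairs found in wordlist."""
    letters = numbers_to_letters(encoded)
    hits = []
    for shift in range(26):
        candidate = caesar_shift(letters, shift)
        if candidate in wordlist:
            hits.append((shift, candidate))
    return hits


# Constructed inputs: not the real badge text or the real solution words.
SAMPLE = "11 24 16 4 17"
CANDIDATE_WORDS = {"HUMAN", "GOON", "UBER", "SPEAKER", "PRESS"}

if __name__ == "__main__":
    print(numbers_to_letters(SAMPLE))
    for shift, word in solve(SAMPLE, CANDIDATE_WORDS):
        print("shift", shift, "->", word)
```

With only 26 possible rotations, trying them all and checking against a word list is faster than guessing the shift by hand.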

Even more puzzle hacking: The DC DarkNet challenge

If that digital treasure hunt isn’t enough for you, there’s a second DEF CON puzzle tradition to tackle, and it’s even more cyberpunk than the first one. The DEF CON DarkNet (aka DC DarkNet) challenge is part hardware hacking kit, part alternate reality game (ARG). The ARG, designed loosely around the novel Daemon by Daniel Suarez, leads participants on a series of challenges communicated to them by a digital AI-like puppet master called a Daemon.

Like the main DEF CON badge challenge, DC DarkNet comes with its own badge as well. But participants must put the DC DarkNet badge together themselves. The badge was designed to teach participants basic skills for hardware hacking like soldering and programming.

DC Darknet 2016 badge – Courtesy of DCDark.net

The challenge itself forces participants to learn about other skills and technologies in the cryptography space. At DEF CON 24, the first stages of the DC DarkNet ARG required tasks ranging from solving cryptography puzzles using different ciphers, to looking up GPS coordinates in Google Maps to locate clue words.

The DC DarkNet project aims to provide a collaborative and educational contest. Like the badge puzzles, it requires participants to interact with each other while learning useful skills throughout the journey. It is an excellent place to start for those new to these types of challenges.

Black Hat USA 2017

If these types of puzzles are right up your alley, try your hand at cracking a new challenge this year, starting here: crimsonthorn.net. If you’re able to crack the puzzle and will be attending Black Hat this year, there will be tons more to uncover in person at the show. You can also learn more about this year’s DC DarkNet. Good luck on the badge puzzles this year!