
BSides Badge Talk

BSidesSLC · 33 views · 23:06 · almost 3 years ago

This talk details the hardware design, power management, and cryptographic puzzle implementation of the 2023 BSides Salt Lake City conference badge. The badge features a custom PCB with an e-paper display, solar-powered capacitor-based energy harvesting, and a series of complex puzzles based on historical ciphers and cryptographic concepts. The speaker explains the engineering challenges of low-power design and provides a walkthrough of the puzzle solutions, including visual cryptography and assembly-based logic.

Engineering Constraints as a Security Feature: Lessons from the BSides 2023 Badge

TLDR: The 2023 BSides Salt Lake City badge demonstrates how extreme hardware constraints, such as solar-powered capacitor-based energy harvesting, can be used to force unique security challenges. By limiting power to the point where the device remains in a deep sleep state, the designer created a platform where traditional interactive exploitation is impossible. Researchers must instead focus on side-channel analysis and physical manipulation of components to bypass these hardware-level security controls.

Hardware hacking often devolves into a race to find the easiest path to a shell. We look for exposed UART headers, JTAG interfaces, or poorly implemented bootloaders. When those are absent, we move to side-channel attacks or fault injection. However, the 2023 BSides Salt Lake City badge presents a different kind of challenge: a device so constrained by its power delivery system that it effectively secures itself through physical limitations.

The Power of Constraints

Most conference badges are glorified blinky lights powered by a CR2032 battery. This badge, however, uses a small solar cell to charge a capacitor, which then powers an e-paper display. There is no battery. If the device is not in the light, it is dead. This design choice is not just an aesthetic or environmental decision; it is a fundamental security control.

Because the device relies on a capacitor to store energy, it spends the vast majority of its time in a deep sleep state. It only wakes up long enough to refresh the e-paper display when the capacitor reaches a specific voltage threshold. This creates a massive barrier for anyone trying to interact with the device. You cannot simply attach a debugger and expect a stable connection. The device is essentially a transient target that disappears the moment you try to probe it.

For a pentester, this is a masterclass in how hardware design dictates the attack surface. If you want to extract the firmware or manipulate the logic, you cannot rely on traditional interactive methods. You are forced to look at the physical layer. The badge's PCB was designed in KiCad, so anyone with the source files can map out the traces, but the lack of persistent power makes traditional in-circuit testing a nightmare.

Cryptographic Puzzles as Logic Gates

The badge is not just a piece of hardware; it is a series of cryptographic puzzles. These puzzles are not just "find the flag" challenges. They are implemented as logic gates that require physical interaction with the board. For example, the badge includes a Stargate-themed puzzle that requires the user to remove specific resistors from the PCB to unlock the next set of screens.

This is a brilliant way to force a researcher to understand the hardware. You are not just solving a cipher; you are modifying the circuit. If you remove the wrong resistor, you might break the power delivery system or prevent the e-paper display from refreshing. This is the hardware equivalent of a buffer overflow, where the "memory" you are corrupting is the physical integrity of the board itself.

The puzzles themselves draw from historical ciphers and cryptographic concepts, including visual cryptography. In one instance, the badge displays a static, noisy image that appears to be random data. When you overlay the correct physical component or use the provided QR code to access the digital version, the image resolves into a readable message. This forces the researcher to bridge the gap between the digital and physical worlds, a skill that is increasingly rare in an era of cloud-native security.
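To make the "noisy image that resolves when overlaid" concrete, here is an added example (not code from the talk or the badge firmware) of a 2-out-of-2 visual secret sharing scheme in the style of Naor and Shamir. Each secret pixel becomes a 2x2 block of subpixels; a single share always has exactly two dark subpixels per block, so it carries no information on its own, while stacking the two shares (a logical OR, as a transparency overlay does) recovers the message. The secret image is a constructed sample.

```python
import random

# Constructed sample secret: '#' = black pixel, '.' = white pixel.
SECRET = [
    "#...#",
    "#...#",
    "#####",
    "#...#",
    "#...#",
]

# The six 2x2 subpixel patterns with exactly two dark cells (1 = dark).
PATTERNS = [
    ((1, 1), (0, 0)), ((0, 0), (1, 1)),
    ((1, 0), (1, 0)), ((0, 1), (0, 1)),
    ((1, 0), (0, 1)), ((0, 1), (1, 0)),
]

def complement(p):
    return tuple(tuple(1 - v for v in row) for row in p)

def make_shares(secret, rng=random):
    """White pixel: both shares get the same random pattern (overlay stays half dark).
    Black pixel: share 2 gets the complement (overlay becomes fully dark)."""
    h, w = len(secret), len(secret[0])
    s1 = [[0] * (2 * w) for _ in range(2 * h)]
    s2 = [[0] * (2 * w) for _ in range(2 * h)]
    for y in range(h):
        for x in range(w):
            p = rng.choice(PATTERNS)
            q = p if secret[y][x] == "." else complement(p)
            for dy in range(2):
                for dx in range(2):
                    s1[2 * y + dy][2 * x + dx] = p[dy][dx]
                    s2[2 * y + dy][2 * x + dx] = q[dy][dx]
    return s1, s2

def overlay(s1, s2):
    """Stacking two transparencies: a subpixel is dark if either share is dark."""
    return [[a | b for a, b in zip(r1, r2)] for r1, r2 in zip(s1, s2)]

def block_darkness(grid):
    """Dark-subpixel count per 2x2 block, row-major; a lone share is all 2s."""
    return [sum(grid[y + dy][x + dx] for dy in range(2) for dx in range(2))
            for y in range(0, len(grid), 2) for x in range(0, len(grid[0]), 2)]

def decode(stacked):
    """Fully dark block -> black pixel; half dark -> white pixel."""
    w = len(stacked[0]) // 2
    counts = block_darkness(stacked)
    return ["".join("#" if c == 4 else "." for c in counts[r * w:(r + 1) * w])
            for r in range(len(stacked) // 2)]

def render(grid):
    return "\n".join("".join("#" if v else "." for v in row) for row in grid)
```

Print `render(s1)`, `render(s2)` and `render(overlay(s1, s2))` to see the two noise fields and the recovered letter; the contrast loss (white decodes to a 50% grey block) is inherent to the scheme.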

Real-World Applicability

Why does this matter for a pentester or a bug bounty hunter? Because we are seeing more IoT devices that operate under similar constraints. Whether it is a low-power sensor in an industrial control system or a remote monitoring device in a hard-to-reach location, the constraints are the same. These devices often lack the power for robust encryption or complex authentication mechanisms.

When you encounter these devices in the field, do not look for a web interface or a network-accessible API. Look at the power delivery. Look at the physical components. If a device is designed to be low-power, it is likely designed to be simple. And simplicity is the enemy of security. If you can manipulate the power state or the physical components, you can often bypass the entire security model.

Defensive Considerations

For the blue team, the lesson is clear: hardware is not a black box. If you are deploying IoT devices, you must assume that an attacker will have physical access. If your security model relies on the device being "too hard to open" or "too complex to understand," you have already lost.

Defenders should focus on tamper-evident packaging and, where possible, secure elements that can detect physical intrusion. If a device is meant to be low-power, ensure that the firmware is signed and that the bootloader is locked. Even a simple, solar-powered badge can be a powerful tool if it is designed with security in mind.

The next time you are at a conference, take a look at the badge. It is not just a souvenir. It is a piece of engineering that tells you exactly how the designer thinks about security. If you can understand the constraints, you can understand the vulnerabilities. And if you can understand the vulnerabilities, you can build a better defense.
