Bic Pick Walkthrough
This talk provides a technical walkthrough of the 'Bic Pick', a custom hardware badge designed for DefCon that incorporates an ESP32-S3 microcontroller and NeoPixel LEDs. The presenter details the badge's architecture, including its support for wireless inter-badge communication via 'BadgeNet' and its use of a serial terminal interface for configuration. The session serves as a guide for participants to assemble, customize, and troubleshoot their badges, highlighting the badge's role as a learning tool for soldering and embedded systems security.
Beyond the Badge: Lessons in Embedded Systems Security from the Bic Pick
TLDR: The Bic Pick badge from DEF CON 2025 serves as a masterclass in embedded systems security, utilizing an ESP32-S3 microcontroller to facilitate inter-badge communication via a custom protocol called BadgeNet. By exposing a serial terminal interface, the badge allows researchers to manipulate hardware states, interact with a virtual file system, and participate in a scavenger-hunt style CTF. This device demonstrates how seemingly simple hardware can be leveraged to teach complex concepts like side-channel analysis and protocol exploitation.
Hardware hacking often feels like a black box to those of us who spend our days in web application security or cloud infrastructure. We see the shiny PCBs and the blinking LEDs, but we rarely get to see the underlying architecture that makes them tick. The Bic Pick badge, designed for DEF CON 2025, changes that dynamic by providing a transparent, accessible platform for learning about embedded systems. It is not just a piece of conference flair; it is a functional, programmable device that forces you to think about the physical layer of security.
The Architecture of the Bic Pick
At the heart of the Bic Pick lies the Espressif ESP32-S3, a powerful, dual-core microcontroller that is a staple in modern IoT development. What makes this badge interesting from a security perspective is its implementation of BadgeNet, a custom protocol designed for wireless inter-badge communication. This is where the real fun begins for a researcher. By enabling devices to talk to one another, the badge creates a mesh-like environment where data can be intercepted, spoofed, or manipulated.
The badge exposes a serial terminal interface, which is the primary gateway for interaction. You do not need a complex debugger to start poking around; a simple serial connection is enough to get a shell. Whether you are using screen or minicom, the process is straightforward. Once connected, you are presented with an AT-style command interface that allows you to control the hardware, including the 18 onboard NeoPixels.
Interacting with the Hardware
The power of the Bic Pick lies in its accessibility. You can manipulate the badge state in real time, which is an excellent way to understand how firmware interacts with physical components. For example, if you want to interact with the badge via the command line, you can use the following commands to establish a connection:
```shell
# Using screen to connect to the serial port
# (the port enumerates as a USB CDC device, so the link speed is set by USB and the baud value is largely cosmetic)
screen /dev/ttyACM0 112500
# Using minicom to connect
minicom -D /dev/ttyACM0 -b 112500
```
Once you have a shell, you can start exploring the virtual file system. The badge is designed to be a learning tool, so it includes various commands to help you navigate its capabilities. If you find yourself in a situation where the badge is behaving erratically, it is often a sign of a poor physical connection. Resoldering the 3.3V or ground lines on the NeoPixel pins is a common fix for these issues. It is a tactile reminder that in hardware hacking, the physical layer is just as prone to failure as the software layer.
The CTF Component
The badge is also the center of a scavenger-hunt style CTF. Unlike traditional CTFs where you are given a set of objectives, the Bic Pick requires you to explore the environment to find flags. These flags are often hidden in the firmware or embedded within the BadgeNet protocol. The flag format is simple and consistent:
BIC{some_witty_message}
This format makes it easy to identify when you have successfully exploited a component or decoded a packet. The challenges range from firmware-level puzzles to application-level logic flaws. Some challenges require you to understand the underlying communication protocol, while others are simple puzzles that reward attention to detail. This is a great way to practise OWASP-style thinking in a non-traditional environment. For instance, understanding how to prevent unauthorized access to the serial interface is a direct application of the principles found in the OWASP IoT Top 10.
Real-World Applicability
Why should a pentester care about a conference badge? Because the techniques you learn here are directly applicable to real-world IoT engagements. When you are tasked with testing a smart device, you are often looking for the same things: exposed debug ports, insecure communication protocols, and weak firmware protections. The Bic Pick gives you a safe, controlled environment to practice these skills without the risk of bricking a client's production device.
If you find that the BadgeNet communication is becoming too noisy or distracting, you can disable it using the following commands:
```text
# Disable BadgeNet
AT+FWR=disable,badgenet.txt,base64_blob
# Re-enable BadgeNet
AT+FWR=enable,badgenet.txt,base64_blob
```
This level of control is exactly what you want when you are trying to isolate a specific component during a test. It allows you to focus on the vulnerability at hand without being interrupted by the rest of the system.
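As an added host-side helper (not code from the badge project), the following composes the three-field AT+FWR command shown above with a properly base64-encoded blob, parses such a line back, and scans captured terminal output for the BIC{...} flag format described in the CTF section. The restriction of the mode field to enable/disable, the filename character set, and the sample capture are all assumptions made for the example.

```python
import base64
import re

# Flag format stated on the page: BIC{...}; the allowed inner characters are an assumption.
FLAG_RE = re.compile(r"BIC\{[^{}\n]{1,128}\}")
# Command shape shown on the page: AT+FWR=<mode>,<filename>,<base64_blob>.
# The filename grammar the firmware accepts is unknown; a conservative set is assumed here.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
PREFIX = "AT+FWR="

def build_fwr(mode: str, filename: str, payload: bytes) -> str:
    """Compose an AT+FWR line, base64-encoding the payload as the blob field."""
    if mode not in ("enable", "disable"):          # assumption: only these two modes
        raise ValueError(f"unsupported mode: {mode!r}")
    if not SAFE_NAME_RE.match(filename):            # refuse separators, '..' and the like
        raise ValueError(f"unsafe filename: {filename!r}")
    blob = base64.b64encode(payload).decode("ascii")
    return f"{PREFIX}{mode},{filename},{blob}"

def parse_fwr(line: str):
    """Parse an AT+FWR line into (mode, filename, payload); reject malformed input."""
    if not line.startswith(PREFIX):
        raise ValueError("not an AT+FWR command")
    fields = line[len(PREFIX):].split(",")
    if len(fields) != 3:
        raise ValueError("expected exactly three comma-separated fields")
    mode, filename, blob = fields
    if not SAFE_NAME_RE.match(filename):
        raise ValueError(f"unsafe filename: {filename!r}")
    payload = base64.b64decode(blob, validate=True)  # strict: no stray characters
    return mode, filename, payload

def extract_flags(serial_output: str) -> list:
    """Return every BIC{...} flag in a terminal capture, deduplicated, in order of appearance."""
    found = []
    for match in FLAG_RE.finditer(serial_output):
        if match.group(0) not in found:
            found.append(match.group(0))
    return found

# Constructed sample of a terminal session (not real badge output).
SAMPLE_CAPTURE = """\
> AT+FWR=disable,badgenet.txt,ZGlzYWJsZWQ=
OK
> cat notes.txt
hint: BIC{solder_joints_matter}
BIC{solder_joints_matter}
"""
```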
Defensive Considerations
From a defensive standpoint, the Bic Pick highlights the importance of securing debug interfaces and implementing robust authentication for inter-device communication. If your device exposes a serial shell, it should be disabled in production. If it must be enabled, it should be protected by a strong, unique password or a physical lockout mechanism. Furthermore, any wireless protocol used for inter-device communication should be encrypted and authenticated to prevent the kind of spoofing that is possible with BadgeNet.
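To make the authentication recommendation concrete, here is an added example (not the real BadgeNet wire format, which the talk does not specify) of an inter-badge frame protected by a truncated HMAC-SHA256 tag over a sender id, a monotonic counter and the payload; the receiver rejects forged, corrupted and replayed frames. The frame layout, the demo key and the tag length are assumptions; confidentiality (encryption) would be layered on top and is not shown.

```python
import hashlib
import hmac
import struct

# Hypothetical frame: sender_id (2 bytes) | counter (4 bytes) | payload | tag (16 bytes)
HEADER = struct.Struct(">HI")
TAG_LEN = 16

def seal(key: bytes, sender_id: int, counter: int, payload: bytes) -> bytes:
    """Build an authenticated frame; the counter is under the tag, so replays are detectable."""
    body = HEADER.pack(sender_id, counter) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class Receiver:
    """Verifies frames and remembers the highest counter accepted from each sender."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}

    def open(self, frame: bytes):
        """Return (sender_id, payload) for a genuine, fresh frame; None otherwise."""
        if len(frame) < HEADER.size + TAG_LEN:
            return None                                   # too short to be valid
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):        # constant-time comparison
            return None                                   # forged or corrupted
        sender_id, counter = HEADER.unpack_from(body)
        if counter <= self.last_counter.get(sender_id, -1):
            return None                                   # replayed or stale
        self.last_counter[sender_id] = counter
        return sender_id, body[HEADER.size:]

# Constructed demo key; a real deployment would provision a unique key per badge.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def demo():
    """Genuine frame accepted; bit-flipped copy rejected; exact replay rejected."""
    rx = Receiver(DEMO_KEY)
    good = seal(DEMO_KEY, 0x0042, 1, b"BIC{hello}")
    forged = bytearray(good)
    forged[HEADER.size] ^= 0x01                           # flip one payload bit
    return rx.open(good), rx.open(bytes(forged)), rx.open(good)
```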
The next time you find yourself at a conference, do not just wear your badge. Take it apart, look at the traces, and see what you can learn. The Bic Pick is a reminder that the best way to understand security is to build, break, and rebuild the systems we rely on every day. Grab a soldering iron, open a terminal, and start digging. There is a lot more to these devices than meets the eye.