The Cryptographer's Cipher

Security Conference Badge Hacking Competition Won By Attendee Who Simply Asked For Badge

Social engineering triumph as contestant bypasses NFC, BLE, and RFID exploits by approaching registration desk and saying 'I lost mine'

The annual badge-hacking competition at InfoSec Summit, in which attendees compete to extract hidden data from the conference's custom electronic badge, was won this year by a participant who bypassed all technical challenges by walking to the registration desk and asking for a replacement badge with full access.

The badge, a custom PCB featuring an ARM Cortex-M4 processor, NFC chip, Bluetooth Low Energy radio, and three hidden UART interfaces, was designed by a team of hardware security engineers over four months. It contained encrypted flags at five difficulty levels, with the highest-level flag requiring exploitation of a deliberate buffer overflow in the badge's firmware.

Eleven teams spent the two-day conference disassembling badges, probing debug ports, sniffing BLE traffic, and reverse-engineering firmware.

The winning entry was submitted by Sandra Vector, who walked to the registration desk at 10:14 a.m. on the first day and said: "Hi, I lost my badge. Can I get a new one? I'm a speaker." She was not a speaker.

The registration volunteer, who had been instructed to verify speaker identity but was also managing a line of forty people and a malfunctioning badge printer, handed Vector a speaker-tier badge with full access privileges, including the administrative interface that contained all five flags in plaintext.

"The attack surface was not the badge," Vector said during her acceptance speech. "The attack surface was Trevor at the registration desk who was having a very long day."

The competition judges deliberated for two hours on whether social engineering constituted a valid badge hack. They ultimately ruled in Vector's favor, noting that the competition rules specified "extract the flags from a conference badge" without restricting the method.

Trevor has been offered a position on next year's security team. He has declined, citing a desire to "never think about badges again."

AI-generated satirical fiction. Not real news.

© 2026 winkl

*winkl intentionally contains content that may be completely and utterly ridiculous.