The AND!XOR Conference Badges Are Part Of An IoT Botnet

A project log for AND!XOR DC25 Badge

We're going bigger, better, more Bender.

Hyr0nHyr0n 06/25/2017 at 17:340 Comments


The hackers at AND!XOR have full command and control over all badges in our ad-hoc BLE mesh badge-net. We may dictate the badges send lulz, gifts, ransom-booze-ware, or unleash DDOS havoc on all of our badge holders if they are jerks. Depends on our level of drunkenness...

But oh, you're telling yourself, "There's no way they could do that with BLE, those AND!XOR dudes are somewhere in the casino getting hamski'd." Well those badges are acting as badge-net layer 2/3 repeaters. Once you're infected, you're contagious, and a mobile mesh network node executing instructions we have commanded for a duration of time. Given the density of badges in the population and expected foot traffic, we have high confidence we can reach most participating in the game unless they are hiding under a faraday blanket. That's all we are willing to say about the implementation so folks don't figure out how to abuse the system with an SDR or crack our encryption with a ChipWhisperer. Challenge poker chips and beer if you do, unless you're part of some uber fantasy hacking team composed of Mike Ossman, Joe Grand, Colin O'Flynn, and Joe Fitz (which is no fair).

By activating the badge (WE WILL PIN A TWEET WITH A CODE @ANDnXOR) you enable BLE connectivity and consent to participate in the badge Botnet game. If not, please go to settings and enable Airplane mode once the badge has been activated if you did it by accident (or just don’t activate it, your loss)

For those who have concerns, don't forget we rolled our own custom firmware, executables, and packet structure for the badges. These badges cant be used to harm any *real* systems, since the payloads can only be interpreted by the AND!XOR badges (its absolute garbage to any other OS). This is a safe hax0r friendly environment for you to play in. Hope you have fun, we know we will!

So why would we do this? Control complex for one, but more importantly, to inject chaos while our badge holders play a little game...


BOTNET: The AND!XOR feature multiplayer badge game for the security minded. Congratulations you are the new grey hat sys admin of your very own badge! Take the time to assess your badge, find its vulnerabilities, secure it, and exploit those vulnerabilities on other badge holders before they lock it down. All the while a massive botnet attack is keeping you occupied.

Basic Rules


This is the main screen the sys admin will see at botnet. Here's an explanation of the various fields...

Duh...(More Options) && Further Rules Explained

Allows you to modify (start/stop) Services, change (allow/deny) Firewall rules, Patch all services, View and upgrade your current exploit cache.

Smartphone Terminal

Remeber the <REDACTED> parts of the Smartphone Terminal update?.. .We'll now you may get it. Read that log for details pertaining to our companion app. The links to download it are in that post.

The terminal can be used for many lulz, utility functions on the badge, discovery of unlocks, and modification of botnet services and firewall rules. We've also included a script kiddie toolbox so you can quickly execute commands at the tap of a button (but you have to program it yourself).

Reminder: While you are logged into the maintenance terminal, the badge is in "MAINTENANCE MODE" (e.g. the badge is offline)


The badges were pushed out early before they could be fully secured... (CVE-AND!XOR-1337) All badges have a default root password enabled. Sys-admins are advised to determine what that password is and change it ASAP! Otherwise malicious unauthorized users may remotely log into your badge via terminal and modify services or firewall settings for the benefit of exploitation ;)

Here's an example of some strategery...

  1. Attempt to hack someone's badge with your most badass exploit
  2. Notice they don't have the service enabled or firewall open so you can't use it on them
  3. Log in to THEIR badge via remote terminal (puts the badge into maintenance mode)
  4. Escalate privileges* (this is a puzzle all in itself)
  5. Turn the service on that maps to your badass exploit
  6. Change the firewall rule so your exploit cant make it through (allow)
  7. Type exit to de-escalate your privilege (or dont...whahahahah)
  8. Disconnect from their badge by hitting DISCONNECT on the app (ending maintenance mode)
  9. Use your badge to successfully p0wn theirs
  10. (Optional) Leave a message on their wall using the "wall" command, before disconnecting
  11. (Optional) Open up their entire firewall for the lulz, before disconnecting
  12. (NEVER OPTIONAL) Have a b33r

Command Line Interface

So there were some commands that we also had <REDACTED> in the previous update as well as some commands that didn't make much sense. Now they do. In addition, you may understand why we provided the script kiddies out there with a quick way to execute commands, perhaps to quickly escalate privileges, modify services, and firewall rules...


So you have AND!XOR perturbing the system and injecting chaos via a botnet, all badge holders squaring off with one another via their sys admin interface for some badge like Capture The Flag, and anyone with a smartphone has the ability to gain access through a backdoor remote terminal and p0wn your badge. ENJOY!