"Hack the Planet!" and Badger Were Hits!

Two huge projects I’ve been working on these past few weeks debuted at HackMerced VIII last weekend and they were successful! “Hack the Planet!” was an interactive cybersecurity education event that ran for 16 hours on the Saturday of the hackathon and Badger was the RFID-based IoT registration, attendance tracking, incentive, rewards, stamp, etc. system that I set up to streamline logistical functions for the event.

I’ve been excited to talk about them, but being so busy these past few weeks, I had no time to do so. Now that the event is over and my projects have successfully passed their proof-of-concept phase, I can finally talk about what I’ve been up to.

“Hack the Planet!”

Last October, I was wondering what I should do for HackMerced’s Local Learn Day. In the past, I’ve done “Hack the Power!” (hack a solar panel array) and “Hack the Packet!” (intro to network hacking, Wall of Sheep style), so I really wanted something to take the cake. What I needed was an idea.


"Hack the Packet!" 2022

An idea came: “Hack the Tracks!” I created a model railroad and vulnerable infrastructure systems and over the span of 2 hours at HackMerced’s Local Learn Day 2022, I taught students network hacking, scanning and enumeration, web application exploitation, command injection, initial access, privilege escalation, and so much more.


"Hack the Tracks!" 2022

“Hack the Tracks!” took place in November, and then I graduated in December – high honors, outstanding CSE student award, 3.87 GPA, all that jazz. However, my contributions to UC Merced’s incubating hacker culture would not stop there, as I continued to be involved with HackMerced as the Director of Special Projects Engineering. With so much freedom to do whatever I wanted, I began to brainstorm ideas for what I’d do at the HackMerced VIII hackathon in March.

There’s no way that I could top “Hack the Tracks!” right? My workshops and events had been steadily evolving over the years. As a second year, I taught Python workshops and plenty of basic things like automating work tasks and creating simple games. As a third year, I taught programming and hacking drones plus hacking a solar panel array. As a fourth year, I taught network hacking and hacking a train. How could I possibly evolve further?

One of my teammates at IrisSec, codedninja, used to have this GIF as his Discord profile banner:

Behold, the final evolution: the planet. Hack. The. Planet.

I began to fantasize about what this event would look like. Through “Hack the Tracks!” I’d gotten interested in n-scale model railroading. I had an idea: an n-scale model city where everything is hackable. It has a functional electrical grid, hackable smart homes, and more – hell, even a space shuttle to learn radio hacking! Dozens of targets. All. Hackable.

I made it happen. It took a lot of sweat, blood, tears, and a massive hole burned through my wallet, but last weekend, my passion project debuted:

Everything was hackable. I picked up a bunch of Aerohive AP130s from eBay for dirt cheap, set them up to broadcast networks for each target (separated by VLANs), and set up a Kubernetes cluster on Google Cloud with 27 targets in the form of pods. I painstakingly wrote Dockers for each target. They were all connected to a VPN server where I set up iptables configurations in order to segment the networks for added realism, and the physical in-person networks themselves would grant the hacker network access to the VPN after they’d successfully hacked the IRL network. After gaining network access, they could attack any target on the network through a variety of means.
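One way to express the per-network segmentation described above on a Linux VPN gateway, as an added example rather than the author's actual configuration. The segment names and subnets are constructed; the script generates a default-drop `iptables-restore` ruleset and audits it for any rule that would bridge two segments.

```shell
#!/usr/bin/env bash
# Constructed segment table: name, VPN client subnet, target subnet.
# None of these names or addresses come from the event.
SEGMENTS='grid 10.8.10.0/24 10.100.10.0/24
smarthome 10.8.20.0/24 10.100.20.0/24
shuttle 10.8.30.0/24 10.100.30.0/24'

# Emit an iptables-restore file: forwarding is dropped by default, return
# traffic is allowed, and each client subnet reaches only its own target subnet.
build_ruleset() {
  echo '*filter'
  echo ':INPUT ACCEPT [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' "$SEGMENTS" | while read -r name clients targets; do
    [ -n "$name" ] || continue
    echo "-A FORWARD -s $clients -d $targets -m comment --comment seg:$name -j ACCEPT"
  done
  echo 'COMMIT'
}

# Print the segment a subnet belongs to (client or target side), if any.
segment_of() {
  printf '%s\n' "$SEGMENTS" | awk -v net="$1" '$2 == net || $3 == net { print $1 }'
}

# Audit a ruleset on stdin: print every FORWARD ACCEPT rule that is not
# "-s X -d Y" within one segment (cross-segment, unknown subnet, or too broad).
# Empty output means the segmentation holds.
audit_ruleset() {
  while read -r flag chain sflag src dflag dst rest; do
    [ "$flag $chain" = "-A FORWARD" ] || continue
    line="$flag $chain $sflag $src $dflag $dst $rest"
    case "$line" in
      *"--ctstate ESTABLISHED,RELATED -j ACCEPT"*) continue ;;
      *"-j ACCEPT"*) ;;
      *) continue ;;
    esac
    a=$(segment_of "$src"); b=$(segment_of "$dst")
    if [ "$sflag $dflag" != "-s -d" ] || [ -z "$a" ] || [ "$a" != "$b" ]; then
      echo "$line"
    fi
  done
}

build_ruleset   # prints the ruleset; load it with iptables-restore on the gateway
```

Running the audit against the live rules (`iptables-save | audit_ruleset`) after any manual change catches a stray allow rule before it silently joins two networks.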

Some target networks were not feasibly hackable via traditional network attacks and instead forced the participants to learn spearphishing and program malware in order to gain initial access to a network. In addition, there was a model space shuttle there as a target for radio hacking. I provided all the gear: an RTL-SDR, HC-12, and HackRF One. I gave everyone a legal disclaimer before they were permitted to enter the game, and then it happened. 16 hours of hacking. Over 50 participants from the main hackathon came to try out “Hack the Planet!”

It was so amazing to see teams get excited upon popping their first shells. The excitement of a newbie is something that rejuvenates me with memories of my first hacks. The hacker scene at UC Merced was nonexistent before I came, and over my 7 semesters of being a student, I began to see it sprout and grow. I’m very proud of this event, and now…

… it’s a thing. It was so awesome, I’m not giving it up. I already know plenty of universities around the US who’ve been watching this unfold in real time and they, too, want to hack the planet! I’ve learned a lot from the “Hack the Planet!” debut event, and now I’m going to be working hard to make this more modular and replicable for others to do themselves.

hacktheplanet.shawnd.xyz

Badger

For the past 3 years of HackMerced’s history, various “engineers” fantasized about the idea of this thing called a “BattlePass.” It was supposed to be some sort of system for announcements, or something – I’m not sure, because literally zero lines of code were ever written for it. It was thought up by “engineers” who only looked to talk so that they could have something to add to a resume. Three years. Zero progress. What happened?

Then, I came along. The problem that “BattlePass” sought to solve was still valid: we host a large event and we need a way to streamline plenty of logistical functions related to attendees. Over the span of a week, I made Badger: an open source IoT RFID-based authentication, attendance tracking, notification, and rewards system for small to large scale events. I didn’t want any of the stink associated with the dead project that was “BattlePass,” especially since I’m working off of zero of their work (there is none) – my work separately came along to solve the problem that they never did.

For HackMerced VIII, we dubbed it “HackerPass.” It’s a wrapper around my project, Badger, since Badger’s goal is to be a platform for individual events to adapt and create from. The way it works is simple, actually: we have a web API in the cloud that holds a database of attendee information as well as event information; attendees have badges that they scan when entering an event, claiming a reward, getting food, etc.; and those badges have information that attendees can use to access a web panel showing them all the information about an event (such as workshops and announcements) as well as information about their points and rewards.

NodeMCU. RC522. LEDs. Badges. Web API. That’s all. Badger single-handedly streamlined registration, incentive, rewards, attendance, food distribution, announcements, scheduling, and so much more. Oh, and it can be completely battery powered too, freeing you from the restriction of outlets.

And now that Badger has passed its debut event and proof-of-concept, it’s not over. I’m continuing development on it by getting rid of the prototyping boards and turning it into one cohesive circuit board. This also gives me an opportunity to learn and practice SMD soldering. I’m also going to be continuing to develop Badger so that other large events can use it as well, and making improvements based on what I’ve learned from the debut event.

Badger can expect dual antennas, even faster response times, on-premises replicator nodes to decrease network dependency, and longer battery life. I also might experiment with e-ink displays as an additional add-on. Either way, it’s not over.

badger.shawnd.xyz

What’s Next

So yeah, I’ve been pretty busy lately. The storm is over now and my focus is back on looking for a full-time job in cybersecurity, then moving and driving again. “Hack the Planet!” and Badger are still things I’m passionate about and intend on continuing to improve, but first, I gotta pay rent and put food on the table. Until next time,

Happy hacking!