This is a write-up of the FriendFinder challenge (150 points) from BSides Canberra 2017.
It’s no fun being all alone, particularly with a badge that isn’t complete. But at BSides Canberra, you are literally SURROUNDED by friends! Rise to the top of the popularity chart to claim your flag.
Each attendee at BSides had a MiFare NFC card provided in their registration pack, along with an electronic conference badge including an NFC reader. The aim of the challenge was to walk around the conference asking others to tag their NFC cards on your electronic conference badge until the flag was revealed.
As this was a physical challenge involving the conference badge, it is not available online to try.
We walked around for a while scanning people’s NFC attendee cards, getting to a score of around 10. However, there were some issues with the badge in terms of both software and hardware: sometimes the badge rebooted, which reset the count, or the NFC scanner came loose and required a reboot of the badge, which also reset the count. We also found that some cards would not be recognised by the badge for some reason (we’re still unsure why…). This happened a couple more times before we decided to see if there was an alternative way to get the flag.
Hacking the Hack
We decided to try using Apple Pay on my watch as it works through NFC, like the BSides cards. We found that each time the badge scans an iPhone or Apple Watch with Apple Pay it thinks it is a new, unique card.
We found that if the watch or phone is left in range of the reader, and you scan the device multiple times, it treats each scan as the same card and leaves the count as-is. In order for the badge to recognise the device scan as a new card you must remove the watch or phone from the reader’s range and then move it back. You do not have to restart Apple Pay — just move out of range.
After 30 scans the badge showed us the flag:
The flag was
A big thank you to the BSidesCBR CTF organisers, and the team who engineered the electronic badges, for this fun challenge.