Back to SETEC LABS
The Conference Badge That Started a War
By: VexNull

For the record: none of this was my idea. Or rather, the first part was my idea. The part after that was d4rkfl0w's idea. All downstream consequences are therefore d4rkfl0w's fault, and I will die on this hill.

The conference was one of those regional security gatherings with a hundred talks, forty of which were on the schedule, three of which anyone actually attended. The hotel bar runs out of decent whiskey by noon and the real conversations happen in hallways at 2 AM. You know the kind. Every badge on a lanyard is a social signal. People look at your ribbons before they look at your face.

The badge this year was good hardware. Nordic nRF52, small OLED display, Bluetooth Low Energy, and an infrared transceiver for badge-to-badge contact sharing. Custom PCB, volunteer-designed, the kind of thing someone put months into. There were built-in challenges: crypto puzzles, firmware reversing tasks. Solve them all, win a prize.

I solved them during the opening keynote. The prize was a custom LED animation. Anticlimactic.

So I kept going, because that is what I do when I get bored and have hardware in my hands. Ninety minutes of probing the IR protocol and there it was: the badge-to-badge communication wasn't just swapping contact cards. It was a full serial link. Undocumented commands. A debug mode that dumped flash contents. Arbitrary writes to specific memory addresses. I had a USB IR transceiver in my bag because of course I did. A short program later, and I could push whatever I wanted to any OLED within ten feet.

The first victim was the person sitting next to me in a talk. His badge, without warning, began displaying: I <3 PHP

He didn't notice for twenty minutes. When he finally looked down, his face went through five distinct phases. Horror. Confusion. Deeper confusion. The slow dawning that this was intentional. Looking around the room.

I was reading a whitepaper. Completely absorbed. Very innocent.

This is where I should have reported the vulnerability to the badge team. VexNull the Professional understood this clearly. The bug was real, it was exploitable, responsible disclosure was the correct move.

VexNull the Person Who Had Been Awake Since 4 AM and Who Had Found a Remote Arbitrary-Write IR Exploit took a different position.

I spent the next hour in the vendor hall, moving at a comfortable stroll. Badges updated as I passed. ASK ME ABOUT MY CATS. I USE WINDOWS DEFENDER UNIRONICALLY. THIS BADGE HAS BEEN HACKED BUT I HAVEN'T NOTICED YET. That last one was technically accurate and also a statement about situational awareness at a security conference, which I felt was justified commentary.

Then d4rkfl0w walked by and his badge spontaneously changed to: d4rkfl0w STILL OWES VEXNULL $20

He stopped. Looked at his badge. Looked up. Scanned the room with the specific expression of someone who has just realized exactly what happened and exactly who did it.

"Is that IR?" he said.

"Hello, d4rkfl0w."

"You're writing to the display over IR."

"Enjoy the message."

"How far does it reach?"

"About ten feet."

He looked at my bag. He looked back at me. And instead of any of the reasonable responses available to him — reporting the vulnerability, walking away, simply minding his own business — he said the words that would define the next four hours:

"Teach me."

"d4rkfl0w, I'm asking you, as a colleague, to consider —"

"Teach me right now."

I taught him.

Giving d4rkfl0w an exploit is like handing a goddamn lighter to someone who came to the party already on fire. Within forty minutes he had extended the IR transmitter range to thirty feet using a battery pack he "borrowed" from the hardware hacking village. Borrowed is the word he used. I did not investigate the borrowing process.

He settled into the lobby with a drink and began broadcasting.

His artistic vision was different from mine. Where I had gone for targeted, contextually relevant messaging, d4rkfl0w operated with what I can only describe as maximalist ambition. HACK THE PLANET on loop. A scrolling ASCII art rendering of a particular hand gesture. The lyrics to "Never Gonna Give You Up" deploying one line at a time to different badges simultaneously so that if you walked through the lobby at the right moment, you were surrounded by strangers whose badges were serenading you from all directions.

"This is amazing," d4rkfl0w said.

"This is chaos," I said.

"Those are the same thing."

"They are categorically not —"

"Watch this." He swept the transmitter in a slow arc. Six badges in the lobby simultaneously displayed a new message. He looked delighted. I looked at the ceiling.

By mid-afternoon, roughly a third of the conference was affected. The badge team's IRC channel was filling up with reports. "My badge is doing something weird." "Is it supposed to say HACK THE PLANET?" "Mine just rickrolled me?" Someone posted that their badge was displaying VexNull Was Here, which was d4rkfl0w's contribution, not mine, delivered without my consent, and I want that on record permanently.

"Why did you put my name on it?" I said.

"For attribution."

"You're the one broadcasting from the lobby with a battery pack."

"You found the vulnerability."

"I found it for my own quiet personal use."

"That's not how any of this works," d4rkfl0w said, and took a sip of his drink, completely at peace with the world.

The badge team figured it out around 4 PM. To their enormous credit, their first response was laughter. Their second response was faster than I expected: two hours from discovery to a firmware patch pushed over BLE to every badge simultaneously. Clean incident response for a volunteer team, under the circumstances. The exploit stopped working mid-transmission, which I discovered when a badge three feet from me simply stopped responding and d4rkfl0w said "oh" in a tone of mild personal loss.

They gave us Badge Breaker ribbons. Handmade, white fabric, black letters. d4rkfl0w put his on immediately and wore it with the quiet dignity of someone being awarded a medal. I attached mine to my lanyard with the specific energy of someone participating under protest, which is my resting state.

"This is the best day," d4rkfl0w announced.

"We compromised a third of the damn conference badges."

"And got ribbons for it."

"That is not the takeaway."

"It's definitely the takeaway." He looked at his ribbon. "This is going in the photo."

Postscript: n1ghtsh1ft had been at this conference the entire time. Nobody had seen him because he was in a dark corner of the CTF room. He informed us afterward that he had found the same IR vulnerability twelve hours before I did and had chosen not to exploit it because he was "busy."

"Busy with what?" I asked.

"I'd been awake for forty hours," he said. "I achieved packet enlightenment."

"What does that mean?"

"It means don't ask."

The badge team's published write-up credited me for the discovery. They did not mention d4rkfl0w's lobby operation or the ASCII art. Diplomatic decision. I agreed with it then. I agree with it now.

d4rkfl0w still owes me twenty dollars.

— VexNull, 2026

Back to SETEC LABS