tl;dr — I created a fake wristband for DEFCON this year. I attended the majority of the conference with only this fake wristband visible and was never confronted by a DEFCON goon. This was a fun exercise in bypassing a modern requirement in current times: vaccination checks. It was not meant as an exhaustive check in “bypassing” these measures and I don’t recommend/condone doing so in the real world.
First and Foremost: I’m fully vaccinated. I provided proof of vaccination to DEFCON and was in possession of a real wristband the entire conference.
What & Why?
In 2019 I wrote about how I made a counterfeit of the DC27 badge. 2020 DEFCON was virtual with no badge. I enjoyed 2019’s exercise and was keen to do this again.
Authorization vs Authentication
DEFCON 29 had planned to be both in-person and virtual (hybrid), but with one interesting requirement: proof of vaccination for COVID-19. So, what did this mean for the conference & attendance? Typically, DEFCON required a badge as proof of a ticket. Depending on the year and availability this is commonly a PCB or a plastic card with lanyard. This year, the main form of authorization to attend the conference was the proof-of-vaccination wristband. The primary form of authentication to support this was a vaccination check by a third party. There were PCB badges provided as part of your ticket. However, as I understand it, if you didn’t have proof of vaccination then you’d still be eligible to receive your physical badge, you just couldn’t attend the conference in-person. There were also advertisements of badges being sold outside of the conference for ~$75. So for all intents and purposes, faking a badge this year wasn’t really the goal.
Now, let’s discuss the hack.
On Wednesday, August 4th, the night before DEFCON, I started doing some quick OSINT. The first result was easy enough: searching “DEFCON wristband” on Twitter led me to this tweet (now deleted/pruned, likely automated):
Excellent! We now know the following characteristics:
- Holographic, likely a pattern but appears random from a distance
- Plastic wristband, not paper like some festivals/nightclubs
- Holes for adjustment/fit and a plastic clasp
- DEFCON 29 written across
- DEFCON logo with multiple horizontal lines through it
This is a good start, let’s analyze the font, crop and see if WhatTheFont has any recommendations:
Okay, some of them are okay, but this isn’t what we hoped for. What if we simply wrote out DEFCON in a word processor and tried a bunch of common fonts?
Aha, Times New Roman bold seems to be the winner (or it’s close enough in my book).
Enough of the font enumeration; we’ll deal with the logo later, since it’s all over the internet. The first step was to show my research to a friend of mine. He’s in the entertainment industry (DJ, artist & Vegas local), and I figured he might know the spot in town or have some inside contacts in event management. With such short notice, the immediate recommendation was Hobby Lobby or a party supply store. Smart, but neither is open at 10pm on a Wednesday (at least during a pandemic).
What is? Walgreens & Walmart.
Walgreens arts and crafts section didn’t have the pattern. I did find a wrapping bow/gift wrap that might have worked but I suspect would have been identified quickly.
I left and went to Walmart. There I first checked the office supplies & DIY section (mostly the scrapbooking section of Walmart). Voilà, I found a product that appeared to have the exact same pattern, a set of sticky tabs for documents:
What does this tell me? Supply chain studies would allow me to assume that this pattern is reused somewhere else in the Walmart collection. So, while browsing the rest of the store there was a special kids back to school section. An item appeared that would solve my immediate problem. A pink plastic pencil case contained the same exact pattern as the wristband!
Okay, so this should be good for now. Let’s prep the materials.
We have a piece of material with the pattern on it. Here’s what’s missing:
- Removal of the decal (painted stars)
- Shape & size into a wristband
- Font & logo
Tackled separately, I started with the paint removal.
First Attempt: 91% Isopropyl Alcohol & Q-Tips – This failed spectacularly, some of the paint was removed but it would have been labor intensive.
Second Attempt: Heat gun – This… also failed.
Frustrated, I did additional research and finally wanted to try nail polish remover (with acetone) and cotton balls.
Third attempt worked like a charm:
Let’s take it a step further and turn it into a wristband! Cutting and sizing wasn’t an issue. Regarding the lettering & logo, I did consider getting stenciled lettering and putting a logo on it. I thought it might be funnier passing without, so this was the end result with the real wristband hidden under an incredibly fashionable Walmart sweat-wrist-band:
There’s not much more to say here. I was able to attend the remainder of the conference (3 days) without issue.
Conclusion & Closing Notes
This wasn’t groundbreaking by any means and there would have been a multitude of other mechanisms to bypass this vaccination check:
- The COVID card PDF is openly available on the internet with some targeted searches. One could have made a fake physical card, printed and/or photographed and shown to the third party as evidence.
- The wristband provided was loose enough to slip off my wrist, it could have been supplied to someone else to attend the conference.
- The wristband clasp/mechanism wasn’t checked, so obviously someone could have cut theirs off and given it to an un-vaccinated person.
This isn’t meant as a “ha, gotcha” to DEFCON or its staff. It was a fun exercise I was happy to participate in; gotta love last minute DEFCON shenanigans. And as DT stated in the DEFCON documentary:
“If you can counterfeit the badge, and you can get past the guards, repeatedly, good for you. You probably deserve to get in. Right? That’s what a hacking convention is all about.”
Dark Tangent, DEFCON Documentary
Can’t stop the signal.
Until next time,