Microsoft Subnet An independent Microsoft community View more

Kingpin aka Joe Grand of Prototype This: The Birth of Hardware Badge Hacking

Joe Grand, once known as Kingpin with the legendary hacking group L0pht, has co-hosted the Discovery Channel's Prototype This and runs Grand Idea Studio. But Grand, an electrical engineer, was the first to design electronic badges for Def Con. The birth of electronic hardware badge hacking happened in 2006. I spoke with Grand about hardware hacking...

If you've seen Prototype This! on the Discovery Channel, then you know Joe Grand. At Def Con 20, Grand and Zoz presented "More Projects of Prototype This!" such as "the Mind Controlled Car, Boxing Robots, Six-Legged All Terrain Vehicle, Get Up and Go, and Automated Pizza Delivery, each of which had to be designed and built in a matter of weeks."

Grand also gave a talk in the Hardware Hacking Village about hacking a Laser Range Finder with a Game Boy printer. The HHV doesn't seem to get enough social media love, but hardware hacking is extremely popular at Def Con. Part of the reason for that is Joe Grand and his amazingly creative Def Con badge designs that were the first electronic badges. It introduced people to badge and hardware hacking which has taken on a life of its own at Def Con and hackerspaces.

At Def Con Kids, Grand was teaching kids about hardware hacking, how to solder, and 3D printing. I caught up with him as held the kids spellbound; he taught, answered questions from young curious minds, and 3D printed all kinds of awesome objects with MakerBot. His passion for electrical engineering began at a young age. "I've been involved in electronics since I was 7," Grand told me.

90% or more of people are hardware device users, not hardware hackers, so after Dark Tangent, aka Jeff Moss now with the Homeland Security Advisory Council, saw Grand's custom PCB developed in 2005 for a Black Hat Hardware Hacking course, Moss told Grand to "Make it happen" for Def Con.

Grand said when he was thinking about the Def Con 14 badges, he realized, "Most people haven't had this experience. It's a great opportunity to get them involved and to learn that it is okay to open things up. Even if something they try doesn't work, that's still a way learn." And Def Con 14 in 2006 was the birth of electronic hardware badge hacking.

Def Con 14 Badges in 2006 by Joe Grand:

"In the beginning, badge hacking was a one good way to get people interested in hardware hacking. It was a great way to educate people about electronics." This was before badge hacking was a craze with hackers, so Grand said, "To help people understand it, how to hack it, I used a vendor table to setup and show people how to hack badges."

I highly recommend you read "A five year history of Def Con's electronic badges" [PDF]. It shows a great deal of detail, functionality, schematics, subsystems and development as well as badge hacks by Def Con attendees. Here's a quick look at Grand's designs, the Def Con badges from 2007 - 2010

Def Con 15 Badges in 2007 by Joe Grand:

The default text message display was "1 <heart> DEFCON 15."

Def Con 16 Badges in 2008 by Joe Grand:

Def Con 17 Badges in 2009 by Joe Grand:

Def Con 18 Badges in 2010 by Joe Grand:

"The Def Con 18 badge was my favorite," Grand said. "I decided to stop while I was ahead. By 2010, electronic badges were common." He is an electrical engineer, a hardware hacker who likes to put out engineering content like you can see on Grand Idea Studio. He likes to design new things and to inspire others to dig in instead of taking hardware for granted.

Way before computer security was big business, Grand was a member of the legendary hacker collective known as L0pht Heavy Industries in Boston, Massachusetts. The L0pht hacking group gained notoriety for their warnings about weaknesses in computer security. This was a different world, before "responsible disclosure practices," back when vulnerabilities had to be released to the public so vendors would be "forced" to fix the security flaws.

In 1998, seven L0pht hackers testified before the United States Senate Governmental Affairs Committee where they were called 'modern day Paul Reveres' and 'rock stars of the hacking elite' for alerting the world about exploiting computer security flaws. Even more interesting, other than people in the witness protection program, they were the first group to use pseudonyms while testifying in front of the Senate. Grand spoke about government and homeland computer security vulnerabilities under his internet handle, Kingpin.

For years, he participated in educating people and hackers about computer security; he helped teach people how to break and exploit hardware devices. Now Grand is the president of Grand Idea Studio in San Francisco which does product design, development and licensing. He also still teaches training courses like "Hands-On Hardware Hacking and Reverse Engineering" recently at Black Hat USA. He is still raising awareness about hardware hacking. At DESIGN West, he presented The Current State of Hardware Hacking which encouraged engineers to think more like hackers and talked about common attack vectors against embedded systems.

Hardware hacking is on the rise and most of the electronics industry is in denial. High-profile attacks against ATMs, voting machines, parking meters, medical devices, and printers were so simple, they should never have been allowed to happen in the first place. Challenges, constraints, and trade-offs are part of any product design, but it's time security was taken a little more seriously.

"If you can still reverse engineer it, then the whole infrastructure goes down," Grand said. If that happens, then Joe Grand will be the person to know, the person who you've hopefully listened to about scavenging hardware components in order to DIY rebuild during the zombie apocalypse.

If you surf over to kingpinempire's YouTube channel, then you can see some behind the scenes of Prototype This! He is incredibly nice, very down to earth, and a vastly entertaining man.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies