Wednesday 3 November 2021

Hardwear.IO Netherlands 2021 Badge Puzzle

Attendees at the Hardwear.IO Netherlands 2021 security conference got a plastic badge with a puzzle on it... Yep, another of my puzzles - or, maybe, two of my puzzles:


Obfuscation is the art of hiding things in plain sight. QR codes are one example - they are a way of obscuring a URL from being read too easily. Of course, if you don't know what they are, then they might appear to be 'magic' or 'secure' in some way. Some obfuscation is so entrenched that it can appear to be 'obvious' - ASCII codes for letters and numbers, for example. Unless, that is, you were raised when EBCDIC was the standard...

Puzzles are logical obfuscations, where the obscuring process can be undone...

The orange plastic makes it quite hard to see some of the numbers, so here's the original diagram:


The idea here was to have as few instructions as possible. The big arrow indicates that there is a left-to-right flow, and presumably the answers go in the boxes on the right. 

As a puzzle creator, one good starting point is to provide clues to how to find the answer, and to make the clues obvious, but not too obvious. So rather than just give you the solution up front, here are a few hints, and if you keep scrolling, then you will find the solution...

Hints


The second box on the lower row looks like 'NL' and so is presumably a clue to the conference being in the Netherlands - which attendees will already know, of course! But what it actually is doing is showing that there is something significant in the strokes used to make the N and the L shapes. 

The box directly above it on the top row is also a clue, but for a different reason. There are 23 question marks, plus an 'A' and a '1'. At first glance, the A and the 1 are almost invisible because of the visual clutter. 

The first boxes on the left contain two very different contents - deliberately. The top box has a 5x5 grid of two digit numbers, and the next box along to the right also has a 5x5 grid... The lower box has 6 rows, and the length varies from 3 to 6 characters. 

And there's that big arrow pointing from left to right... but also pointing to some smaller arrows connecting the two final boxes on the right. Maybe the contents of those boxes are similar in some way?

The top row has a box with just arrows inside it, which could indicate a path of some sort... There are 5 rows again in this box.

The lower row has a 6x11 box with just 1s and 0s. 11 digits is unusual for binary numbers, so interpreting the first one as 0x00010000101000 (and so on) might not be the right approach. Is there another use for an array of 1s and 0s? Could it be an image mask of some sort? My puzzles tend to be based on hardware (sometimes with software) and so there's often a 70s or 80s bias to my metaphors.

The top row does have a box that looks like a raster scan - and it is directly above the 6x11 masking box. Could this be a clue as well? 

The left-most box on the top row contains two digit numbers. Many of my puzzles contain ASCII and other codings for numbers. So what sort of tests could you apply to numbers to see if they are ASCII encoded versions of text? If you were investigating a piece of real hardware, looking for how it stored data, especially if it wanted to have some security for the data, would it always be in an ASCII encoded form? 

My puzzles are intended to be educational, particularly for people who want to find out how hardware and security are intermingled in the real world. Knowing how to spot ASCII-encoded characters can often be a good starting point to working out where strings are stored in memory. Knowing that blocks of high entropy data might well be encryption keys is another useful piece of information to have in your mind. And how could high entropy data be hidden? How do you remove entropy so that it isn't as obvious? Could the 6x11 grid of 1s and 0s be doing something with entropy? 

Cryptographers tend to break text into blocks of 5 characters, and the left hand box on the lower row deliberately has between 3 and 6 characters in the rows - and none of the rows has 5 characters! This is not accidental...

The first thing that you tend to see in the puzzle is the big arrow from left to right. There's a circle at the start, so is this meant to be a vector? A pointer? A direction indicator? 

Finally, there are two small dots in the right hand 'empty' boxes. In the diagram above these are shown in black. This might be an additional clue... Almost nothing in my puzzles is there by accident.

The Solutions


If you are still reading, then you might well be

looking

for

the 

solution.

So,

I

will

try 

to 

make

sure

that

you 

don't

see

the

answer

by

accident.

Top Row


The left hand box on the top row contains two digit numbers. They aren't ASCII-encoded numbers because the letters and numbers in ASCII are from 30 to 122 (decimal). Values below 30 are control characters from the days of teletypes, typewriters, and very slow asynchronous serial communications. Numbers above 97 are lower case letters (a-z) and cryptographers always tend to use capital letters (in blocks of 5, remember?). SOTHE YPROB ABLYA RENOT ENCOD EDINA SCII!

Did you notice that all of the spaces were removed from the blocks of 5 characters? Old-school 'Enigma'-style cryptographers left out the spaces between words as well. You know how people always say that 'E' is the most used letter in the English language? Well, if you look at ASCII-encoded text, then usually the most commonly occurring number is not 69 (E) or 101 (e), but 32 - which is the 'space' character. Some of my puzzles deliberately leave the spaces in - as a clue that the text is ASCII encoded! 

If not ASCII, then what? The second box on the left on the top row might be a clue. In amongst the question marks, there are two characters: an A and a 1. The 'A' seems to correspond with the 01 in the 5x5 grid in the first box on the left of the top row, whilst the '1' seems to be associated with the 28. In ASCII, the numbers start with Zero (coding-style) at 48, and go to '9' at 57. So what might be the simplest way of arranging the capital letters of the alphabet (A to Z), plus the number digits from 0-9? Well, it might start at 0, go to 9, then A, then to Z. But an index where 01 means zero seems like it is making things a bit obvious, especially when 02 means 1, 03 means 2 and so on. This would mean that dates would be in the form <02-32>/<02-13>/<...and 3132 for the current year>, which might be a give-away after a while...

So, to be contrary to the way that ASCII works, how about putting the numbers after the letters? So 01 is A, through to 26 for Z, and then 27 for Zero, and 28 for 1. And there you have it - one of several ways of arranging the letters and numbers so that they can be indexed with a two-digit number! 
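The index coding and the ASCII checks described above, as an added example that is not part of the original post. The sample blocks are constructed from a sentence in the post (they are not the badge's actual grid), and mapping 29 to 36 onto the digits 2 to 9 is an assumed continuation of the pattern the post gives for 27 and 28.

```python
import string
from collections import Counter

# Stated in the post: 01-26 -> A-Z, 27 -> '0', 28 -> '1'.
# Assumed continuation of that pattern: 29-36 -> '2'-'9'.
ALPHABET = string.ascii_uppercase + string.digits

def encode_index(text):
    """Encode letters and digits as 1-based indexes; spaces are dropped."""
    return [ALPHABET.index(ch) + 1 for ch in text.upper() if ch in ALPHABET]

def decode_index(codes):
    """Decode 1-based indexes; '?' marks a value outside 1..36."""
    return "".join(ALPHABET[c - 1] if 1 <= c <= 36 else "?" for c in codes)

def looks_like_ascii_text(codes):
    """All values printable ASCII, and at least half letters, digits or space."""
    if not codes or any(not 32 <= c <= 126 for c in codes):
        return False
    texty = sum(chr(c).isalnum() or c == 32 for c in codes)
    return 2 * texty >= len(codes)

def most_common_value(codes):
    """The most frequent value; 32 (space) is typical of ASCII text."""
    return Counter(codes).most_common(1)[0][0]

def triage(codes):
    """Classify a block of small integers as 'ascii', 'index' or 'unknown'."""
    if looks_like_ascii_text(codes):
        return "ascii"
    if codes and all(1 <= c <= 36 for c in codes):
        return "index"
    return "unknown"

# Constructed samples (not the badge's actual grid), built from a sentence in the post.
SENTENCE = "SO THEY PROBABLY ARE NOT ENCODED IN ASCII"
AS_ASCII = list(SENTENCE.encode("ascii"))
AS_INDEX = encode_index(SENTENCE)

if __name__ == "__main__":
    for name, block in (("ascii", AS_ASCII), ("index", AS_INDEX)):
        print(name, triage(block), most_common_value(block), block[:8])
    print(decode_index(AS_INDEX))
    print(decode_index([14, 12, 29, 27, 29, 28]))  # NL2021
```
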

If you substitute the indexed letters and numbers using this mapping, then how do you put them into the final box on the right? Many of my puzzles try to get away from the left to right, top to bottom convention that native English handwriting and typing normally follows (But note that the value of the digits in numbers increases from RIGHT to LEFT!) and use other conventions instead. Japanese and Chinese are particularly interesting here, because although they can be written from left to right, top to bottom, they can also be written top to bottom, right to left... I have often used spirals to try and hide the sequence of letters from a casual inspection, of which more later...

So the 'raster' 'third from the left' top box might be interpreted as a set of vectors, showing how the decoded characters are arranged. If you do this, then the purpose of the black dot will become apparent - it is the 'dot' in Hardwear.IO...

Lower Row


The lower row starts on the left hand side with the 6 rows of 3 to 6 characters, and NO 5 character rows at all. The characters are a mixture of letters and numbers, and so it might be that the plaintext is 'hidden in plain sight', which would be a terrible pun, but exactly the sort of cheeky misdirection that I often include in my puzzles. The box on the second left in the lower row contains another 'raster' diagram, which actually looks like 'NL' spelt out in vectors. But it isn't immediately obvious what the vectors mean...

The third box from the left on the lower row is the 6x11 set of what look like binary numbers, except that they are 11 digits long, which is unusual for binary. If you are thinking 'misdirection' at this point, then you would be completely correct. Thinking of old raster-based visual displays, one of the common techniques used to process images on the screen was to use 'masks' that determined if a pixel in the image would be displayed in the raster, and thus on the screen. So the first, second and third boxes from the left on the top row are actually clues to this being a 'raster'-influenced puzzle...

The third box from the left on the lower row is indeed a mask. It is actually just the second box from the left on the lower row, but mapped onto a 6x11 'raster' or grid. The ones and zeroes do not mean 1 and zero - the 1s are place-holders for the characters that will be displayed, and show where they will be placed on the screen. So the three boxes from the left on the lower row are all indicating the same thing - how the characters in the first box are placed in the final box on the right. 

If you take the NL vector diagram from the second box on the left on the lower row, and use it to 'parse' the characters in the first box from the left on the lower row, and place them in the right hand box according to the mask (using just the 1s), then you get: 'HARDWE' reading upwards from top to bottom as you follow the upwards vector on the first stroke of the 'N'. As you continue, it spells out a slightly different order of the parts that made up the contents of the top, right hand box - and this is what those twisty arrows connecting the two right hand boxes indicate - the contents are not exactly the same in their layout.

The Solution


Which brings us to the solution:


The solution is thus either:

Hardwear.IO Netherlands 2021 (in all Capitals)

or

Hardwear.IO2021 Netherlands (again in all Capitals)

But, why are they different? To see why, take the top row solution and apply it to the reverse of the process used for the lower row. The bottom row of the contents of the left hand box will end up like this:

HN2021

Which kind of gives away too much...

For the reason behind that, think about how the puzzle was designed. The top row was done first, then the lower row. When the problem was noticed, then the top row could have been reworked, but it was already done, and so I took the easy way out - I used the twisty arrows to indicate that the contents of the two right hand boxes were similar, not the same. And this is exactly what happens in real-world hardware and software - unexpected problems can arise after a lot of work has been done, and the quickest fix is often not ideal. 

So one of the 'tools' that should be in the hardware (or software) reverse engineer's toolbox is the 'unexpected consequences often get fixed very badly' thought. Do you really change the whole design because of a minor mistake and do a total rework, or do you find a smart, quick fix that might compromise some of the security - but who is ever going to find it? Just about every project that I have ever seen will go for the easy fix, not the total rework. And that's one way that vulnerabilities get into hardware - or software. 

In a single puzzle, you have learnt about non-ASCII encoding, how to find ASCII encoding, how to vectorise and mask matrices, and the consequences of not going back and properly fixing mistakes that were unforeseen. This wasn't puzzle solving - it was actually training!

Thanks to Hardwear.IO for their support, and for using my puzzles!

To save you time, searching for more of my puzzles - there's a list here and another puzzle here
