The Heart of the Project
Have you ever looked at a piece of conference "badge-ware" and wondered if it was good for anything more than collecting dust on a shelf? As it turns out, that plastic badge might actually be the heart of your next IoT project.
In a recent exploration of some old conference hardware, I discovered that these devices are often packed with more potential than you'd think - specifically, the ESP32-S3-WROOM-1 microcontroller module. With built-in Wi-Fi, Bluetooth, and USB capabilities, these little chips are the perfect jumping-off point for everything from productivity tools to "evil" penetration testing gadgets.
Step 1: Identifying Your Components
The first rule of hardware hacking is to know what you're working with. We'll methodically catalog the components while disassembling the device, paying special attention to the microcontroller unit (MCU) and the input, output, and storage components.
Figure 1: The disassembled conference badge layout.
Observations on the Board:
- Input: Visible light sensor, tactile buttons, and a USB-C port.
- Output: An SSD1306 OLED screen and several LEDs.
- Storage: No visible storage on the board.
- MCU: ESP32-S3-WROOM-1 (supports USB HID "masquerading").
Step 2: Finding the Pins
To write code for the device, you need to know which physical pins connect to which components. We're interested in General Purpose Input/Output (GPIO) pins. A simple multimeter continuity test (the "beep" test) allowed us to trace these connections:
// SSD1306 OLED data and clock (I2C)
#define I2C_SDA 8
#define I2C_SCL 9
// Input buttons
const int BUTTON_PINS[] = {35, 36};
// LED array
const int LED_PINS[] = {1, 2, 17, 18, 21, 40, 41, 42, 47, 48};
Step 3: Write (or Steal) Your Code
We'll use the Arduino IDE, whose sketches are C++ with a thin wrapper around them. A typical sketch consists of:
- Header and Global Definitions: Include libraries and define variables visible to the whole program.
- setup(): Code that runs once at startup.
- loop(): Code that repeats indefinitely.
Practical & Pentesting Projects
1. Hardware Password Manager
High-entropy 64-character passwords are impossible for humans to remember, but a computer handles them with ease. One button cycles through a preconfigured array of passwords shown on the OLED; the second button "types" the selected one via USB HID.
2. The "Remote Evil Keyboard"
By creating a web server directly on the badge, you can access it from a separate device (Computer A) and type commands into the victim machine (Computer B). To the OS, it looks like a physical hardware keyboard is simply doing its job.
3. Stealthy Data Snatching
Using smaller modules like the Seeed Studio Xiao ESP32S3, you can hide this tech anywhere - even in a fake USB-enabled sandwich. These can be used for battery-powered NFC card snatchers that capture card data silently at a door.
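Projects 1 and 2 both depend on the badge enumerating as a USB HID keyboard, which is also the point where a host can notice it. The Python below is an added example, not code from the original post: it scans Linux kernel log lines for newly bound HID keyboards and reports any that are not on an allowlist, calling out Espressif's vendor ID (303A). The allowlist entry, the product ID 1001 and the sample log lines are constructed for illustration.

```python
import re

# Matches the Linux kernel log line emitted when a USB HID interface binds, e.g.
# hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Name] on usb-...
HID_LINE = re.compile(
    r"hid-generic \w{4}:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\w{4}: "
    r".*?USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\] on (?P<port>\S+)"
)

ESPRESSIF_VID = "303A"  # Espressif's USB vendor ID
# Assumption: keyboards the organisation actually issues (constructed entry).
APPROVED_KEYBOARDS = {("046D", "C31C")}


def find_suspect_keyboards(log_lines, approved=APPROVED_KEYBOARDS):
    """Return one finding per HID keyboard that is not on the allowlist."""
    findings = []
    for line in log_lines:
        m = HID_LINE.search(line)
        if not m or m["kind"] != "Keyboard":
            continue  # not a HID bind line, or a mouse/gamepad/etc.
        vid, pid = m["vid"].upper(), m["pid"].upper()
        if (vid, pid) in approved:
            continue
        reason = "unapproved keyboard"
        if vid == ESPRESSIF_VID:
            reason = "keyboard with Espressif vendor ID (dev board or badge)"
        findings.append({"vid": vid, "pid": pid, "name": m["name"],
                         "port": m["port"], "reason": reason})
    return findings


# Constructed sample log lines (not captured from a real host).
SAMPLE_LOG = [
    "[  3.10] hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1/input0",
    "[ 90.42] hid-generic 0003:046D:C077.0002: input,hidraw1: USB HID v1.11 Mouse [Logitech USB Optical Mouse] on usb-0000:00:14.0-3/input0",
    "[412.77] hid-generic 0003:303A:1001.0003: input,hidraw2: USB HID v1.11 Keyboard [Espressif Systems ESP32-S3] on usb-0000:00:14.0-2/input0",
]

if __name__ == "__main__":
    for f in find_suspect_keyboards(SAMPLE_LOG):
        print(f"{f['vid']}:{f['pid']} {f['name']!r} on {f['port']}: {f['reason']}")
```

Vendor and product IDs are set by the device firmware, so treat the allowlist miss, not the Espressif match, as the primary signal.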
Where to Start?
If you're looking for inspiration, the ESPHome project and its dedicated subreddits are fantastic resources. Whether you want to automate your lights based on your heartbeat or build a remote-access pentesting tool, the ESP32 proves that the "world is your oyster" when it comes to IoT development.