>> And you're at Hacking Hotel Keys and Point of Sale Systems.
>> Sweet.
>> Can you guys see the slides all good? Can everybody hear me good? Perfect, perfect. So I'm Weston Hecker, I'm going to be hacking hotel keys and point of sale systems. I had backup videos just in case anything went south. So hey, funny story, starting out, a little bit after I go through a little bit about myself. I do a lot of talks; I did HOPE this year, I did Black Hat, this is my third year at DEF CON. It's a privilege to speak here. Yeah, I basically do pen testing for a living, I do a lot of research on the side. I'm an ATM enthusiast and, like some of the other stuff, I just like playing around with technology. And I've got a couple side projects; I was working on some car hacking, point of sale system hacking, hotel key hacking, and just exploits in property management software. But funny story, so when you do a hotel hacking talk at a hotel, it usually involves the staff pulling you, your PR person and your boss aside, and taking you to the bowels of the hotel. And I've seen Casino one too many times, so I was a little nervous, you know. But it was something where it all ended really good. They just wanted to know if they were vulnerable to this attack, and it is not. They tokenize, they set it up properly, they follow the best practices, so your guys's hotel room keys are safe at all the Caesars properties. Just wanted to throw that in there.
So, I'm going to explain the actual MagSpoof, which is Samy Kamkar's device. This one is a modified version of the MagSpoof. This one is not the one that is set up for brute forcing, but I do have a demo of the actual brute forcing going on. And then we're going to actually infect this point of sale system with malware, using human interface device injection. And yeah, I'm going to explain a little bit about the point of sale systems and the actual process of how the keys are actually made on some of them that rely on night audit and batch services. They have to do some very insecure things to make sure that their database is posted and they get charged. I'm going to do a privileged... show you how the privileged attacks work: fireman keys, service keys, things like that. And some of it, I thought it was pretty heavy-duty encryption of some kind, and most of it is just encoded. They definitely skipped some steps. And the point of sale talk, it's going to go from how I led from doing hotel research into actually attacking point of sale systems. Because, I don't know, anybody else, when they saw Samy's video, they thought of every single thing that has a magstripe reader on it as now an attack surface, and I just want to give him a shout-out because that was amazing research and he saved me many, many hours of reading manuals.
And yeah, I'm going to basically go through how it uses the magstripe readers, where the fail was in that. And I'm going to actually go with triggering events on the readers and see what it's listening for. Because some of the newer point of sale systems, they will only power up the reader when X happens, and actually I have a tap that you can attach to bypass some of that stuff. And I'm going to go over some of the management cards, brute forcing management cards; you can actually, you know, do refunds, stuff like that. You can actually refund to other credit cards using one or the other attacks. Yeah, it was one of those I was conceptually doing, and it would have been a pretty decent attack, because I never knew that you could actually refund to a credit card that it wasn't originally charged on, and that's something I came across while doing some of the other research I was doing this year. I do have somebody do a cash tend, check tend attack. So basically, when you inject the F8 key it literally just pops the register open, and I'm going to go over that in a little bit here. [laughter] Because everybody pays with checks still, right? And attacking, OS injection, I'm going to pop a command shell, and then I'm also going to demo a drive-by attack, as long as the 4G holds up. I might have to get Steve Jobs on you guys, have you turn your phones off. No, we should be good; I had the 4G working earlier.
And some of the actual restaurant attacks and other mag research, like some of the rewards programs. I wrote one version of it where it cycles through ten cards, so say some of those places where you can collect points. They're on to employees, you know, just giving the points to themselves, so that actually cycles through like ten accounts, and I'll go through that in a little bit here. I'm going to go through: who here in the room knows what a magspoofer is? Who's built one? They're fun. They're very fun things to build. And yeah. So basically, you guys are going to see there, that's what actually happens when you put iron oxide on the credit card. It has a little magnetic field to it, so when the actual card is swiped through, it's actually generating a magnetic field and speaking binary data, so 1s, 0s, things like that. So basically what Samy Kamkar did was he actually built a version; I think the patenting and all goes back to like 2008 with the LoopPay, which was a system which was bought by Samsung. And so basically all you need to know is that there's an EM field being generated that is pretty much the same. Some of the timing is different. But as far as that goes, when you swipe the card it's basically doing the exact same thing. So it's able to speak to magnetic head readers using a small little magspoofer.
And how's the... yeah, it's secure mag stripe transmission, so like I said, it's something that's been around since 2008. So, back in 2002 and 1997, you know, people didn't think that this kind of thing was possible. So that's why a lot of these vulnerabilities... there's no reason why this keyboard should have 102-key functionality that you can actually inject through the magnetic head reader. And yeah, it's not RFID. A lot of people ask me that, like, you know, the hotel attacks, is it on the RFID, actual keys? And no, it's not. It's actually basically turning a magnetic card into a wireless card. Any idea? How do you handle the overheating? So, basically, the first thing you did after... I got my first magspoofer, built it, ordered all the parts from China, waited like a week and a half, and the first thing I did was burn it out. Because I tried injecting multiple cards; I pushed like 5 or 6 cards. I did my first modification just to increase how many cards I could store on it. And then I started actually, you know, seeing how many I could do, and after about 18 cards it burned out. So I waited another week for all the parts to come from China, and yeah. I basically made six magspoofers in one, with a little bit of a controlled Arduino, and it has a 3800mA battery instead of a 100mA, so that thing is heavy duty. I call it Big Bertha because it is just, it's like a huge coil on an Arduino.
And I'm going to go into a little bit of what property management software is. When I refer to it as PMS from now on, it is not what everyone would think it was. So, it is property management software. And that is something where it has actually where your folio data is. Everybody's seen the checkout where it says folio. That's basically where the hotel keeps all of your records; that's how it actually knows what to charge when they do the night audit process. So when they run the night audit, it's going to charge under your bank account. Nowadays, like, when they're properly proceduralized, it's something where there are lots of security mechanisms that people can actually put into place. I'm going to go into a little bit of an explanation of the actual proprietary card readers and the security behind the hotel. So basically, there is your folio number. Actually the one I found the weakness in was, after I un-encoded the actual cards, I read it in raw using an MSR605, which is a mag stripe reader. Basically read the raw data, un-encoded it, and it was literally the same as my folio number and my room number and the checkout date. So if you make an assumption that somebody is going to check out in the next week, your space just went down a little bit, and if your hotel uses a very, not very old process actually, they actually weaned away from it in 2007/2006.
So if they do incremental folios and you're in a 50% hotel, it's not a very big space; you have 918 options in a 50-key, or 50-person, hotel, so it's something where, yeah, that's not many options to try, especially with a modified magspoofer. You can actually inject 45 cards per minute, so that goes through that space pretty quick. And yeah, collecting the information, as you can see, also instead of injecting full credit card numbers, you're actually injecting just some of the track, most of them is the track 3 data, a lot of the track 2 data. So credit cards are broken down into track 1, 2, and 3. Track 3 is the one that hotel chains use mostly. And if you've ever noticed, you can put your card in upside down. That's because only that half of the actual magnetic stripe is used. They only use a portion of track 3. And as you can see, I put iron oxide on this one also and it just shows that it is actually not, yeah, it's not using the full card. Because I covered the whole thing, then wiped it down, and yeah. And that's one of the things too; I travel a lot when I go pen testing, so I have like an entire suitcase, not an entire suitcase full of it, but it's got about three layers of actual hotel room keys, and I was wondering what was on them, so I just got bored one day and started pulling information off of them, and yeah. And there were several of them that actually were, you know, pretty easy to actually break the encoding on.
Because they were using, I think base64 but a little bit less, because it was very, very simple. I wrote an actual script and then most of that script actually worked for like 3 or 4 different kinds of keys, so I'm guessing that they are using the same PMS software. And yeah, so how would the bad guys go about interacting with, say for example, if you were going to brute force that 918 space, say Weston wanted to get into Hecker's room. Now I know the folio number; I assume he's checking out in the next week. I can actually go to an elevator or a pool area and it'll actually tell me once I get valid card numbers. So you don't actually have to be sitting in front of the person's door, which would raise a lot of suspicion, you know, especially if you had to sit in front of his door for 18 minutes or something like that. Yeah, that gets kind of creepy, the guy in the hallway for 18 minutes. Like one of the cons that I... I was with permission on this property. I was actually testing it out by the pool area, and the actual hotel, because I also found how the floor restrictions in elevators work this way. [chuckle] So it's kind of cool, like if somebody wants to go up to the 26th floor, you can literally just change the room number; it doesn't actually validate the folio on that.
And as far as getting maid service keys, on that property I was on, I literally attached my device to the back of the door, and I did that from the privacy of my own room. And when people walked by it was, you know, just randomly beeping here and there, but it was something where it took about 33 minutes to actually get, you know, the domain admin of the hotel pretty much. It was one of the maid keys. And you can literally... it is crazy the amount of access, especially with some of the service keys. And I feel dumb for brute forcing it because it was pretty much all zeros for the maid's keys. And I'm sure, you know, some of the guys out there, they'd have been right away, let's start at zero, instead of, you know, the folio numbers. So it's something that, once I understood that, I tried all 9s and that was the service keys. Then some of the actual issuing, they issue them monthly, so the folio, once I found out that that was the way that they were issued, it was something where I was actually, you know, pretty much able to do that. And yeah, a lot of the elevator and fireman keys, like there's some states that are looking at actually... luckily they're hid behind metal, so there's no way people could interact with them. You know, so that's what I'm saying, that heavy-duty magspoofer, it can go a pretty good distance, so even if they're blocked off for law enforcement or fireman usage, it can actually reach some of those.
Yes, so I'm going to go through some of the raw dumps. The other facilities, they actually use like, say for example you go to a theme park, they'll have on track one and track two, they'll have other information. Track two, on some of the properties' keys that I was looking at, they actually basically had my name, and I was like, ah, how am I going to brute force, you know, names and stuff. And luckily it wasn't validating it. And that's one of the things too, I always wondered about that, like how often, because that's one of the things, people always hear in news stories about personal information. There's no personal information on any of the keys that I came across, the ones that I could decode at least, with the exception of like a name, and, yeah, to me that's not that identifiable, I guess. And there are limitations to characters that can be entered, due to the limitations of encoding of the keys only; once you introduce the magspoofers, you actually start injecting some illegal characters, which I actually found out when I was running pretty hot, because I was actually measuring how hot it could get before it actually started garbling the messages and stuff like that, and actually some of the bit error percentages, they would go through the roof if it started overheating, and, you know, to actually figure out what was safe to run the device in.
And yeah, there were some characters, I'm guessing some bits flipped, and that's what led me to believe that, you know, some of the research, which actually we'll be demoing at the end here. And with some readers, they also, yeah, they automatically inject a return character. So after a certain amount of digits are entered, there's a way to actually stop that automatic return character. And that's with the modified version of the magspoofer only. Because after it does like 46 digits, it will do an automatic return character. And, yeah, other than that, you just need to know, literally, your own folio number. When I was actually going to, like, actually breaking the encoding, it was something where I actually just had to get my own key issued, and stuff like that, twice. And that gives you a sample to go off of, and you can pretty much... other keys that are collected, you know, there are lots of them where they have the return things; I didn't get those ones, but I pretty much just got my own keys. So breaking the complex encryption, yeah, that was pretty simple. You know, I had to rent an Amazon server for, you know... I literally just booted up my computer, wrote a script to... this version of it was actually just base64 encoded, so that was kind of irritating. I thought it was going to be a lot harder than this one, but... And some of the kiosks, I started playing around with some of that stuff.
Any time you guys go to a security conference, that's always, you know, the first thing they shut off, for good reason, for this kind of stuff. Because this is a really good way to issue your cards if you're the bad guy, obviously. It's something where they will, you know, be able to get like 7 cards without being suspicious. So what led to the research after the hotel keys, that pretty much was my next step. I was thinking everything with pretty much a mag reader on it is now a target. And I actually noticed, once I started buying some of these devices, that they were generic HID. And I had done a lot of HID attacks, human interface device attacks, which are basically keyboards, with Teensy and payloads in the past, so it's something where, now that I was looking at the attack surface of point of sale systems, it was, yeah, naturally the next step. So how does it use a mag stripe reader? This one up here is a 102-key keyboard, generic human interface device. So basically, anything you can type, you can now inject through the magnetic head reader, or card reader. And that's one of the things too, it's like, why not just hit the keys? And there are some of these things out there literally like, you know, it's this long of a text string, like say for example, I'm going to be demoing a drive-by attack, because, yeah, point of sale systems are a little out of date sometimes.
And I'm going to actually go through, yeah, some of these methods here in a second. And triggering events, that's one of the things too, like some of the newer ones, they have actual... you can test if they are being USB fed, so that's something once they're powered on, you can still do some of it, but they have to wait for a trigger event or for the remote cable to be toggled. So basically you can figure out when they're listening, and it's not something where you have to tap into it; you can literally just look and see if the green light is on. So that's like one of the indicators of it, and I would definitely, if you guys want to start playing with some of this stuff, get the MSR, the little mag stripe reader, 103s; I think they're like 15 bucks. They're really, really fun. And you can basically dump anything you want into a notepad. And yeah. So management keys, that was one of the biggest things too, where I was looking for a really hard challenge, and the actual first point of sale system I bought was pulled out of a taco restaurant, when it was disbanded and it was auctioned, and yeah, it came with the management key. And that management key worked on the other two point of sale systems that I bought from separate lots. [laughter] So I was like, ahhh. There's nothing, you know, nothing deep. No crazy, no techno, no chain-smoking; it literally was just pretty much the same admin account used across several point of sale systems.
So now, I'm guessing, because I know you can't turn this off when you go out in the wild. It's something where I started noticing every single point of sale system and I'm like, I wonder if, you know, that key would work on that, that key would work on that. And actually, one of my buddies owns a restaurant that happens to have one of those and, you know, you can literally inject the actual management key into it. So that's something that is pretty crazy. And like, you can mess with inventory. You can throw off inventory; you can, yeah, some of them need management overrides, you know, for some of the electronic checkouts and stuff like that, so that's some scary stuff. And here's pretty much what you guys probably can't read, but yeah. Everybody knows, for the most part, how keyboards work. And I think we deal with them on a daily basis so we pretty much know all the character sets. So, quite literally anything that you can type on that keyboard that I showed earlier, you can pretty much inject. Like I said, sometimes you have to strip some of the auto return characters, the enter characters. And yeah, one of the first attacks I did was, I saw the cash tend button, or check tend button. And that was injecting... I was like, okay, I wonder how hard this could be.
So, you know, I started playing around with it, and I was getting to the F keys' functionalities, and I was rolling through and testing it, and this basically is like a way for a bad guy to actually, you just walk in and literally rob a store; they could literally just put this device on there, and that's what kind of made it scary, like, now people can rob stores that way. With the F8 key. It's pretty bad. And yeah, behind every strong man is a strong woman. As you can see, I wore my "I love my wife" T-shirt. And behind every point of sale system, there is an outdated operating system. Not every point of sale system, I can't speak for them all, but every single one that I bought, or I could afford, and that's kind of the way it goes. So basically what you want to do is exit out of the point of sale system, and yeah, the next step will be popping a command shell and injecting the payload. And what kind of payloads would one want to run on a point of sale system? I did a talk last year so I had a couple malware, memory-scraping malware, lying around, and I was like, hey, I'll see if I can load these on a page. So it's going to do one distribution, and I tested it this morning, so it's actually going to do a drive-by attack on an actual web server that I have loaded. And this is a neutered version of it; it just talks to itself. So it's not going to actually be doing anything illegal.
And it's just going to literally visit the web page, and it has a vulnerable version of some software running on it. Then also you can literally, through the command shell, because most of them run deprecated operating systems, some of them still have functionalities where you could literally just put URLs and download from pretty much any source you wanted. Again, like I was saying, this is the payload that the bad guys would use, like the actual memory-scraping malware. So in the past, you know, people had to do these ridiculous supply chain attacks or they had to, you know, breach a vendor account, and now it's literally, you know, the bad guys, it'd be as easy as, you know, walking up to one of those point of sale systems and actually infecting it. And yeah, some of them are dev environments, so like they're custom; they pretty much have their proprietary key functions, they don't have a classic layout, but they still have magnetic card readers in them, and I actually, you know, was expecting to have to map these keys out and do all this crazy stuff, but actually [chuckle] if they have the generic driver loaded, they will accept the same key commands even if they don't have the keys on the keyboard, so that was like another huge fail. [chuckle] Which, as far as limitations of mag injections, making a physical card attack limitation: could you make the waiter do the dirty work?
Could you, like, give him your credit card to pay and actually have him walk up and do some of that? That's something that was kind of my, you know, next step after all this was kind of finished up, and yeah, like I was saying, there were some illegal characters that you can't actually encode on it, so it wouldn't work as good, but I think that it's something that some people have explored in the past, and it's definitely something I will be, once I have some free time now that, you know, all the talk and conference seasons are done with, I'll do some more checking into stuff. But yeah, that was kind of the one thing too, it's like, you know, how much of a payload could you actually put on the credit card? So on track three. And yeah, these devices are everywhere; this was literally me flying to Huntsville when I was speaking at TakeDownCon, and yeah, these mag stripe readers are everywhere, like quite literally everywhere. And one of the other things that I started looking at, I was like, okay, aside from being able to, you know, just pop the register, installing malware, that's not bad enough, I guess. [chuckle] Yeah, actually attacking player rewards systems, like say for example, whosoever played slot machines and like you just kind of were bored and just wanted to go back to your hotel room, so you were going to go play the twenty dollar slots or the, you know, fifty dollar slot and just get it done with?
That's one of the things like uh 00:21:39.832,00:21:43.335 every si- every time I went to those higher end uh slot machines, people would always 00:21:43.335,00:21:47.039 leave a card in there and I thought it was by accident at first like I'm like hey this 00:21:47.039,00:21:50.409 person probably left their card there, and I tried to turn it in and they're like no, the people 00:21:50.409,00:21:54.146 do that because they try to squat points, 'cause uh some guy who's just literally you know 00:21:54.146,00:21:57.316 waiting for a plane or something's gonna you know play twenty five hundred dollars 00:21:57.316,00:22:01.220 worth of slots, and they get to collect the player's reward points so they kind of squat 00:22:01.220,00:22:04.690 some of those accounts and uh that was like one of the attack methods that I was thinking of 00:22:04.690,00:22:09.128 it's like, now that you can inject magnetic data uh it's like you can, you can could squat on 00:22:09.128,00:22:14.600 one of these devices and it's another one is like I was saying uh uh like I think when I was in 00:22:14.600,00:22:19.638 high high school I worked at uh uh an actual company that they had like a player's reward 00:22:19.638,00:22:24.076 program and they they told me they were like, yeah, you can't use your own card, people have 00:22:24.076,00:22:27.846 been fired in the past for that, so it's something where they're on to it and uh they'll actually 00:22:27.846,00:22:32.985 have flags go off if more the the same card's used more than once in you know x amount of 00:22:32.985,00:22:38.457 time uh but some of the actual uh like grocery store chains, or there's uh certain electronic 00:22:38.457,00:22:41.894 companies, where you know every five hundred dollars you spend, you get five bucks, or a hundred 00:22:41.894,00:22:45.464 bucks, so this is one of those other methods like uh some of the rewards programs that 00:22:45.464,00:22:50.202 actually be susceptible to this kind of attack so and like I
was saying the one about refunds 00:22:50.202,00:22:54.340 like where you can actually refund onto a prepaid card, that should not be [chuckle] possible 00:22:54.340,00:22:58.811 to happen, eh eh- especially you know if it wasn't the original transaction, so, and sometimes 00:22:58.811,00:23:02.047 it has to post overnight, but that was like one of my uh additional attack vectors, I 00:23:02.047,00:23:06.752 didn't have time to wean out all the kinks on it, but it's, it's something that uh seemed 00:23:06.752,00:23:13.492 feasible so. And yeah, injecting into actual uh like what I was saying when you could actually 00:23:13.492,00:23:18.497 tap into the remote signal uh as long as you hit the right wire uh you basically could [chuckle] 00:23:18.497,00:23:22.635 overfill like prepaid cards like that, stuff like that, so, so if a bad guy wanted to get an 00:23:22.635,00:23:28.107 unlimited phone calling card, he could be injecting his own card, and having time added it to it, 00:23:28.107,00:23:32.778 so. And uh not only that but some of the you know gift store cards, stuff like that so and uh 00:23:32.778,00:23:36.415 some of them do lock once they have the original amount loaded on them so they're not reusable, 00:23:36.415,00:23:41.120 but the reusable prepaid cards, that say reusable prepaid cards on them you know [chuckle] those 00:23:41.120,00:23:46.125 are the ones that obviously they would attack after, so.
And yeah, like I was saying um, 00:23:48.294,00:23:52.665 these actually triggered events, attacks, uh so you'd have to sniff out the actual um powered 00:23:52.665,00:23:56.235 up readers, like som- a lot of the modern ones they don't actually, they send a remote 00:23:56.235,00:23:59.338 signal that hear there's a transaction going on or hey we're going to ta- do some kind 00:23:59.338,00:24:03.008 of interaction, and I don't know if that's because of this kind of attack, or if it's just 00:24:03.008,00:24:07.646 because uh you know they kind of looked into the future of what people might actually be doing 00:24:07.646,00:24:11.250 with these and it's not a good idea to have something not only powered on, some of these things 00:24:11.250,00:24:16.689 are low energy, so yeah, it's something where you can actually uh for some of the rewards 00:24:16.689,00:24:21.193 programs also you have to hit the enter key to accept that it's your account, so yeah, 00:24:21.193,00:24:24.496 that's one of the things too, I was wondering if you know if it'd be possible to actually 00:24:24.496,00:24:28.934 inject that? So and it uh on the actual point of sale system that I tried on that, it worked 00:24:28.934,00:24:32.071 perfectly 'cause that's one of the biggest things is uh there are customers always stealing 00:24:32.071,00:24:36.608 people's uh you know points uh say somebody didn't have a rewards card they weren't 00:24:36.608,00:24:41.413 actually letting them inject it so. Yeah and uh who's ever used a clock in system?
[chuckle] 00:24:41.413,00:24:47.219 yeah who uh you can never be late to work again now so [chuckle] yeah that's one of the 00:24:47.219,00:24:51.724 uh uh as far as the hardware goes, I bought like a hotel key for the back door, I bought a 00:24:51.724,00:24:56.061 couple keyboards, I bought a couple point of sale systems, um and I bought a clock in 00:24:56.061,00:25:00.232 system and uh a lot of people are going to the fingerprints or some of the actual newer 00:25:00.232,00:25:05.003 method ones so but yeah this is one of my last attack surfaces that I actually looked at so. 00:25:05.003,00:25:10.009 And yeah I'm going to go over the uh video of the brute forcing uh it was on uh just a 00:25:14.813,00:25:19.151 couple times when Windows uh stuff popped up while I was actually doing the demo like 00:25:19.151,00:25:22.421 when I did the video so uh there was actual Windows 10 upgrades 'cause it was like a fresh 00:25:22.421,00:25:28.360 install 'cause I was uh, I lost my original driver disc for my uh MSR 605 and I had to download 00:25:28.360,00:25:31.864 it from an untrusted web page so if you guys wonder what the dialogue boxes popping up all 00:25:31.864,00:25:36.935 the time are so and I'm also going to go into the uh installing actual credit card 00:25:36.935,00:25:42.708 skimming malware off of a web server as long as the internet is still working so and if not 00:25:42.708,00:25:46.512 uh you'll still be able to see that there are injections so.
And I'm going to go set up the 00:25:46.512,00:25:50.382 demo and while I'm setting up the demo I'm actually gonna if people want to step up start 00:25:50.382,00:25:56.722 stepping up to the mics too uh you can ask questions while I'm doing the demos so yeah thanks 00:25:56.722,00:26:00.559 for coming, it's Stay Legal and I'm uh going to go into the demonstration portion right now 00:26:00.559,00:26:05.564 so let's see here [applause] thank you [chuckle] let's see here >>Have you messed with any 00:26:20.479,00:26:25.951 of this on uh airplane mag readers on the back of seats? >>Did you uh mention uh if I 00:26:25.951,00:26:30.022 messed with them on airplanes? >>On the back of seats, you know how they have the mag readers to 00:26:30.022,00:26:33.692 like? >>Yeah I've uh I've learned from other people that have messed around on planes 00:26:33.692,00:26:38.730 that it's uh [chuckle] it's not usually uh go- uh one of the things that you guys want to do 00:26:38.730,00:26:42.601 like uh some of the I saw that mag strip reader and I even felt bad like taking a picture you 00:26:42.601,00:26:47.139 know of the MSR that was on the keyboard thing so yeah I haven't tampered with planes any 00:26:47.139,00:26:51.777 [chuckle] and I hope everybody knows that 'cause yeah that was like one of the I see I've saw 00:26:51.777,00:26:54.813 I've seen those and I thought the exact- 'cause you can't once you start doing this kind of 00:26:54.813,00:27:01.587 stuff, you can't like turn that stuff off so. 
Yeah >>How about the uh like the new like Square 00:27:01.587,00:27:05.757 and uh PayPal and all those things >>Oh Yeah, yeah, the uh some of the I had or- some of 00:27:05.757,00:27:09.161 the original and right now it's actually in I'll I'll come back to your question uh some of the 00:27:09.161,00:27:12.331 Square readers and some of the remote ones, yeah, yeah a lot of the, and that's not a 00:27:12.331,00:27:15.501 vulnerability in them it's anything that uses a mag strip but yeah quite literally 00:27:15.501,00:27:19.972 everything that is affordable that has a mag strip in it, I've bought, and injected stuff into, 00:27:19.972,00:27:24.343 so so yeah yeah that's pretty pretty crazy, that's what I'm saying like if you're making 00:27:24.343,00:27:27.513 your own payment you could be you know presenting a different card I I see where you're 00:27:27.513,00:27:32.985 thinking, that's some clutter thinking, so But uh basically right now it's actually 00:27:32.985,00:27:37.456 injecting the the folio numbers and I'll roll the video back here a little bit there's the 00:27:37.456,00:27:43.495 first Windows 10 upgrade sorry about that and if you guys want this video is online on uh 00:27:43.495,00:27:48.534 YouTube already so and so basically I'm gonna read the raw data 'cause it has like I said 00:27:48.534,00:27:53.906 it has uh custom encoding so you have to have a specific reader to actually do the and uh yeah 00:27:53.906,00:27:59.077 you're gonna be reading the you have to switch it to HiCo and then redraw so yeah there's the 00:27:59.077,00:28:02.714 first transaction and then it's actually you can if you can't see on the actual video it'll 00:28:02.714,00:28:06.084 show because my phone wouldn't focus, but it's actually uh some of the numbers are changing 00:28:06.084,00:28:10.255 because it's rolling through the actual folio revisions.
They have the same check out date so 00:28:10.255,00:28:13.091 it's like the end of the conference is happening or something so everyb- I knew that 00:28:13.091,00:28:17.896 they were checking out at that date and uh it literally took about like six minutes but it if 00:28:17.896,00:28:22.267 you guys want to see how the actual device is over my MSR 605 it was actually injecting folio 00:28:22.267,00:28:27.673 data then uh think the end of this I'm gonna let roll again here for you guys so and then 00:28:27.673,00:28:32.778 after this I actually used a Chinese made mp3 player to inject a credit card number 00:28:32.778,00:28:37.649 which is kinda cool and it burns the mp3 player out so don't try it at home so [chuckle] go 00:28:37.649,00:28:42.955 ahead, yeah what's your question? >>Um did you ever uh try using the MagSpoofer as a 00:28:42.955,00:28:48.060 jammer to perhaps like jam uh a transaction that's in place and then play after it's done? 00:28:48.060,00:28:52.497 Anything like that? >>Yeah that was actually uh oh sorry when people ask me like how do you 00:28:52.497,00:28:55.434 protect against this kind of stuff and that that's kind of the exact same thing is you can 00:28:55.434,00:28:59.438 put one of the MagSpoofers injecting random data on the back of your door and it'll 00:28:59.438,00:29:05.177 actually deauthenticate anybody from uh from actually using it so like it would be a really 00:29:05.177,00:29:08.280 good defense mechanism and you could have like a two form authentication, have it when 00:29:08.280,00:29:12.618 your Bluetooth phone comes in it'll actually shut off the jammer so could add two form 00:29:12.618,00:29:15.354 authentication and it might actually drain the battery so you'll get locked out of your 00:29:15.354,00:29:20.993 room if they don't have it hardwired though so [chuckle] so you might actually DDoS yourself 00:29:20.993,00:29:24.630 out of your own room but yeah, what's your question?
>>Uh so how might someone defend from 00:29:24.630,00:29:29.134 one of these attacks? >>Uh like I was saying the uh um updating to the latest versions of the 00:29:29.134,00:29:33.038 mag strip readers and the actual uh point of sale systems uh that would be my recommendations 00:29:33.038,00:29:36.775 uh where they send remote coding 'cause that shut off mag strip reader is a one that is not 00:29:36.775,00:29:40.746 responsive to this kind of attack so that would be my biggest recommendation is uh get 00:29:40.746,00:29:44.483 updated to something that is USB 3.0 and uh push the latest versions of the actual point of 00:29:44.483,00:29:49.054 sale systems so yeah and yes what's your question? >>So I've seen, I've seen something that 00:29:49.054,00:29:55.260 says you can go around the chip and PIN cards by reactivating the mag strip? Or how does that 00:29:55.260,00:30:00.365 work uh? >>Yeah uh uh Sa- Samy Kamkar did a really good job of explaining how MagSpoofer can 00:30:00.365,00:30:04.136 actually modify some of the flag details on the actual um magnetic card readers >>Uh huh 00:30:04.136,00:30:07.506 >>uh he didn't release it in his code because he's the same way I am, I don't want people to use 00:30:07.506,00:30:12.377 these for illegal purposes but you can actually tell, you can basically send the command that 00:30:12.377,00:30:16.448 hey the PIN's damaged on this let me just use my mag card uh some of the MagSpoofers they're 00:30:16.448,00:30:21.053 modified, like this one has uh two payloads on it and uh I have like I said I had the six 00:30:21.053,00:30:26.525 MagSpoofers in one was my actual uh Big Bertha which is like a huge magnetic coil and I uh let 00:30:26.525,00:30:29.995 press take a bunch of pictures of it but that's like my brute forcing one and that thing took 00:30:29.995,00:30:34.433 me like six hours to build [chuckle] so I didn't want it to break but yeah this one's 00:30:34.433,00:30:38.003 basically a modified version of uh a
MagSpoofer here and I'm gonna actually how much time do 00:30:38.003,00:30:43.842 we got for demo? We're doing really good? Okay if you want to ask some more questions do. 00:30:43.842,00:30:47.546 >>Did you write any fuzzers for any of the embedded systems hooked up to these mag swipe 00:30:47.546,00:30:51.783 readers and did you find any memory corruption issues? >>Ha ha yeah that was actually my 00:30:51.783,00:30:55.554 next uh I was kinda kind thinking some something along the same lines but I uh 00:30:55.554,00:30:59.991 literally ran out of time 'cause I got kind of obsessed with my ATM attacks that I was doing and 00:30:59.991,00:31:04.763 some of the uh actual relaying portions and stuff so I'm gonna actually I'm gonna get get the 00:31:04.763,00:31:07.999 actual mag strip demo kicked off, if anybody has any questions at all uh feel free to 00:31:07.999,00:31:13.004 come up to the podium so. So can everybody see the point of sale system? Two, on the screens? 00:31:29.488,00:31:34.493 Awesome. Here we go and I'm gonna check to see if I have internet connectivity here 00:33:01.746,00:33:06.751 [chuckle] ... Here you go, one second ... And it is now visiting the right page, so I 00:33:35.547,00:33:40.552 have to, I'm going to try the second payload, I'm going to try to pop the command right now, so 00:33:52.764,00:33:57.769 ... And if anybody has any questions, I can answer these while I'm doing this, so. >>Hey 00:34:19.057,00:34:23.695 Weston? >>Yeah? >>Obviously Samy's done a lot of research in siri also have you, have you 00:34:23.695,00:34:30.235 done anything with with uh BLE using like the Coin to rewrite or done any track uh research on 00:34:30.235,00:34:36.374 how Coin rewrites the data or in elastic? >>Uh no, no I haven't actually >>Using it- that as an 00:34:36.374,00:34:41.112 attac- attack method?
>>Uh no, no I haven't I was looking into some of the other research that 00:34:41.112,00:34:45.650 Samy had done then like I said I I did shift ah about half way through this 'cause this was 00:34:45.650,00:34:49.387 done like very very early in the year >>Right >>And, yeah that was something that I I thought 00:34:49.387,00:34:52.791 some of the stuff that Samy was doing is amazing and I was wanting to read some more of his 00:34:52.791,00:34:56.227 research so >>Okay, cool >>But yeah no I didn't look into some of that but I did uh get some of 00:34:56.227,00:35:02.834 the NFC working but I burned my original uh a uh HTC phone's uh near field communication out 00:35:02.834,00:35:06.071 trying to do stuff with it so >>Was it radios out? >>Yeah what's that? >>You burned the 00:35:06.071,00:35:09.674 radios out on 'em? >>Yeah burned the radios out on it so, so that was like the end of it 'cause I 00:35:09.674,00:35:13.979 had like just broke a six hundred dollar phone so that ended my curiosity pretty quick 00:35:13.979,00:35:18.984 so >>Cool, thanks >>Just one more second, I'm gonna try to unplug in the hit >>I know it's 00:35:38.103,00:35:43.375 very different approach [cough] but uh do you have any interest in looking into NFC and other 00:35:43.375,00:35:47.579 technologies that hotels are now using? 'Cause a lot of hotels are phasing out the mag strips? 00:35:47.579,00:35:51.549 >>Yeah those are um most of the ones that use RFID ones are actually tokenized so they 00:35:51.549,00:35:55.553 reflect the folio number instead of having uh actual data in there so you can do some of the 00:35:55.553,00:36:01.559 classic attack methods, but it wouldn't actually, uh wouldn't actually work so as good so and 00:36:01.559,00:36:04.729 that's why I was saying if you're root fuzzing those that's something where your key space 00:36:04.729,00:36:09.734 would be a lot bigger and like you're able to and it's a truly random sixteen digit number so 00:36:32.724,00:36:37.729 ...
same page... I well I apologize the demo blew up on me but I will put a YouTube video 00:37:12.764,00:37:17.569 up uh of it actually working and if you guys want to come and uh I'm going to try to demo it here 00:37:17.569,00:37:21.106 until I actually get kicked off stage but I'll still answering questions so if you guys have 00:37:21.106,00:37:25.410 any questions, feel free to ask too so >>Yeah I was just curious if you'd done any uh playing 00:37:25.410,00:37:29.981 around with the new tabletop devices that are in restaurants and stuff have you looked at any 00:37:29.981,00:37:33.184 of those? >>Yeah every time I sit at uh one my favorite restaurants down the street 00:37:33.184,00:37:36.521 that's like my first thing that I would love to but I don't have access to them I think it would 00:37:36.521,00:37:39.591 be kind of breaking the law, but I would love to actually order some of those >>right >>because 00:37:39.591,00:37:45.930 I've seen a lot of fun things that people do with the- some of the pager systems and stuff so 00:37:45.930,00:37:52.303 >>Nice >>Yes >>So a bit of a comment on uh running on old operating system I ran uh um 00:37:52.303,00:37:58.710 around with a war driver downtown and I found a lot of uh uh WEP Wi-Fi and uh went into the 00:37:58.710,00:38:03.281 the the restaurants that are using that, asked permission of course, because we all ask 00:38:03.281,00:38:07.952 permission and um got the handshake from WEP real quick you know with Wi-Fi, did- did 00:38:07.952,00:38:13.057 some sniffing and found out they're all running old XP, 0867 gets to it old uh POS on there 00:38:13.057,00:38:18.730 uh dump memory and I found even on there a uh admin account with back door back door so I wasn't 00:38:18.730,00:38:24.536 the first one there but I found that they provided WPA2 to the customers but because the uh the 00:38:24.536,00:38:29.674 uh old point of sale couldn't authenticate 'em the old XP couldn't authenticate to WPA2
00:38:29.674,00:38:33.678 they even run on WEP and so you don't even have to get very close at all I wanted to know if 00:38:33.678,00:38:38.149 if that's been your experience or not as well? >>Yeah no that's what I'm saying like uh for as 00:38:38.149,00:38:44.289 far as actual using uh third third party inputs on this kind of stuff >>Yeah yeah and and I 00:38:44.289,00:38:48.393 mean like don't even have to get that close to it that if if they're already networked with 00:38:48.393,00:38:52.764 with WEP then you know, it it it goes in there, but yeah, all that default cred and and uh old 00:38:52.764,00:38:57.502 OS uh I've seen the same thing >>Yeah there's tons of other ways that I could see people 00:38:57.502,00:39:02.440 actually attacking these yeah this is like my main attack surface on this so >>So shifting 00:39:04.876,00:39:08.813 gears a little from mag strips to chip readers have you ever gone into something like that? 00:39:08.813,00:39:13.184 As chip readers start to get more and more popular and maybe hotels start to use that instead 00:39:13.184,00:39:19.090 of mag strips? Do you think these attack vectors that you have kind of really researched might 00:39:19.090,00:39:25.530 be able to shift and transition into the same way you could you could apply it to chip readers? 00:39:25.530,00:39:30.168 >>Yeah some of the chip readers uh they'll still be using some of the uh like uh magnetic track 00:39:30.168,00:39:34.138 data for the most part on some some of the stuff but some of the challenging in the 00:39:34.138,00:39:39.143 encryption they can do, I could see it being able to block a lot of it so >>Okay >>What about uh 00:39:44.582,00:39:51.289 looking into the serial programming on the actual door itself?
>>I yeah I haven't dug 00:39:51.289,00:39:55.393 too deep into some of that stuff like after I got some of this attack surface and then I broke 00:39:55.393,00:40:00.098 my phone like I said it kind of disheartened a little bit so but yeah that was like uh I I was 00:40:00.098,00:40:04.002 I'm still curious about a lot of attack surfaces that was out there but I just yeah didn't 00:40:04.002,00:40:09.707 have the some of the stuff to to get it into it so >>'Cause >>As far as, especially time was my 00:40:09.707,00:40:13.011 biggest constraint on that so >>'Cause if you have a key to your door and you're able to 00:40:13.011,00:40:18.917 reprogram the lock to your door, or you could spoof your key, >>Yeah >>Then you >>Yeah that's 00:40:18.917,00:40:23.121 uh the biggest thing too is like uh are you asking about if you can ... I'm sorry I might've 00:40:23.121,00:40:27.959 reask the question >>So a lot of the doors have uh like a barrel serial connector on the bottom, 00:40:27.959,00:40:32.630 uh two point one jack >>Oh yeah, yeah >>And then if you could reprogram that door over serial, 00:40:32.630,00:40:37.335 and if this is the kind of security that the keys are using are the locks really using that 00:40:37.335,00:40:42.140 kind of security? >>That's what I was saying like even the the most recent hotel attack like 00:40:42.140,00:40:46.210 where they had the little uh bing er the not the dinglehopper but the actual marker at the 00:40:46.210,00:40:50.048 bottom, those are newer systems those have two way interfacing so they can blow the keys away 00:40:50.048,00:40:56.087 uh so a lot of these low energy old ones, or older ones like as old as in like 2008, 2006, those 00:40:56.087,00:41:00.091 ones uh have two two way functionality but it's in fifteen minute increments so 00:41:00.091,00:41:05.096 some of the full blown ones uh they're they're got a little bit different method of actually you 00:41:08.666,00:41:14.806 know protecting themselves so. Thank you.
>>Did you have to use any kind of proprietary um 00:41:14.806,00:41:19.344 reader for your mag strips? I noticed a lot of like credit cards, driver's licenses all 00:41:19.344,00:41:24.248 used uh normal standard one two three tracks but a lot of hotels that aren't readable by those 00:41:24.248,00:41:27.885 standard readers, did you have to use anything special for that or? >>I did have to modify the 00:41:27.885,00:41:33.691 MSR like a little bit to be able to read some of the raw data at the same time as the uh other 00:41:33.691,00:41:38.096 information 'cause they use like a portion of the card and uh actually raw read it I to to 00:41:38.096,00:41:41.799 read their proprietary format you do need an actual driver from the property management 00:41:41.799,00:41:47.572 software but if you can rip the raw encoding, like uh a majority of them you can actually reverse 00:41:47.572,00:41:52.243 it from the raw encoding it just takes it a lot of extra time if you do the the raw read through 00:41:52.243,00:41:55.480 the property management software if you were to get the property management software you would be 00:41:55.480,00:41:59.150 reading entirely different character sets so >>Right. So that's how you did it for most 00:41:59.150,00:42:02.253 of what you're showing here was, was it to dump it to actual keys? Was it to dump it to raw 00:42:02.253,00:42:06.758 and then >>Dumping to raw then I had to reencode it as raw like if if you went up to your room 00:42:06.758,00:42:11.596 and did a MSR and just read it in raw and then copied that to another card that raw would work 00:42:11.596,00:42:17.602 across the board so >>Alright thanks >>Yeah, thank you >>Just curious if you looked into you 00:42:17.602,00:42:23.174 uh trying to do SQL injection into like POS systems or other systems using this method? 
00:42:23.174,00:42:27.245 >>Yeah, I was actually, the demo that I had was literally going to do a uh a Java or a Flash 00:42:27.245,00:42:31.783 drive-by attack so I and there as far as SQL injections that's something that would definitely 00:42:31.783,00:42:35.520 be possible uh especially for some- yeah quite literally if it would be able to get to 00:42:35.520,00:42:41.292 something as back end or internal, that would be a huge attack surface so, yeah. 00:42:41.292,00:42:46.230 >>Thanks >>Uh some of the card readers that are slide ins either have a mechanical or an 00:42:46.230,00:42:50.034 optical sensor, does how does that is that just an- >>Slot machines? >>Yeah >>Like the slot 00:42:50.034,00:42:53.004 machine ones, yeah, they actually turn green when something's inserted into 'em 00:42:53.004,00:42:56.474 and you could use a very low profile piece of seventy pound paper and it will actually 00:42:56.474,00:43:01.412 trigger that event so. Yep! ... How we doing on time guys? [chuckle] Where's my goon? Oh 00:43:27.805,00:43:32.410 we're- two minutes? Okay awesome, yeah, any last questions? I really do apologize 00:43:32.410,00:43:37.982 for this, I'm gonna try to get a demo going in the hallway I guess it- I need to check on 00:43:37.982,00:43:42.053 some of the connectivity issues uh should- shoulda still popped the command shell and injected 00:43:42.053,00:43:46.290 though, so.
I'm having some kind of interface issues so if anybody wants to see this if not 00:43:46.290,00:43:51.929 I'll actually put a uh camera demo online so and I'll make sure that my camera focuses this 00:43:51.929,00:43:56.033 time but if you guys want to look into the actual injection with the m- Chinese mp3 player, 00:43:56.033,00:44:00.138 if you want to burn out a six dollar mp3 player injecting credit cards you can feel free 00:44:00.138,00:44:04.942 to uh and then also a lot of the uh actual payload injections, I'll be putting uh demos up 00:44:04.942,00:44:08.980 online so quite literally as soon as I get back to North Dakota, which I have to drive, 00:44:08.980,00:44:15.686 so, but yeah, if there's no other questions? I just want to thank you guys for staying 00:44:15.686,00:44:19.090 [applause] thank you.