and point of sale systems. Sweet, thank you man. Yeah. Sweet. You guys see the slides all good and everybody hear me good? Perfect, perfect. So uh Weston Hecker, I'm gonna be hacking hotel keys and point of sale systems. I had backup videos just in case if anything went south so. So yeah funny story uh starting out a little bit uh after I go through a little bit about myself. I do a lot of talks uh I did HOPE this year, I did uh Black Hat uh this is my third year Def Con. It's a privilege to speak here so yeah basically I do pen testing for a living uh do a lot of research on the side. I'm an ATM enthusiast and like some of the other stuff I just like playing around with like technology so. And I got a couple side projects um I was working on some car hacking uh point of sale system hacking, hotel key hacking and uh just exploits in uh property management software so. But uh funny story uh so when you do uh when you do a uh hotel hacking talk at a hotel it usually involves the staff uh pulling you, your PR person and your boss aside. And taking you into the bowels of the hotel. And I've seen Casino one too many times cause I was a little nervous on uh you know so. But it was something where it all ended really good, they just wanted to know if they were uh vulnerable to this attack and it is not. Uh they tokenized their stuff, they set it up properly, they followed the best practices. So your guys' hotel room keys are safe uh at all the Caesars properties so. Just wanted to throw that in there so. So uh I'm gonna explain uh the actual mag spoofer which is Samy Kamkar's device uh this one's a modified version of the mag spoofer uh this one is not the one that is set up for brute forcing uh but I do have the demo of the actual brute forcing going on. And then we're gonna actually uh infect this point of sale system with malware. Using uh human interface device injection so.
And uh yeah I'm gonna explain a little bit about the point of sale systems and the actual uh process of how the keys are actually made. On some of them that rely on night audit and batch services. Uh they have to do some. Very insecure things to make sure that their databases post and they get charged so. Uh I'm gonna do a privileged uh show you how the privileged attacks work. Uh fireman keys uh service keys things like that so. And it's uh yeah. Some of it's uh I thought it was pretty heavy duty encryption of some kind and uh some most of it's just uh encoded so. They uh definitely skipped some steps. And the point of sale talk it's gonna uh go from how I led from doing hotel research into actually attacking point of sale systems. Cause like the I don't know anybody else who's ever seen Samy's video. Like they thought of every single thing that has a uh mag strip reader on it as now an attack surface. And I just wanna give him a shout out cause that was uh amazing research. And he uh saved me many many hours of reading manuals so. And yeah I'm gonna basically go through how it uses the mag strip readers. Uh whether where the fail was in that. And uh I'm gonna actually go with triggering events on the readers and see what it's listening for. Cause some of the newer uh point of sale systems like they will only power up the reader when x happens. And uh I actually have a tap. That you can attach to uh bypass some of that stuff. So and I'm gonna go through some of the management uh cards. Brute forcing management cards. You can actually you know do refunds and stuff like that. So you can actually refund to other credit cards uh using one of the other attacks. So or yeah I was it was one of that I was conceptually doing and it was uh it would've been a pretty decent attack. Cause I never knew that you could actually refund to a credit card that it wasn't originally charged on.
And that's something I came across while doing some of the other research I was doing this year. So. And yeah so I'm gonna do a cash tend. Uh I'm gonna do a check tend attack. So that basically uh when you inject the F8 key it literally just pops the register open. And I'm gonna go over that in a little bit here soon. Cause everybody pays by check still right? So yeah. And uh attacking OS injection. I'm gonna do a pop a command shell. And then I'm also gonna demo a drive by attack as long as the 4G holds up. So. And I might have to get Steve Jobs on you guys have you turn your phones off but. No he should be good. So I did have 4G working earlier so. And uh some of the uh actual restaurant attacks. And other mag research. Like some of the rewards programs. Uh I I wrote uh one version of it where it cycles through 10 cards. So same as some of those places where you can collect points. They're on to employees. You know just giving the points to themselves. So it actually cycles through like 10 accounts. And I'll go through that in a little bit here. So. I'm gonna go through uh who in the room knows what a mag spoofer is? Who's built one? They're fun. They're they're very fun things to build. And uh yeah. So basically uh you guys you can see there they that's what actually happens if you put iron oxide on uh. Yeah. Oh I think that's actually great. But as far as that goes when you swipe the card it's basically doing the exact same thing. So it's able to speak to magnetic head readers uh using a small little uh mag spoofer so.
And uh how's the yeah it's secure magstripe transmission so it's like I said it's uh something that's been around since 2008 so back in 2002 and 1997 you know people didn't think that this kind of thing was possible so that's uh why a lot of these vulnerabilities um there's no reason that this keyboard should have 102 key functionality that you can actually inject through the actual magnetic head reader so and yeah it's not it's not RFID um a lot of people ask me that like you know the hotel attacks like is it on the RFID um actual keys and no it's not it's actually uh basically turning a magnetic card into a wireless card so. And yeah how do you handle the overheating? So basically uh the first thing I did after I uh got my first mag spoofer, built it, ordered all the parts from China, waited like a week and a half and the first thing I did was burned it out. Because I had tried injecting multiple cards I pushed like five or six cards onto it I did my first modification just to increase how many cards I could store in it and then I started actually you know seeing how many I could do and after about 18 cards uh it burned out so so I waited about another week for all the parts to come from China and yeah I basically made uh six six mag spoofers in one uh with a little bit of a controlled Arduino and then it has a 3800 milliamp battery instead of 100 milliamp so I think it's heavy duty I call it Big Bertha because it is just it's like a huge coil on an Arduino so.
And I'm gonna go into a little bit of what property management software is uh it's uh uh when I refer to it as PMS from now on it is not what everyone would think it was so it is property management software and that is something where uh it is actually where your folio data is everybody's you know seen the checkout where it says folio that's basically where the hotel keeps all your records uh it's how it actually you know knows what to charge when they actually do the night audit process so when they do run the night audit it's gonna charge under your uh bank account nowadays like the uh when they're properly proceduralized it's something where uh there's lots of security mechanisms that people can actually put into place so. I'm gonna go into a little bit of explanation of what the actual uh proprietary card readers and the security behind the hotel uh so basically uh there's your folio number uh actually the one that I found the weakness in was um after I uh unencoded the actual cards I read it in raw using an MSR 605 which is a mag strip reader I basically read the raw data unencoded it and it was literally the same as my folio number and my room number and the checkout date so if you make an assumption that somebody's gonna check out in the next week uh your space just went down a little bit and if your hotel uses a very uh not very old process actually um they actually weaned away from it in 2007 2006 so if they do incremental folios and you're in a 50 person hotel it's a not very big space you have 918 options in a 50 key or a 50 person hotel so it's something where yeah that's not many options to try especially with a modified mag spoofer you can actually inject uh 45 cards uh per minute. So that goes through that space pretty quick so.
And yeah uh collecting the information as you can see the also instead of injecting full credit card numbers you're actually injecting uh just some of the track most of them is the track 3 data a lot of the track 2 data. So credit cards are broken down into track 1, 2 and 3. Uh track 3 is the one that hotel chains use mostly. So and if you've ever noticed you can put your card in upside down that's because that half of the actual magnetic strip is only used. So they only use a portion of track 3 and as you can see I put uh iron oxide on this one also and it just shows that it is actually not. Yeah it's not using the full card cause I covered the whole thing then wiped it down and yeah. So and that and that's one of the things too I travel a lot when I go pen testing so I have like an entire suitcase not an entire suitcase full of it but it's uh got about 3 layers of uh actual hotel room keys and I was always wondering what was on them. So I just got bored one day and started working on it and I was like okay I'm gonna start pulling information off of them and yeah. And there were several several of them um that actually were you know uh pretty easy to actually break the encoding on them cause they were using uh non uh it was I think base 64 but a little bit less. Cause it was very very simple. Uh I wrote an actual script and then uh most of that script actually worked for like 3 or 4 different kinds of keys. So I'm guessing that they're using the same PMS software. So and yeah so how do you uh how would the bad guys do it? Uh I don't know. I don't know. I don't know. So the bad guys go about uh interacting with uh say for example if you were gonna brute force that 918 space. Say uh Weston wanted to get into Hecker's room. It's you know now I know the folio number, I assume he's checking out in the next week. I can actually go to an elevator or the pool area and it'll actually tell me once I get that uh when I get valid card numbers.
So you don't actually have to be sitting in front of the person's door which is kinda you know that would raise a lot of suspicion especially if you had to sit in front of his door for 18 minutes or something like that. So the actual heh yeah that gets kinda complicated. Uh all right. Uh creepy the guy in the hallway for 18 minutes so that's something where yeah uh I was like one of the concepts that was and with that was with permission on this property it was uh actually testing it out by the pool area and the actual uh hotel cause it uh I also found out how the floor restrictions in elevators work this way so so it's kind of cool like if uh somebody wants to go up to the 26th floor you can literally just change the room number it doesn't actually validate the folio on that so and yeah and as far as getting maid service keys um on that property that I was on I literally attached my device to the back of the door and I did that from the privacy of my own room and when people walked by it was uh you know just randomly beeping here and there but uh it was something where it took about 33 minutes to actually get a you know the domain admin of the hotel pretty much it was one of the maid keys and you can literally want like it is crazy the amount of uh access especially with some of the service keys and uh I feel dumb for brute forcing it cause it was uh pretty much all zeros for the maids keys so and I'm sure you know some of the guys out there like that have been right away it's like let's start at zero instead of you know the folio numbers so it's something that once I understood that I tried all nines and that was the service keys and yeah so then uh some of the actual issuing um they issue a monthly so the folio uh once I found out that that was the way that they were issued it was something where I was actually you know pretty much able to do that so and yeah and uh a lot of the elevator and fireman keys like there's some states that are looking at actually uh
luckily they're hidden behind the uh the metal so there's no way people could interact with them you know so that's what I'm saying like uh that heavy-duty mag spoofer it can go a pretty good distance so that is- even if they're blocked off uh for law enforcement uh uh fireman usage uh it can actually reach some of those so yeah so the I'm gonna go through some of the raw dumps uh some of the track uh the other facilities they actually use like say for example if you go to uh the theme park they'll have on track one or track two they'll have other information uh track two on some of the properties uh keys that I was looking at they actually uh basically had my name and I was like aww how am I gonna brute force you know names and stuff and luckily it wasn't validating it so and that's one of the things too is like I always wondered about that like how often you know cause that's one of the things like uh people always heard news stories about personal information there's no personal information on any of the keys that I came across um the ones that I could could decode at least uh with the exception of like a name um and yeah that's to me that's not that identifiable I guess so and uh there are limitations to characters that can be entered um due to the limitations of encoding of the keys only uh once you introduce the mag spoofer you can actually start injecting some illegal characters which I actually found out when uh I was running pretty hot like uh cause I was actually uh measuring like uh how hot it could get before it actually started uh garbling the messages and stuff like that and actually uh some of the bit error percentages like if they would go through the roof if it started getting like uh you know to actually figure out what was safe to run the device at and uh yeah there were some characters I'm
guessing some bits flipped and that's what led me to believe that you know some of the research which I actually will be demoing at the end here so and with some readers they also yeah they automatically inject a return character after the card is swiped so after a certain amount of digits are entered um there is a way to actually uh stop that automatic return character so and I will go uh that's what the modified version of the mag spoofer only cause uh after it does like 46 digits it'll do an automatic return character so and yeah other than that um you just need to know literally the your own folio number if you wanna uh when I was actually going to a like actually uh breaking the encoding it was something where I actually you know just had to get my own key issued and stuff like that twice and um yeah then that gives you a sample to go off of and you could pretty much uh other keys that are collected you know there's lots of them where they have the return things I didn't get those ones but I pretty much just got my own uh keys so so breaking the complex encryption yeah that was pretty simple you know I had to rent an Amazon server for no uh I literally just booted up my computer uh wrote a script to yeah this one was actually this version of it was actually just base 64 encoded so that was kind of uh kind of irritating I thought it was gonna be a lot harder on this one but and some of the uh kiosks I started uh playing around with some of that stuff and anytime you guys go to a security conference that's always the you know first thing they shut off for a good reason for this kind of stuff so because uh this is a really good way to like issue your cards and uh if you're the bad guy obviously uh it's something where they will you know you're able to get like seven cards without being suspicious so because yeah unless yeah so So what led to the research after the hotel keys um that pretty much was my next step I was thinking everything with a um
pretty much a mag reader on it is now a target so and I actually noticed that once I started buying some of these devices uh I was able to get my own keys and then that they were generic HID, uh, HID. And I've done a lot of, uh, HID attacks, uh, human interface device attacks, which are basically keyboards, um, with, uh, Teensy payloads in the past. So it's something where, now that I was, uh, looking at the attack surface of point of sale systems, it was, yeah, naturally the next step, so. So how does it use a mag interpreter? This one up here is a 102 key keyboard, uh, generic, uh, human interface device. And, so basically anything you can type, you can now inject through the, uh, magnetic, uh, head, or card reader, so. And, uh, that's one of the things, too, it's like, oh, why not just hit the keys? Uh, yeah, there's some of these things that, uh, literally, like, you know, it's this long of a text string. Like, say, for example, I'm gonna be demoing a drive-by attack because, uh, yeah, point of sale systems are a little out of date sometimes, so. And I'm gonna actually go through, um, yeah, some of these methods here in a second. And triggering events, like, that's one of the things, too. Like, some of the newer ones, they have actual, uh, uh, you can test if they're being USB fed, so that's something, once they're powered on, you can still do some of it, but they have to wait for a trigger event or for the remote cable to be toggled. So, uh, yeah. So, basically, you can figure out when they're listening, and it's not something where you have to, you know, tap into it, you can literally just look and see if the green light's on. So, that's, like, one of the indicators of it. And, uh, I would definitely, if you guys want to start playing with some of this stuff, get the MSR, uh, the little mag interpreter 103s, I think they're, like, 15 bucks, so. They're really, really fun.
And you can basically dump anything you want into the device, uh, and, uh, you can, uh, get anything you want to into a notepad. And, uh, yeah. So, management keys, that was one of the, the biggest things, too, uh, where I was looking for a really hard challenge. And the actual first point of sale system I bought, which, uh, was pulled out of a taco restaurant, and it, when it was disbanded, and it was auctioned. And, uh, yeah, it came with a management key, and that management key worked on the other two point of sale systems that I bought from separate lots. So, I was like, ah, there's nothing, you know, nothing deep, no crazy, no techno, no chain smoking. It literally was just, uh, pretty much the same admin account used across several point of sale systems. So, now, uh, I'm guessing, uh, cause I, now, you can't turn this off when you go out in, out in the wild. It's something where, uh, I started noticing every single point of sale system, and I'm like, I wonder if, you know, that key would work on that. Key would work on that. And I actually, uh, one of my buddies owns a restaurant that happened to have one of those, and, you know, you can literally inject the, uh, actual management key into it. So, that's something that is pretty crazy. And, like, you can mess with inventory, you can throw off inventory, you can, yeah, some of them need, uh, management overrides, you know, for some of the electronic checkouts and stuff like that. So, that's some scary stuff. And, yeah, here's pretty much, uh, what you guys probably can't read. But, uh, yeah, everybody knows how, uh, for the most part, how keyboards work, and I think we deal with them on a daily basis. So, we pretty much know all the character sets. So, quite literally anything that you can type on that keyboard that I showed earlier, you can pretty much inject. Uh, like I said, sometimes you have to, uh, strip some of the, uh, uh, auto-return characters. Uh, and, uh, you can, uh, uh, enter characters, so. 
And, yeah, one of the first attacks I did, uh, was I saw the cash tend button, or check tend button, and that was, uh, injecting, I was like, okay, I wonder how hard this could be. So, you know, I started, uh, playing around with it, and I was getting into the F, F key functionalities, and I was rolling through it and testing it, and this basically is, like, a way to, like, uh, like, for a bad guy to actually just walk in and literally rob a store. They could literally just put this device on there, and that's what kind of made it scary. Like, it's, you know, now people can rob stores that way. So, with the F8 key, it's, uh, pretty bad, uh. And, uh, yeah, behind every strong man is a strong woman. As you can see, I'm wearing my, I'm wearing my wife t-shirt, so. And behind every, uh, point of sale system, there's an outdated operating system, so. Not every point of sale system, I can't speak for them all, but, uh, every single one that I bought, or I could afford, and that's kind of the way it goes. Um, so basically what you're going to do is you want to exit out of the point of sale system, and, uh, yeah. The next step will be popping a command shell, and, uh, injecting the payload. And what kind of payloads would one want to run on a point of sale system? Uh, I did a talk last year, so I had, uh, a couple mal- uh, memory-scraping malware laying around, and I was like, hey, I will see if I can, uh, load these on a page. So, it's going to do one distribution, and I, uh, tested it this morning, so it's actually going to do a drive-by attack on, uh, an actual web server that I have, uh, loaded, so. And this is a, it's a neutered version of it, it, uh, just talks to itself, so it's not going to actually be doing anything illegal. And it's just going to literally visit the webpage and, uh, has a vulnerable version of, of, uh, some software running on it.
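A defender-side input gate for a keyboard-wedge card reader, written as an added example (not code from the talk or from any POS vendor) to show the three checks the preceding paragraphs argue for: only listen to the reader while a transaction is waiting for a card, refuse anything that is not a plausible track record (so an injected F8, ESC or typed command text never reaches the POS), and alert when one reader produces swipes at a rate no cashier could (the 45 cards per minute of a spoofer). The key-name event format, the lane ids and the card data are constructed assumptions.

```python
import re
from collections import deque
from dataclasses import dataclass, field

# Simplified ISO 7813 structure (constructed for this example, not a full parser).
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"^%B(\d{13,19})\^[A-Z0-9 ./-]{2,26}\^\d{7}[0-9A-Z ]*\?$")
TRACK2_RE = re.compile(r"^;(\d{13,19})=\d{7}\d*\?$")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test on a PAN: rejects bit-flipped or made-up numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class ReaderGate:
    reader_id: str
    max_rejects: int = 5        # rejected swipes tolerated per window
    max_swipes: int = 10        # swipes of any kind per window; a person never does 45/min
    window_s: float = 60.0
    armed: bool = False         # True only while the POS is waiting for a card
    swipes: deque = field(default_factory=deque)
    rejects: deque = field(default_factory=deque)
    alerts: list = field(default_factory=list)

    def arm(self) -> None:
        """Call when a transaction reaches the 'insert/swipe card' step."""
        self.armed = True

    def disarm(self) -> None:
        self.armed = False

    def handle_swipe(self, keys: list[str], now: float) -> tuple[str, str]:
        """keys: the reader's output as key names, one character per printable
        key or a named key such as 'F8'. Returns ('accept', pan) or ('reject', why)."""
        self._note(self.swipes, now, self.max_swipes, "swipe")
        if not self.armed:
            return self._reject("reader idle: no transaction waiting for a card", now)
        # One trailing ENTER is the reader's own auto-return terminator; any other
        # non-printable key (F8, ESC, CTRL...) is keystroke injection, not card data.
        if keys and keys[-1] == "ENTER":
            keys = keys[:-1]
        named = [k for k in keys if len(k) != 1]
        if named:
            return self._reject(f"non-printable keys {named}", now)
        data = "".join(keys)
        m = TRACK1_RE.match(data) or TRACK2_RE.match(data)
        if not m:
            return self._reject("data is not a track record", now)
        pan = m.group(1)
        if not luhn_ok(pan):
            return self._reject("PAN fails Luhn", now)
        return ("accept", pan)

    def _note(self, dq: deque, now: float, limit: int, label: str) -> None:
        """Sliding-window counter; raises one alert when the window hits the limit."""
        dq.append(now)
        while dq and now - dq[0] > self.window_s:
            dq.popleft()
        if len(dq) == limit:
            self.alerts.append(f"{self.reader_id}: {limit} {label} events in {self.window_s:.0f}s")

    def _reject(self, reason: str, now: float) -> tuple[str, str]:
        self._note(self.rejects, now, self.max_rejects, f"rejected ({reason})")
        return ("reject", reason)


# Constructed swipe using the standard Visa test PAN; not a real card.
CARD = list(";4111111111111111=25121011234567890?")


def demo_gate() -> dict:
    """A proper card, an F8 (cash tend) injection, typed text, and a swipe while idle."""
    gate = ReaderGate("lane-1")
    gate.arm()
    out = {"card": gate.handle_swipe(CARD + ["ENTER"], now=0.0),
           "f8": gate.handle_swipe(["F8"], now=1.0),
           "text": gate.handle_swipe(list("not a card"), now=2.0)}
    gate.disarm()
    out["idle"] = gate.handle_swipe(CARD, now=3.0)
    out["alerts"] = list(gate.alerts)
    return out


def demo_brute_force(n: int = 12) -> list[str]:
    """n structurally valid swipes 1.33 s apart (45/min): each one passes the
    format checks, yet the rate alone trips the swipe-window alert."""
    gate = ReaderGate("lane-2")
    gate.arm()
    for i in range(n):
        gate.handle_swipe(CARD, now=i * 1.33)
    return gate.alerts
```

The gate does nothing about a reader that is wired into a dedicated keyboard input path rather than the POS application, which is why the talk's own recommendation of readers that stay powered off until a transaction requests them still matters.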
But then also, you can literally, uh, through the command shell, because most of them run, uh, uh, deprecated operating systems, some of them still have functionalities that where you could literally just put URLs and, uh, download from pretty much any source you wanted, so. Yeah, like I was saying, uh, this is the payload that the bad guys would use, um, like the actual memory-scraping malware. So, uh, in the past, you know, people had to do these ridiculous supply chain attacks, or they had to, you know, breach a vendor account, and now it's literally, uh, you know, the bad guys, it would be as easy as walking up to one of those point of sale systems and actually infecting it, so. And, yeah, and some of them are dev environments, so, like, they're, uh, custom, they have, um, yeah, but they pretty much have their proprietary key functions. They don't have a classic layout, but they still have magnetic card readers, and, um, and I actually, uh, you know, was expecting to have to, you know, map these keys out and do all this crazy stuff, but, uh, they actually, uh, if they have the generic driver loaded, they will accept the same key commands, even if they don't have the keys on the keyboard, so. That was, like, another huge fail, so. But, yeah, as far as limitations of mag injection, uh, making a physical card attack limitation, uh, could you make the waiter do the dirty work? Could you, like, give him your credit card to pay and actually have him walk up and do some of that?
That's something that was kind of my, uh, you know, next step after all this was kind of finished up, and, uh, yeah, that's, um, some, like I was saying, there's some illegal characters that you can't actually encode onto it, so it wouldn't work as good, but I think that, um, it's something that some people have explored in the past, and it's, uh, definitely something I will be, once I have some free time, now that, you know, all the talk and conference seasons are done with, I'll do some more checking into stuff soon. But, yeah, that was kind of the one thing, too, it's like, you know, how much of a payload could you actually put on a credit card, so. On track three, and, uh, yeah, these devices are everywhere. This was literally me, me flying to Huntsville, uh, when I was speaking at, uh, Takedown Con, and, yeah, these mag strip readers are everywhere, like, quite literally everywhere. And, uh, one of these, uh, one of the other things that I started looking at, I was like, okay, uh, aside from being able to, you know, just pop the register, installing malware, that's not bad enough, I guess. Yeah, actually attacking player rewards, uh, systems. Like, say, for example, the, who's ever played slot machines, and, like, you just kind of were bored and just wanted to go back to your hotel room, so you were going to go play the $20 slots or the, you know, $50 slot and just get it done with. That's one of the things, like, uh, every single, every time I went to those higher end, uh, slot machines, people would always leave a card in there. And I thought it was by accident at first, like, I'm like, hey, this person probably left their card there and I tried to turn it in. And they're like, no, the people do that because they try to squat points.
Because, uh, some guy who is just literally, you know, waiting for a plane or something is gonna, you know, play $2500 with the slots and they get to collect the player's rewards points. So they kind of squat some of those accounts, and, uh, that was, like, one of the attack methods that I was thinking of. It's like, you know, you're like, now that you can inject magnetic data, uh, it's like, you can, you can squat on one of these devices. And it's, another one is, like, I was saying, uh, uh, when I was in high, high school, I worked at, uh, uh, actual company that, uh, they had, like, a player's reward program. And they, they told me, they were like, yeah, you can't use your own card. People have been fired in the past for that. So it's something where they're onto it and, uh, they'll actually have flags go off if more, the, the same cards are used more than once in, you know, X amount of time. Uh, but some of the actual, uh, the actual, uh, like, grocery store chains or there's a, certain electronics companies where, you know, every $500 you spend you get 5 bucks or 100 bucks. So this is one of those, uh, other methods like, uh, some of the rewards programs would actually be susceptible to this kind of attack. So, and like I was saying, that one of the refunds, like, where you can actually refund onto a prepaid card, that should not be possible to happen, especially, you know, if it wasn't the original transaction, so. And sometimes it has to post overnight but that was, like, one of my additional attack vectors. I didn't have time to, we know all the kinks on it but it's.
it's something that uh seemed feasible so and yeah and injecting into actual uh like I was saying when you can actually tap into the remote signal uh as long as you hit the right wire uh you basically could overfill like prepaid cards like that stuff like that so so if a bad guy wanted to get an unlimited phone calling card he could be injecting his own card and having time added to it so and uh not only that but some of the you know gift store cards stuff like that so and uh some of them do lock once they have the original amount loaded on them so they're not reusable but the reusable prepaid cards that say reusable prepaid cards on them you know those are the ones that obviously they would attack after so and yeah uh like I was saying um these actually triggered events attacks uh so you have to sniff out the actual uh powered up readers like some a lot of the modern ones they don't actually they send a remote signal that here there's a transaction going on or hey we're going to take do some kind of interaction and I don't know if that's because of this kind of attack or if it's because uh you know they kind of uh looked into the future of what people might actually be doing at these and it's not a good idea to have something uh not only powered on some of these things are low energy so yeah it's something where you can actually uh for some of the rewards programs also you have to hit the enter key to accept that it's your account so yeah that's one of the things too I was wondering if you know if it'd be possible to actually inject that so and it uh on the actual point of sale system that I tried on that it worked perfectly because that's one of the biggest things is uh there were customers always stealing people's uh their uh their uh you know points uh say somebody didn't have a rewards card they were actually letting them inject it so yeah and uh who's ever used a clock in system yeah who that you can never be late to
work again now so yeah that's one of the uh uh as far as the hardware goes I bought like a hotel key for the back door I bought a couple keyboards I bought a couple point of sale systems um and I bought a clock in system and uh a lot of people go into the fingerprints or some of the actual newer method ones so but yeah this is one of my last attack surfaces that I actually looked at so and yeah I'm gonna go over the uh video of the brute forcing uh it was on uh there's a couple times when Windows uh stuff popped up while I was actually doing the demo like when I did the video so uh there was actual Windows 10 upgrades cause it was like a fresh install cause I was uh I lost my original driver disk for my uh MSR 605 and I had to download it from an untrusted webpage so if you guys wonder what the dialog box is popping up all the time I so and I'm also gonna go into the uh installing actual credit card skimming malware off of a web server as long as the internet is still working so and if not uh you'll still be able to see that there are injections so and I'm gonna go set up the demo and while I'm setting up the demo I'm actually gonna if people wanna step up start stepping up to the mics too uh you can ask questions while I'm doing the demos so yeah thanks for coming and stay legal and I'm uh I'm gonna go into the demonstration portion right now so let's see thank you.
Have you messed with any of this on uh airplane mag readers on the back of seats?
Did you uh mention uh if I messed with them on airplanes?
On the back of seats?
You know how they have the mag readers to like
Yeah I've uh I've learned from other people that have messed around on planes that it's uh it's not usually uh one of the things you guys wanna do like some of the I saw that mag strip reader and I even felt bad like taking a picture you know of an MSR that was on the keyboard thing so yeah I haven't tampered with planes any and I hope everybody knows that cause yeah that was like one of the I see I saw I've seen those and I thought the exact cause you can't once you start doing this kind of stuff you can't like turn that stuff off so yeah.
How about the uh like the new like Square and the PayPal and all those things?
Oh yeah yeah the uh some of the I had some of the original and right now it's actually in I'll come back to your question uh some of the Square readers and some of the remote ones yeah yeah a lot of the and that's not a vulnerability in them it's anything that uses a mag strip but yeah quite literally everything that is affordable that has a mag strip in it I've bought and injected stuff into so so yeah yeah that's pretty pretty crazy and that's what I'm saying like if you're making your own payment you could be you know presenting a different card I see what you're thinking. That's something. Yeah.
That's pretty pretty clever thinking so but uh basically right now it's actually injecting the the folio numbers and I'll roll the video back here a little bit and there's the first Windows 10 upgrade so sorry about that and if you guys want this video is online on uh YouTube already so and so basically I'm gonna read the raw data cause it has like I said it has uh custom encoding so you have to have a specific reader to actually do the and uh you gonna be reading the you have to switch it to high code and then read raw so so uh you wanna do less than 70 so this is yeah there's the first transaction and then it's actually you can if you can't see on the actual video it'll show because my phone wouldn't focus but it's actually uh some of the numbers are changing because it's rolling through the actual folio revisions they have the same checkout date so it's like the end of the conference is happening or something so everybody I knew that they were checking out at that date and uh it literally took about like six minutes but if you guys want to see how the actual device is over my MSR 605 it was actually injecting folio data and then uh I think the end of this I'm gonna let rule again here for you guys so and then after this I actually used a Chinese made mp3 player to inject a credit card number which is kind of cool and it burns the mp3 player out so don't try it at home so but yeah what's your question? Um did you ever uh try using the mag spoofer as a jammer to perhaps like jam a transaction that's in place and then play after it's done anything like that?
Yeah that was actually uh oh sorry when people ask me like how do you protect against this kind of stuff and that that's kind of the exact same thing is you can put one of the mag spoofers injecting random data on the back of your door and it'll actually deauthenticate anybody from uh from actually using it so like it would be a really good defense mechanism and you could have like a two form authentication have it when your bluetooth phone comes in it'll actually shut off the jammer so you can add two form authentication and it might actually drain the batteries so you'll get locked out of your room if they don't have it hardwired though so so you might actually dot DDoS yourself out of your own room but yeah what's your question? Uh so how might someone defend from one of these attacks? I don't know I don't know I don't know like I was saying uh uh um updating to the latest versions of the mag strip readers and the actual uh point of sale systems uh that would be my recommendations uh where they send remote coding cause a shut off mag strip reader is the one that is not responsive to this kind of attack so that would be my biggest recommendation is uh get update to something that's USB 3.0 and uh push the latest versions of the actual point of sale systems so yeah and yes what's your question? So I've seen I've seen something that says you can go around the chip and pin cards by reactivating the mag strip. Yeah. Uh how does that work? Uh I don't know I don't know. Yeah uh uh Samy Kamkar did a really good job of explaining how mag spoofer can actually modify some of the flag details on the actual uh magnetic card readers. Uh huh. He didn't release it in his code because he's the same way I am. I don't want people to use these for legal purposes but you can actually uh tell you can basically send the command that hey the pin's damaged on this let me just use my mag card.
Uh some of the mag spoofers they're modified like this one has uh two payloads on it and uh I have like I said I had the six mag spoofers in one was my actual uh big bertha which is like a huge magnetic coil. Yeah. Uh and uh I don't know if you guys are familiar with the magic coil and I uh let press take a bunch of pictures of it but that's like my brute forcing one and that thing took me like six hours to build. Hmm. So I didn't want it to break but yeah this one's basically a modified version of the uh mag spoofer here and I'm gonna actually how much time do we got for demo? We're doing really good? Okay. If you want to ask some more questions too. Did you write any fuzzers for any of the embedded systems hooked up to these mag swipe readers and did you find any memory corruption issues? Haha yeah that was actually my next uh I was kinda kinda thinking some something along the same lines but I uh literally ran out of time because I got kind of obsessed with my ATM attacks that I was doing and some of the actual relaying portions and stuff so I'm gonna actually I'm gonna get get the actual mag strip demo kicked off. If anybody has any questions at all uh feel free to come up to the podium so. So can everybody see the point of sale system too on the screens? Awesome. Here we go. And. I'm gonna check to see if I have internet connectivity here. Haha. This is a good one. Here we go, one second. And it is not visiting the right page, so I have to, I'm gonna try the second payload, I'm gonna try to pop the command right now, so. If anybody has any questions, I can answer these while I'm doing this, so. Hey Weston. Yeah. Obviously Samy's done a lot of research in this area also. Have you, have you done anything with, with uh, the BLE using like the coin to rewrite, or done any track uh, research on how coin rewrites the data, or any of the plastic? Uh no, no I haven't actually.
Using it, that as an attack, attack method? Oh no, no I have, I was looking into some of the other research that Samy had done and then, like I said I, I did shift uh, about halfway through this, cause this was done like very, very early in the year. Right. And yeah, that was something that uh, I thought some of the stuff that Samy was doing was amazing and I was wanting to read some more of his research, so. Okay. But yeah, no I didn't look into some of that, but I did uh, get some of the NFC working, but I burned my original uh, HTC phones, uh, near field communication out, trying to do stuff with it, so. Are the radios out? Yeah. What's up? You burned the radios out on them? Yeah, burned the radios out on it, so. So that was like the end of it, cause I like, just broke a $600 phone, so. That ended my curiosity pretty quick, so. Cool, thanks. I'm gonna try and plug in the HID. I know it's a very different approach, but uh, do you have any interest in looking into NFC and other technologies that hotels are now using? Cause a lot of hotels are phasing out the mag strips. Yeah, those are um, most of the ones that use RFID ones are actually tokenized, so they reflect the folio number instead of having uh, actual data in there. So you could use some of the classic attack methods but it wouldn't actually uh wouldn't actually work so as good and that's what I'm saying if you're brute forcing those like that's something where uh your key space would be a lot bigger and like you're able to it's a truly random 16 digit number so. Just pop in the same page. Okay, so I'm going to just pop in the same page and I'm going to go ahead and I'm I apologize, the demo blew up on me, but I will put a YouTube video up, uh, of it actually working, and if you guys wanna come in, uh, I'm gonna try to demo it here until I actually get kicked off stage, but I'll still answer any questions, so if you guys have any questions, feel free to ask, too, so.
Yeah, I was just curious, have you done any, uh, playing around with the new tabletop devices that are in the restaurants and stuff? Have you looked at any of those? Yeah, no, every time I sit at, uh, one of my favorite restaurants down the street, that's like my first thing that I would love to, but I don't have access to them, and I think it would be kind of breaking the law, but I would love to actually order some of those. Right. Because I've seen a lot of fun things people do with some of the pager systems and stuff, so. Nice. So, a bit of a comment on, uh, running on old operating systems. I ran, uh, um, uh, uh, uh, uh, uh, a while ago, I was running around with a, uh, a war driver downtown, and I found a lot of, uh, uh, WEP Wi-Fi, and, uh, went into the, the, the restaurants that were using that and asked permission, of course, because we all ask permission, and, uh, got the handshake from WEP real quick, you know, with Wi-Fi, and did some sniffing, found out they were all running old XP, 0867 gets to it, old, uh, POS on there, uh, dump memory, and I found, even on there, uh, an admin account with backdoor, backdoor, so I wasn't the first one there, but I found that they provided WPA2 to the customers, but because the, the, uh, old point of sale couldn't authenticate, and the old XP couldn't authenticate to WPA2, they even run on WEP, and so you don't have to get very close at all. I want to know if, if that's been your experience or not as well. Yeah. So that's, I'm saying, like, uh, for as far as actual using, uh, third, third-party inputs on this kind of stuff? Yeah, yeah, and, and, I mean, like, don't even have to get that close to it, that if, if they're already networked with, with WEP, then, you know, it, it, it, it goes in there, but yeah, all that default cred in, in old, uh, OS, uh, I've seen the same thing. Yeah, there's tons of other ways that I can see people actually attacking these. Yeah, this is, like, my main attack surface on this, so. 
So, shifting gears a little from mag strips to chip readers, have you ever gone into something like that, as chip readers start to get more and more popular, and maybe hotels start to use that instead of mag strips? Do you think this attack vectors that you have, kind of, really researched might be able to shift and, you know, transition into the same way you could, you could apply it to chip readers? Yeah, some of the chip readers, uh, they'll still be using some of the, uh, magnetic track data, for the most part, on some, some of the stuff, but, uh, some of the challenging and the encryption they can do, I would see it being able to block a lot of it, so. Okay. So. What about, uh, looking into the serial programming on the actual door itself? Uh, the, I, yeah, I haven't dug too deep into some of that stuff, like, uh, after I got some of this attack surface, and then I broke my phone, like I said, it kind of disheartened a little bit, so. But, yeah, that was, like, uh, I, I was, I was still curious about a lot of the attack surface that was out there, but I just, yeah, I didn't have the, some of the stuff to, to get into it, so. Right. As far as, especially time was my biggest constraint on that. Because if you have a key to your door, and you're able to reprogram the lock to your door. Yeah. And, or you can spoof your key, then you. Yeah. Oh yeah, that's what the biggest thing, too, is like, uh, are you asking, about if you can, I'm sorry, I might, I already asked the question. No, so, a lot of the doors have, like, a barrel serial connector on the bottom, that 2.1 jack. Oh yeah, yeah. And then, if you can reprogram that door over serial, and if this is the kind of security that the keys are using, are the locks really using that kind of security?
And that's what I'm saying, like, even the, the, the most recent hotel attack, like where they had that the little, uh, bingo, not the Bingo Dauber, but the actual lock. Right. Yeah. I think that's cool. Right? I think we're doing ready Puerto Rico, marker at the bottom those are newer systems those have two way interfacing so they can blow the keys away uh so a lot of these low energy old ones or older ones like as old as in like 2008 2006 those ones uh have two two way functionality but it's in 15 minute increments so some of the full blown ones uh they're they're got a little bit different method of actually you know protecting themselves so yeah thank you. Did you have to use any kind of a proprietary um reader for your mag strips I noticed a lot of like credit cards driver's licenses all used a normal standard one two three tracks but a lot of hotels aren't readable by those standard readers did you have to use anything special for that or? I did have to modify the MSR like a little bit to be able to read some of the raw data at the same time as the uh other information cause they use like a portion of the card and uh actually raw read it uh you do to read their proprietary format you do need an actual driver from the property management software but if you can rip the raw encoding like uh a majority of them you can actually reverse it from the raw encoding it just takes a lot of extra time if you do the the raw read through the property management software if you were to get the property management software you would be reading entirely different character sets so. Right so that's how you did it for most of what you're showing here was it wasn't to dump it to actual keys but to dump it to raw and then encode it. Dumping to raw then I had to re-encode it as raw like if you went up to your room and did MSR and just read it in raw and then copied that to another card that raw would work across the board so. Alright thanks. Yeah. Thank you. 
Just curious if you looked into uh trying to do SQL injection into like POS systems or other systems using this method. Yeah I was actually the demo that I had was literally gonna do a uh a a Java or a Flash drive by attack so I and there as far as SQL injections that's something that would definitely be possible uh especially for some yeah quite literally if it would be able to get to something that's backend or internal that would be a huge attack surface so yeah. Thanks. Uh some of the things that I've learned over the last couple of years is that some of the card readers that are slide ins either have a mechanical or an optical sensor does how does that is that just an ASCII character? Slot machines. Yeah. Like the slot machine ones yeah. They actually turn green when something's inserted into them and you can use a very low profile piece of 70 pound paper and it'll actually trigger that event so. Yep. How we doing on time guys? My goo and oh we're two minutes? Okay awesome. Yeah any last questions? I really do apologize for this I'm gonna try to get a demo going in the hallway I guess it I need to check on some of the connectivity issues uh it should have still popped the command shell and injected though so I'm having some kind of interface issues so if anybody wants to see yes if not I will actually put a uh camera demo online so and I'll make sure that my camera focuses this time but if you guys want to look into the actual injection with the Chinese mp3 player if you want to burn out a 6 dollar mp3 player injecting credit cards you can feel free to uh then also a lot of the uh actual payload injections I'll be putting uh demos up online so quite literally as soon as I get back to North Dakota which I have to drive so but yeah if there's no other questions I just want to thank you guys for uh staying. Thank you.