>>My name is Salvador Mendoza and I’m here to talk about how to exploit old mag stripe information with new technology. The idea behind this talk is how to implement audio waves on Bluetooth connections. A little bit about myself, I’m a security researcher I lecture- I present Samsung Pay, tokenized numbers, flaws and issues here in Def Con. At noon today we’re going to use Samsung Pay tokens yeah it’s for the demos.
What exactly is mag stripe information? Well, any kind of capability to store mag stripe information, they have this item where its magnetic particles that could be changed implementing magnetism. But how we can relate mag stripe information with audio files? To do that, we need to, in this case in order to transmit mag stripe information into audio we need to be able to mimic the audio waves from the magnetic field changes when you swipe a card. This kind of waves are F2F signals and they contain zeros and ones that the character can interpret like any kind of character. These characters are of course account numbers, names on the cards, all of that kind of information that you’re going to have on the cards.
This is how it looks an audio spoof or audio file we have many different kind of spikes on them, but what that really means? From Major Malfunction Def Con 14 more than 10 years ago, he talked about magstripe madness, and that presentation he said that depending on the space there’s going to be zeros and ones and these zeros and ones represent the characters.
But of course, how we can transmit this kind of information to the card reader? Last year Weston Hecker present how to brute force hotel keys foils implementing MP3 player. But also, he-he present how to send raw magstripe data with an MP3 player too. So I start researching what kind of technology we need to do that kind of thing. If you try to transmit audio files implementing just the audio by itself you’re not going to get anything in the card reader or you’re going to get some kind of errors.
The key in this attack is the amplifier; sounds kind of funny, get an amplifier to amplify the signal. So the first demo is scout to use Raspberry Pi and uh one coil from this is the cheapest one, 3 dollars from eBay this has a range for 5 volts to 12 volts how you can transmit magstripe information. The set up is very is basic, you connect the audio to the Raspberry output and connect directly to the amplifier, I’m using an external power source to the amplifier so I don’t want to damage my Raspberry Pi and I’m using a coil from my last mag spoof that I used for my last talk at here in Def Con. I connect a credit card reader directly to my laptop so basically when I run a a audio spoof or audio file, I get directly the magstripe information into my terminal. So you can see, the credit card reader how the lights detect the signal and send directly to the terminal.
So, after this approach, I was thinking about portability, how we can do some kind of thing like that but to be used in different kind of things. Um, the main idea was, what kind of technology we have that can support audio and could be closed platform? Well, we have Bluetooth technology. I start buying many different kind of speakers try to implement in this kind of attack and this one specifically has a amplifier built on so we don’t need a separate amplifier.
So I design a tool I call it BlueSpoof. The BlueSpoof is a tool very not kind of similar to the Samy Kamkar MagSpoof because that one implements an ATtiny85 microchip and also a motor controller, this one implements a Bluetooth speaker board and implements audio files and of course a coil. So, the characteristics of this tool it's cheap, Bluetooth supported, 3.7 volts, very portable and accurate. So, what about the demo? So, it can be charged directly from 5 volts like any kind of charger that you have for your cell phones.
So, in this presentation I’m creating a WAV file implementing a track 2 form, the the magstripe information I’m using is a Samsung Pay token from my Chase account, please don’t use it you're not going to be able to it, I hope so. In this case, I’m clearing the Chase spot WAV file, I’m connecting to the BlueSpoof like normal, uh blue Bluetooth speaker after I connect it I’m going to open Audacity, so I can see the WAV files from the file I just create. After I open the file, what I’m going to do is I’m going to select the output of Audacity to send the data to the BlueSpoof too. So, you can see the waves in this file, how it looks like. Name of the BlueSpoof registered in my computer is Taken. So, I play like loop play in this attack, what I’m, what I’m trying to do is I’m approaching the BlueSpoof to my credit card reader to get some kind of information. So, you can see how its start detecting the signals when I approach this kind of uh tool.
What about on other kind of devices? What about a Huawei cheap smartphone? I’m talking about 20 dollars smartphone. It’s already connected to a BlueSpoof tool, so I approach this one to the credit card reader and what happened is it started detecting the signals momentarily and after that it just start regis registering like the other kind of tracks.
Uh after this, I'm going to implement an iPhone 6 because all them support blue uh Bluetooth connection, we can implement on all kind of devices. Uh, it's kind of cool how the iPhone sends a magstripe signal because almost all are not detected in the credit card reader. So, I’m going to play the same WAV file uh I’m implementing a loop to get a better result in the attack. So, you can see how the text signals the credit card reader.
What about the Samsung Galaxy’s? Well, they work the same, implementing the blue Bluetooth connection to and uh like the iPhone's result I can detect almost all the tracks sending by the audio spoof.
Well, the question is, how can I implement this kind of attack without downloading any kind of file to my computer or my device. So, the sign in I pro- I call violent mag dot com, I was able to create audio spoof from the web browser so thanks to [inaudible] for this idea. The main point here is to create audio files from the, in the bout server and after that, we can create oh to play the WAV files from the web server without the necessity of allowing any kind of file. So let's say I have uh I’m using an iPhone 6 and example, I’m going to play from the web browser implementing HTML file support, and you can see in the program how the magstripe is detected by the credit card reader.
So let’s do it to make a payment, I mean that the main idea of this kind of attack? Let’s see it really works in the real time on the life, so I’m going to make a payment in this kind of terminal, it’s all ready to take the signal very quickly and I can select the product after that it's going to validate it using a Samsung Pay token, that they say they don't they don't can't use on any other device than Samsung Pay devices. But I get a notification from Samsung that I’m using one of his tokens. Of course, after that you’re tired of spoofing, you can connect directly to your original speaker and use it like normal [applause].
So, the question is, how we can use this kind of tool to attack different targets? Let’s say, let's put the scenario of Weston Hecker that he was trying to put forward different kind of uh doors, door locks on the hotels. How we can send data, let’s say we have two locks on the hotel, we have two BlueSpoofs that we can put one in one lock and the other one in another card reader, so we can send data to both of them simultaneously, so we can see which one can open.
Um, in the example I’m using, one of the programs from my laptop called Audio MIDI Setup in my Mac, I’m, I’m going to create a multi output device, I already have two devices, two BlueSpoofs connected to my computer so I can route them to this multi output device. After that, and the output selection in the sound settings, I select the output.
So, let’s see a demo, of this one. So in this example, I have two computers, with two credit card readers, I have two BlueSpoofs already connected, and I have my laptop that I, that has the same settings I present today. Uh, I’m going to play an audio spoof file, and you will see in the background uh uh these two computers that take a- t the signal simultaneously. Yeah, play again, I’m using a Windows one machine, I’m using a Ubuntu on the other one. So, I’m playing the audio and you can see data tags that tracked in two computers simultaneously.
Now, the big question is how we can send different data to different BlueSpoofs. It’s kinda challenging. First, I try to use salts from terminal to select the output device, but it didn't work in my computer. So, I started searching and I use Python Sound Device library. You’re able to connect to multiple devices, and you can control them, implementing Python.
So, let’s tell you a little bit about the background on Samsung Pay Tokens, where you are making a payment in Samsung Pay, your um, you put the cell phone in offline mode, all of the tokens, some of the part tokens are going to incremental and by the cryptogram is going to be studied. The last part of the token is going to be random numbers three digits. How we can brute force these three digits? Because I know they the tok- um the transaction IDs going to incremental so the next one instead of ten is going to be eleven. So, let’s try to make a brute force attack. So, in this example, I’m implementing three different BlueSpoofs simultaneously.
I’m connecting to my computer, your laptop, in this case the Mac, you can connect uh up to seven, but in this particular case I’m connecting three, but yet I’m going to use two of them. I’m going to put them close to the credit card readers, so you can see oh I think I got they don’t occur in my Windows computer. So, I’m going to put close to the credit card readers and I’m going to play, I’m going to check the output first, the sound device library, to show you the outputs of the sounds-sounds uh boards. So I have three outputs but I’m just going to use it ID’s three and five for this time because they have my BlueSpoof tools.
So I want to, I’m going to generate a brute force attack. In this case I’m going to use this token sample, that I mentioned, I’m going to create it a WAV files from that. So if the token transaction ID is ten in this one, then, the next one has to be eleven and the random numbers I’m going create is from zero to twenty just an example. After that it’s going to generate the wi the WAV files and it's going to start sending depending on the ID of the speakers, different kind of mag stripe information to one another one. You can see in the background how it going to attack the signal as one and the next one. So, they are different tokens in one terminal and the other one, one has to be even numbers and they random, and the next one has to be odd numbers.
So, after is running this attack, I’m going to approach the camera so you can see the tokens to show you the even numbers are the different between one token and the other one. I’m giving like two seconds of a sleep just to not be too fast. So you can see in- in the back part of the token we have threes, ones, fives, sevens; and these ones are fours, sixes, eights, tens, twelves. So they are different tokens, for different kind attacks. A part for the brute force attacks.
And this part of the base that we are making in the attack, we have the track numbers, frequency, padding, base, maximum beats and the name of the WAV file they are implementing. Of course you can see what kind of speaker we are sending any kind of token. After it's completed, you can see how you get the last token is going to be twenty because that was my last part of the token, the last part of the tech.
So, uh this Saturday, I’m going to present demo labs this tool I call SamyKam and our SamyKam card. It’s about mag stripe information and how to implement BlueSpoof together with this tool, so you are welcome to be there. Thank you to all these guys for support. Please, you have any questions, feel free to ask me. [applause]