Pandora's Cash Box: The Ghost Under Your POS
Formal Metadata
Title: Pandora's Cash Box: The Ghost Under Your POS
Title of Series: REcon 2015
Part Number: 17 of 18
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/32816 (DOI)
Transcript: English (auto-generated)
00:17
Hi, I'm Itai, and we'd like to ask you a question.
00:23
How many of you have played GTA 5? Just raise your hands, don't be shy. Cool. So we've spent a lot more time on this game than we care to admit. And for this research, we thought, wouldn't it be cool if we would actually do it as a GTA-style heist
00:41
against a high-value target, a target which could give us the largest amount of money for the least amount of effort? And the target we chose to go against is a hardware device which is a part of many payment systems, some of which are probably found all around you.
01:00
And before we start, I'd like to make a disclaimer that we are not hardware people, we are software people, but we do think that software people should be allowed to get out of their cages every now and then and have some fun, and that's what we did here. So this research is going to be largely about the Internet of Things, and I know what you must be thinking
01:22
that Internet of Things is usually all about stunt hacking and yeah, that's usually true. In the last few years, we've seen researchers attacking weird devices such as coffee machines, light bulbs, and refrigerators. And yes, that's not very interesting.
01:40
I mean, what could you do if you turn out my light bulb? I'll just sit in the dark, boo-hoo. But there's another angle to this story. What the Internet of Things is really about is the fact that there's a whole class of devices that used to be totally dumb and didn't do anything at all with any brains, which now have really complicated functionality
02:04
and connect to the Internet, usually without people knowing anything about it. And this is the kind of attack, this is the kind of target that we've chosen to go out against, a target which is found in point-of-sale systems, which forms a critical part of those systems, and yet nobody knew that it had any brains of its own,
02:23
and therefore it was not researched at all up to this point. So our research is actually based on a three-day heist. We're going to show GTA style. Our main target is actually a cafe shop that we're going to show. It should be quite cool
02:40
because cafes really steal money from you guys, so if you actually want to do a heist, might be a good target. And the setting for our story is the city we come from, Tel Aviv, which is a lovely sunny city on the shores of the Mediterranean. It really would have been the perfect place to live if it wasn't situated in Israel, which as you probably know,
03:00
has wars breaking out in it every now and then. So many Israelis and Tel Avivis too are used to being shot at by conventional weapons, but last summer we started really having fun when we had some long-range missiles also shot at us. And this led to a famous Tel Aviv trait,
03:20
a famous trait of Tel Aviv people. We really like to have fun. We really like to enjoy the moment because each moment may be our last. That's why we have such crazy events and holidays and occasions, such as the famous annual Tel Aviv Water Fight Day in which girls in bikinis, skimpy bikinis, run around the streets spraying each other with water, and some sexy guys as well.
03:44
And there's been research recently that people in Tel Aviv spend much more time in cafes, restaurants, and bars than doing their actual jobs in the office. So if you're looking for money, if you're looking for a good high-value target, this is where you want to look. This is the real cash cow in our city in Tel Aviv.
04:06
And we are going to break it into a three-day heist. During the first day, we'll try to hatch the perfect evil plan on how to get some dirty money. On the second day, we'll do some reversing of our chosen hardware target,
04:21
and we have to do that because this is recon. And on the third day, we're going to totally own the target, get lots of cash, and have a really nice win. And we'll have to cut that part a bit short because we have our flight to the Bahamas waiting just at the airport.
04:40
So let's start with day one and look at the plan that we've done to get lots of money. So in order to make the perfect plan, we had to hire a criminal mastermind. And of course, we went to Lester Crest, who's been doing this kind of thing all his life, and we asked him to do three things for us.
05:02
Find a good target for attack, look at a good angle that's not been tried before against the target, and form a perfect chain of attack to let us profit. So let's start the process. The target we've chosen is our glitzy neighborhood cafe in Tel Aviv. It's known as Cafe Anastasia.
05:21
And we have a long-standing account with it. We've been spending our best cash there for over 10 years on overpriced cappuccinos and highly greasy baked goods. And we really wanted to get some of that cash back. So this is the target that we chose to attack. And we went in there, we took some pictures,
05:42
we looked for a good angle, a good target, and of course, our immediate conclusion was that we have to go to where the money is found, and that's the point of sale system, where all payments are received and made. And in order to attack a point of sale system,
06:00
we first have to understand what are the different ingredients, and what is the attack surface we have against those systems. So let's have a go at it and look. So the ingredients of a point of sale system are three major ones. The first one is the terminal. Now this is just a normal computer running a highly advanced operating system,
06:21
normally Windows XP. And we didn't choose to go for this particular target for two main reasons. A, because there's been a lot of high publicity hacks against terminals, and so their protection level has really increased in recent years. And B, because they don't have direct access to the cash. The most you can hope to get is credit card numbers,
06:42
and as I'm sure some of you know, these numbers don't really bring in lots of payment in the black market, unless you have access to millions of them, which we didn't even dream of getting. The second part, the second ingredient, is the card reader, which is probably the most heavily protected
07:00
piece of hardware in the payment industry. It's protected by smart card technology and many hardware mitigations, and we didn't really have the kind of ability to put our heads into this and smash them on the wall. That was just not practical. The third element is the cashier,
07:23
which is normally a hard-working lady doing long hours, getting a small salary, and basically barely getting by. And it seemed like a viable angle to bribe her, get her to work with us, but we didn't want to do that. Why? She's a hard worker and she really loves her job.
07:45
Yeah, and we didn't really want to hurt anybody. So, that's the three main ingredients, but there seems to be something missing. Let's have another look. What is that steel box sitting under the terminal?
08:01
Well, as some of you probably know, this is where they keep all the money. It's basically a drawer. It's not just a cash drawer, this piece of equipment, and it's just a dumb box, a steel box with a lock to hold the money. Or is it? Well, no.
08:20
Point of sale systems have gone through a major evolution in recent years, and this has been really motivated by pressure from the vendors who didn't really like the fact that once they put in a point of sale system somewhere, it's chained to that particular spot. So, if they want to redesign the store, move stuff around, have their salespeople interact with clients more freely,
08:41
they can't do that because the point of sale system always has to stay in the same place. They wanted to push for more mobility, more wireless connectivity, and the result of that is a wireless cash drawer, which could be positioned anywhere within the store. And it's not only wireless, it not only has connectivity,
09:00
it has a whole microcontroller inside with lots of other functionalities, such as accounting, logging, but most importantly, it connects over Wi-Fi to the internet of things. So, let's look again at Cafe Anastasia,
09:20
our friendly neighborhood target. And let's get a closer look. So, here we see a cash drawer sitting all by itself, not connected to anything, no cables coming out, and yet it's being regularly used by the workers of the cafe. So, I think, bingo, we have a good target.
09:43
And this is a place to mention that there was no serious security research on these targets, which is why we chose them. We couldn't find anything on the web or online at least. So, the first thing we did was crack the device open and look at the board. And we immediately saw two interesting chips.
10:03
The first one was the microcontroller, which is an Atmel ATmega1284P. And the second chip is a WIZnet chip, which handles all the Wi-Fi communication. And it interacts with the microcontroller using AT commands over serial.
10:21
So, the microcontroller doesn't have to handle any Wi-Fi functionality on its own. So, the next stage was to get the firmware so we can reverse it and look for vulnerabilities. So, of course, what everybody does is look online. And we didn't find anything because this is a high security device
10:40
which is supposed to hold money safe. It won't make any sense to keep the firmware online, no more than it would make sense to keep the firmware for safes online, banking safes. So, we didn't expect to find anything and we didn't. So, our second option was to play around with UART, try to get a serial interface, probably pull the firmware from there.
11:01
But we had only three days and we kept this as the last option. Another option was to burn open the microcontroller and try to extract the firmware from within. But it was Sunday and Dimitri and Dostoevsky's lab was just closed. So, we had to give up that option. So, our last remaining option
11:23
was to ask the manufacturer, write to them directly, and ask them for the firmware. But that doesn't make any sense. I mean, why would they give us such sensitive information? That's really weird. But we gave it a try and we crafted our highly social engineered email
11:41
to try and get it. And surprisingly enough, we not only got the firmware, we got a link to their FTP where they keep all their firmware lines for their full models, for all their models. So, that was a nice win. The power of cats, the power of fleet cat.
12:05
And day one ended in victory. So now, it's time for doing some reversing. And for that task, we brought in Paige Harris, a superwoman hacker, and we gave her two tasks. To reverse the binary, reverse the binary blob
12:21
to understand what's going on in there, to understand the pattern of the code. And two, to find the relevant functions. And of course, the function we cared most about is the function that opens the drawer. Why? Because you can't get the money if the drawer is closed. And dealing with a whole new assembly language
12:40
is a tall task, even if you've been doing this for years. And the funny thing about Atmel assembly, and Atmel processors in general, is that there's not a whole lot of info about reversing them. We really had to learn everything on our own. Which is weird, because this is one of the most popular chips in the world. So that's pretty funny. Anyway, we've dealt with some few serious mind fucks
13:02
in dealing with this architecture, and we're going to tackle them bit by bit. The first one is that the register naming is weird. It's inconsistent. And I'll show you what we mean. Of course, we used radare, because we're hardcore. And what we see here, in this snippet, which is really totally similar
13:22
to thousands of other snippets in the code, we're seeing something weird. We're seeing a constant value being loaded into one register. Another meaningless constant value being loaded into the register above it. And then we're seeing a store into something called Z. What is Z? What the fuck did we just see?
13:41
What does Z stand for? Does it stand for a zebra? Does it stand for a zord? Does it stand for Zimbabwe? We didn't know. So we opened IDA to get a hint. Sorry, pancake, we had to switch to a GUI. And this kind of gave us a hint,
14:00
because what you see here is a standard write loop, a loop which writes, then increments. And you see that the same store, to Z, appears all over the place. This is like the main part of the loop. So this means this is a write to memory. So Z refers to memory somehow. So by this stage, there was no escaping it. We had to open the 2,000 page Atmel assembly manual,
14:22
which really depressed us. And after digging, we found this reference. And what's really happening is that the Atmel architecture has to deal with a problem. The chip is eight bit, but the address space is 16 bits. So you need to have a way to address those 16 bits of memory space using eight bit registers,
14:42
which is why they defined register pairs. The way this is implemented is that the top six registers in memory, 26 up to 31, also have different names when you refer to them as pairs. And when you refer to them as pairs, they hold 16 bit addresses. So and the register names are X, Y, and Z.
15:00
And I think now the code will make much more sense. And you can see in the comment that 30 and 31 together make up register Z. And its value is in fact a low byte and a high byte. And we've had to put each of them individually into the registers. And then use Z to refer to that address.
15:21
And once we got that, the binary really made a whole lot of sense. But then we had to deal with something different. The creepy, weird Harvard architecture that the Atmel chip uses. And most of us have heard about the Atmel architecture, but didn't really get a whole lot of chances to reverse it. So let's see what we can do with it. So since we only had three days,
15:42
we wanted to reverse the firmware as fast as possible. And the first thing you'd actually do in a firmware is to actually find strings. So we did want to look for them, but we couldn't find any xrefs for them. So for that we actually wanted to learn more
16:01
about our Harvard architecture, which is different from Von Neumann's, which is the x86 based one. So apparently in Von Neumann's, you actually have a program address space, and a data address space. And you can only execute code in your program address space, and not in the other one.
16:22
So this is kind of like a security measure, but also for performance and stuff. And what we'd actually see over there is that all the strings which were present, and the APG guys were really kind enough to give lots of strings and lots of debug stuff over there, they were in the program address space.
16:41
But we'd actually see them being copied to the SRAM data address space, and then being operated on over there. So we'd actually have to realize how it's actually done, and where those strings are accessed, and how we can add xrefs to them. So apparently Atmel has two different distinct instructions
17:01
in order to access the data address space and the program address space. They use LPM, load program memory, in order to hit the program one, and they use LD in order to hit the data one. So we can actually see a strlen for program memory, and another strlen for the data memory one.
17:23
And once we figured that, we could actually see all the xrefs being referenced over there. This is just a simple example of eOpenDrawer, which is a really interesting string for us, since we wanted to own the whole cashier itself. So this is the picture of before strings and after strings.
17:42
We got like a shitload of more data, and since we only had three days, it was really good for us. So once we figured that, and we got all the xrefs, we actually wanted to know a bit about all of our attack surface. And since we only had Wi-Fi, it seemed like a really small one. And according to the documentation itself,
18:02
it seemed that there is some sort of authentication or something like it. So we kept on reversing, and we found this function. Now, I'm not really sure if most of you are really aware of what's Hadouken code style, but it's like shitload of ifs, and it really resembles this picture over here.
18:21
So we think the developers had some kind of resembles over here. And this specific function actually interprets all the commands sent to the cashier itself, like open drawer or get accounts, or keep all the credentials for the Wi-Fi and stuff like that.
18:41
So this is the actual function we wanted to exploit. And in order to exploit all the things, we hired Trevor. He's one of those people who can actually get from point A to point B, and do it really, really good. He's the one who can actually exploit everything,
19:01
and do it really good, I guess. But since the attack surface itself was really small, we figured we'd try to look for more bugs, like bugs in their own libc. So we fetched a few open source libraries supported by Atmel, and tried to diff it and see if there is any sort of resemblance, but we couldn't find anything.
19:22
So apparently they either used their own custom libc or a really, really old one, but we didn't really care. But what we actually did find was two actually interesting functions for our exploitation vector. One which is a really similar one, strlen, which walks up until null is reached,
19:41
which is really good. This is how it should actually be done. But strcpy, which doesn't add any null byte once it finished copying everything. So the fuck? If you look at it. So if you use these two actual functions together,
20:00
and see them used together, we can actually exploit something and get code execution. But we need to write somewhere into, and we need to know where the layout is. So the stack itself is stored in SRAM in really, really low address space, and the data itself is stored in high address space,
20:20
around 300, and stack is around 200x. Our stage coupon was actually sending one packet which has a log header, and right after it the layout itself had a few flags, which weren't zero. We could leverage that to use the strlen function to return a false length,
20:43
and then use the memcpy one to actually copy more than what we needed. We leverage that to find a pointer inside the stack, and wrap all our way out, which was pretty cool. But then Lester came up and said, the fuck, you're doing it wrong?
21:01
Because the APG itself had a money function which basically opens the drawer itself, but there's something fishy here, right? Give me a minute to look. Gosh, I don't believe I see any fail branch here. So apparently they forgot all the authentication checks over there, so you could just send a packet over the network
21:22
and get the cashier open. Actually, this is something really tragic about embedded systems, is that you build a really nice exploit, you put a lot of time into it and effort, and you put your heart into it, and then they make the most annoying fail, and just destroy everything that you've done. I mean, why, people, why?
21:42
Get your act together. And now we come to the main demo. The main demo? Main day. Yeah. And let's look at the heist that we've done once we figured out how to own this device.
22:02
So we're ready for the final job. This is the job of a lifetime, we can't screw it up. And this is our target in the red circle, the APG cash drawer that we're about to open and grab the cash out of. We hired two guns. This is one of our guns, sitting with a laptop, ready to send a packet of death to the cash drawer
22:22
to open it. And we have another gun. We'll innocently walk over to the drawer, wait for it to open, grab the cash, and get out. And now is the time. For the actual demo. Yeah.
22:42
You can see the cashier on the left. So yeah, so you can see behind the gun on the left side, you can see the cashier. Okay, let me, yeah. Now it's muted. Yeah.
23:02
I hope you're enjoying the music. Yeah. We still had our drinks, so we didn't want to give it up. So I just took a sip out of my own because it cost me something like $10. It's a really expensive place. And off we go.
23:23
We couldn't afford to live as Americano there either. That's it.
23:40
So yeah, actually, wait. So this is the whole thing. And now it's time for your questions or whatever. You can also throw stuff at us if you want.
24:02
None whatsoever. Cool. So thank you for your time, everyone. And drink some on us because we have no financial problems.