Pandora's Cash Box: The Ghost Under Your POS


Formal Metadata

Title: Pandora's Cash Box: The Ghost Under Your POS
Author: N. N. (Shift Reduce)
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

We're all used to seeing the ubiquitous cash drawer, that steel box, usually under the point-of-sale terminal, which holds the money received from sales, without giving it a second thought. But in recent years the cash drawer has exploded in complexity into a full-blown appliance: from USB and Bluetooth support to on-board accounting and verification firmware, this innocuous box has quietly turned itself into a central component of the POS. And unsurprisingly, the security of these devices has not improved in lockstep with their feature set. In this talk we take apart the design and features of a modern cash drawer and show why these devices are the proverbial chink in the armour of a POS system. We discuss how we reverse-engineered the firmware and the proprietary protocols used by several cash drawer models, and provide the tools for other reversers interested in following up. Finally, we demonstrate how, by exploiting several security and design vulnerabilities, we can cause cash to disappear without a trace from a targeted business.
I would like to ask a question: how many of you have played GTA 5? Just raise your hand, don't be shy. So, we spend a lot more time on this than we care to admit, and for this research we thought: wouldn't it be cool if we actually did it as a GTA-style heist against a high-value target, a target which could give us the largest amount of money for the least amount of effort? And the target we chose to go against is a hardware device which is a part of many payment systems, some of which are probably found all around you. Before we start I'd like to make a disclaimer that we are not hardware people, we're software people, but we do think that software people should be allowed to get out of their cages every now and then and have some fun, and that's what we did here.

So this is going to be largely about the Internet of Things, and I know what you must be thinking: Internet of Things talks are usually about hacking [unclear], and yes, that's usually true. In the last few years we've seen researchers attacking devices such as coffee machines, light bulbs and refrigerators, and yes, that's not very interesting. I mean, what could you do if you turn off my light? I just sit in the dark. But there's another angle to the story. What the Internet of Things is really about is the fact that there's a whole class of devices that used to be totally dumb, didn't do anything at all, without any brains, which now have really complicated functionality and connect to the Internet, usually without people knowing anything about it. And this is the kind of target we want to go after: a target which is found in point-of-sale systems, which forms a critical part of those systems, and yet nobody knew that it had any brains of its own, and therefore it was not researched at all up to this point.

So our research is actually framed as a three-day heist, which we're going to show GTA-style. Our main target is actually a [unclear], but we're going to show it; it should be quite cool, because [unclear]. The setting for our story is the city we come from, Tel Aviv, which is a lovely sunny city on the shores of the Mediterranean. It would have been the perfect place to live if it weren't situated in Israel, which as you probably know has wars breaking out in it every now and then. So many Israelis are used to being shot at by conventional weapons, but last summer, while we were doing this research and really having fun, we had some long-range missiles shot at us as well, and this led to a famous trait of the people of Tel Aviv: these people really like to have fun, we like to enjoy the moment because each moment may be our last. That's why we have such crazy events and holidays and occasions, such as the famous annual Tel Aviv [water fight] day, in which girls in skimpy bikinis run in the streets spraying each other, and some sexy guys as well. And there's been a recent [study] that people spend much more time in cafés, restaurants and bars than doing their actual jobs in the office. So if you're looking for money, if you're looking for a good high-value target, this is where you want to look: this is the real cash flow in our city.

So we're going to break it into a three-day heist. On the first day we try to hatch the perfect evil plan on how to get somebody's money. On the second day we do some reversing of our chosen hardware target, and we have to do that because this is the crown [jewel]. And on the third day we go totally at the target, get lots of cash and have a really nice time, and we have to keep that part short because we have our flight to the Bahamas right after the talk. So in this story,
day one: let's look at the plan that we made to get lots of money. So how do we make the perfect plan? We had to hire a criminal mastermind, and of course you want the best, someone who has been doing this kind of thing all his life, and we asked him to do three things for us: find a good target for the attack, look for a good angle that's not been tried before against the target, and form a perfect plan to get those profits. So let's start the process. The target is chosen: it's our glitzy neighborhood [unclear], known as the [unclear], and we have a long-standing account with them. We've been spending our best years there for over 10 years on overpriced [booze] and highly pricey [unclear], and we really wanted to get some of that cash back. So this is the target that we chose, and then we took some pictures, looked for a good angle on the target, and our first, of course immediate, conclusion was: we have to go where the money is, and that's the point-of-sale system, where all payments are received and made. And in order to attack a point-of-sale system we first have to understand what the different ingredients are and what attack surface we have against those systems.

So let's go over the ingredients of a point-of-sale system. The major ones: the first one is the terminal. Now this is just a normal computer running a highly advanced operating system, normally Windows XP. We chose not to go for this particular target for two main reasons: (a) because there have been a lot of highly publicized hacks against terminals, and so the protection level has been increased in recent years, and (b) because you don't have direct access to the cash. The most you can hope to get is credit card numbers, and as I'm sure some of you know, these numbers don't really bring in a lot of payment on the black market unless you have access to millions of them, which we wouldn't even dream of getting.

The second ingredient is the card reader, which is probably the most heavily protected piece of [hardware] in the payment industry. It's protected based on smart-card technology and many hardware mitigations, and unless you have the kind of ability to [unclear], putting our heads into this and smashing them against the wall was just not practical.

The third element is the cashier, which is normally a hard-working lady doing long hours, getting a small salary and basically barely getting by, and she seemed a viable angle: bribe her to work with us. But we didn't want to do that, because she's a hard worker and she really loves her job, and we didn't really want to hurt anybody. So those are the three main ingredients, but there seems to be something missing. Let's have another look: what is that steel box sitting under the terminal? Well, as some of you probably know, this is where they keep all the money. It's known as the cash drawer, this piece of equipment, and it's just a dumb box, a steel box with a lock to hold all the money. Or is it? Well, cash drawer systems have gone through a major evolution in recent years, and it has really been motivated by pressure from the vendors, who didn't like the fact that once they put in a point-of-sale system somewhere it's chained to that particular spot. So if they want to redesign the store, move stuff around, have the sales people interact with clients more freely, they can't do that, because the point-of-sale system always has to stay in the same place. They wanted to push mobility, more wireless connectivity, and the result of that is a wireless cash drawer which can be positioned anywhere within the store. It is not only wireless, it not only has connectivity, it has a whole microcontroller inside with lots of functionality, such as accounting and logging, but most importantly it connects over Wi-Fi to the Internet of Things.

And so let's look again at the premises of our friendly neighborhood [unclear]. So here you see a cash drawer sitting all by itself, not connected to anything, no cables coming out, and yet this is being regularly used by the workers of the place. So I think: bingo, we have a good target. And this is the place to mention that there was no serious security research on these targets, which is why we chose them; we couldn't find anything on the web or online. So the first thing we did is we took the device apart and looked at the board, and we immediately saw two interesting chips. The
first one was an Atmel microcontroller, which is in fact an ATmega 128[4P], and the second chip is a Wi-Fi chip which handles all the Wi-Fi communication and interacts with the microcontroller using AT commands over serial, so the microcontroller doesn't have to handle any Wi-Fi functionality on its own.

So the next stage was to get the firmware so we can reverse it and look for vulnerabilities. Of course what everybody does is look online, and we didn't find anything, because this is a high-security device which is supposed to hold money safely; it wouldn't make any sense to give the firmware out online, no more than it would make sense to put the firmware of a safe or of online banking [systems] online. So we didn't expect to find anything, and we didn't. A second option was to play around with the [UART] to get a serial interface out of the device and dump the firmware from there, but we had only three days and we kept this as the last option. Another option was to open up the microcontroller and try to extract the firmware from the die, but it was standing in the middle of the bar, so we had to give up that option. So our last remaining option was to ask the manufacturer directly and ask them for the firmware. That doesn't make any sense, why would they give us such sensitive information? But we decided to give it a try, and we crafted our highly social-engineered e-mail to the vendor, and surprisingly enough we not only got the firmware, we got a link to the FTP where they keep all the firmware images for all the models. So that was a nice win: the power of cats and [unclear]. And day one ended in victory.

So now it's time for doing some reversing, and for that, as the running
mate, [unclear] had to reverse the binary, reverse a binary blob, understand what's going on, understand the pattern of the code and find the relevant functions. And of course the function we care most about is the function that opens the drawer, because you can't get the money if the drawer is closed. And you know, dealing with a whole new assembly language is a total pain, even if you've been doing this for years, and the funny thing about AVR assembly, and about these processors in general, is that there's not a whole lot [written] about reversing them; we really had to learn everything on our own, which is really [strange] because this is one of the most popular chips in the world. So that's funny. Anyway, we met with some serious pitfalls in understanding this architecture, and we're going to tackle them bit by bit.

The first one is that the register naming is inconsistent, and I'll show you what we mean. Of course we use radare, because we're hardcore, and what we see here in this snippet, which is really similar to 2000 other snippets in the code, is a constant value being loaded into one register, another constant value being loaded into the register above it, and then we see a store into something called Z. What the fuck did we just see? What does Z stand for? [Unclear]? Zimbabwe? We don't know. So we opened IDA to get a hint (sorry pancake, you have to switch [unclear]), and this kind of gave us a hand, because what you see here is a standard loop, right, a loop which writes in increments, and you see that the same store to Z appears all over the place, this is like the main part of the loop. So this means this is a write to memory; Z refers to memory somehow. So by this stage there was no escaping it: we had to open the 2000-page Atmel manual, which really depressed us. After digging we found this reference, and what's really happening is that the AVR architecture has to deal with a problem: the chip is 8-bit but the address space is 16 bits, so you need to have a way to address those 16 bits of memory space using 8-bit registers, which is why they defined register pairs. The top six 8-bit registers, r26 up to r31, also have different names when you refer to them as pairs, and you use them for 16-bit addresses, and the register pair names are X, Y and Z. I think now the code makes much more sense, and you can see in the comments that r30 and r31 together make up register Z, and its value is in fact a low byte and a high byte; you have to put each of them individually into the registers and then use Z for further addressing. And once you get that, the binary really made a whole lot of sense.

But then we have to deal with something different: the creepy, weird Harvard architecture that the Atmel chip uses. Most of us know about that architecture, but we didn't really get a whole lot of chances to reverse it, so let's see what we can do with it. Since we only have three days and want to reverse the firmware as fast as possible, the first thing you'd actually do before anything more structured is find strings. So we did: we went to look for them, and we couldn't find any xrefs to them. So for that we actually had to learn a bit more about the Harvard architecture, which is different from the von Neumann one, which is the standard x86 one. So apparently, in this architecture, you actually have a program address space and a data address space, and you can only execute code in your program address space and not in the data one. So this is kind of like a security measure, but also for performance and stuff. And what you actually see over there is that all the strings which are present (and the APG guys were really kind enough to give lots of strings and lots of debug [output]) are there in the program address space, but you actually see them being copied to SRAM when they're [used] and then being operated on over there. So you'd actually have to figure out how it's actually done, where those strings are accessed, and how we can add xrefs to them.

So apparently AVR has two different instructions in order to access the data address space and the program address space: they use LPM, load program memory, in order to read the program one, and they use [LD] in order to read the data one. So we can actually see [one loader] for program memory in this area and another for the data memory one, and once we figured that out we could actually see all the xrefs being referenced over there. This is just a simple example of the 'open drawer' string, which is a really interesting string for us [unclear]. So this is the picture before, for strings, and after: we got a shitload more data, and since we only had three days, it was really good for us. So once we
figured that out and got all the xrefs, we actually wanted to know a bit about our attack surface on the system. We only had Wi-Fi; it seemed like a really small one, and according to the documentation it seemed that there is some sort of authentication or something like it. So we kept on reversing and found this function, which is much richer; for most of you who are aware of what [big-switch] style looks like, it's like a shitload of ifs and jumps, like this picture over here. So we think that the developers had some kind of [protocol], and this specific function actually interprets all the commands sent to it, like 'open drawer', or 'get accounts', or 'keep all the credentials for the Wi-Fi', and stuff like that. So this is the actual function we want to exploit, and in order to exploit all the things we had Trevor. [He] is one of those people who can actually get from point A to point B [unclear]; he's the one who can actually exploit everything and do it really well.

But since the surface itself was really small, we figured we'd try to look for more bugs. So the first thing: there are a few open-source libraries supported by Atmel, and we tried to diff them and see if there's any resemblance, but we couldn't find anything. So apparently [APG] used their own custom [unclear], a really, really old one, but we don't really care, because what we actually did find was two really interesting functions. One is [unclear], which is really similar to strlen: it walks until a null byte is reached, which is really good, this is how much it should actually do. And a string copy which doesn't add a null byte once it has finished copying everything. So the following: if you look at it, if you use these two functions together, we can actually go and see them used together, we can actually exploit something and get code execution. But we need to write [unclear] and we need to know what the layout is. So the stack itself is stored [unclear] in a really, really long address space, and the [data] itself is stored in a higher place, around 300 [unclear]; the stack is around 200 [unclear]. And our [exploit] was actually sending one packet which has a long header, and right after the header the layout itself had a few [fields] which we could leverage, to use the strlen function to return a false length, and then use the copy one to actually copy more than we should, and to find a pointer inside the stack and [overwrite] it, which was pretty cool. But then [unclear] came up and said: what the fuck, you're doing it wrong, because the APG [firmware] itself has a main function which basically opens the drawer itself, but the authentication is missing here, right? You can see, I don't believe it, I don't see any [checks] around here. So apparently they forgot all the authentication checks: if you just send a packet over the network, the cash drawer opens. I see this is something really tragic about embedded systems: you build a really nice exploit, you put a lot of time into it and you put your heart into it, and then they make the most annoying mistake and just, you know, destroy everything you've done. I mean, why? People, get your act together. And now we come to day three. Let's look at the heist that we did once we figured out this device. So
we're ready for the final job. This is the job of a lifetime against [unclear]. This is our target, and the red circle is the APG cash drawer that we're about to open and take the cash out of. [Unclear.] This is one of our guys sitting with a laptop, ready to send the packet of death that causes that cash drawer to open, and we have another guy who will innocently walk over to the drawer, which is about to open, grab the cash, and, you know, now is the time. But should we [unclear]. On the left, you can see behind them [unclear]. I hope you're enjoying the music. [Unclear] I just took a [unclear] of my own, because it cost me something like [unclear] dollars, that's an expensive place, but we can't afford to live [unclear]. So yeah, actually that's the whole thing.

Now it's time for your questions, or whatever, [unclear]. None whatsoever? So thank you for [unclear]. [Applause]
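Added example, not from the talk or from the speakers' tooling: the reversing step described above (two `ldi` instructions filling r30 and r31 to build the Z pair, followed by an `lpm` that reads through Z out of program memory) can be scripted against a raw flash image to recover the code-to-string cross-references that a plain string search does not give you. The Python below is my own illustration. It assumes a raw binary image (not Intel HEX), that LPM addresses flash by byte while code offsets are reported as byte offsets too, and that the low and high bytes of Z are loaded by two adjacent LDI instructions (compilers usually emit them that way, but a pair split by other instructions would be missed). The sample image and its `OPEN DRAWER` string are constructed for the example and are not a dump of any real cash drawer firmware.

```python
"""Recover Z-pair string references in a raw AVR flash image (added example)."""
from collections import namedtuple
import struct

ZRef = namedtuple("ZRef", "code_off addr text lpm_nearby")

MIN_LEN = 4      # shortest run accepted as a string
LPM_WINDOW = 4   # words after the pair in which to look for an LPM


def decode_ldi(word):
    """Decode LDI Rd,K (1110 KKKK dddd KKKK, Rd = r16..r31).
    Returns (rd, K), or None if `word` is not an LDI."""
    if word & 0xF000 != 0xE000:
        return None
    rd = 16 + ((word >> 4) & 0xF)
    k = (((word >> 8) & 0xF) << 4) | (word & 0xF)
    return rd, k


def is_lpm(word):
    """True for LPM (r0 <- Z), LPM Rd,Z and LPM Rd,Z+ (1001 000d dddd 010x)."""
    return word == 0x95C8 or (word & 0xFE0E) == 0x9004


def read_cstring(blob, addr, min_len=MIN_LEN):
    """Return the NUL-terminated printable-ASCII string at byte offset `addr`,
    or None if nothing plausible is stored there."""
    if addr >= len(blob):
        return None
    end = blob.find(b"\x00", addr)
    if end < 0:
        return None
    raw = blob[addr:end]
    if len(raw) < min_len or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def find_z_string_refs(blob):
    """Scan for adjacent `ldi r30,lo` / `ldi r31,hi` pairs (either order), treat
    hi:lo as a byte address into the same image, and report every pair that
    points at a plausible string.  `code_off` is the byte offset of the first
    LDI (halve it for an AVR word address); `lpm_nearby` says whether an LPM
    follows within LPM_WINDOW words, i.e. the string is read right here rather
    than handed to a helper."""
    words = [struct.unpack_from("<H", blob, off)[0]
             for off in range(0, len(blob) - 1, 2)]
    refs = []
    for i in range(len(words) - 1):
        a, b = decode_ldi(words[i]), decode_ldi(words[i + 1])
        if a is None or b is None:
            continue
        regs = {a[0]: a[1], b[0]: b[1]}
        if not (30 in regs and 31 in regs):
            continue
        addr = (regs[31] << 8) | regs[30]
        text = read_cstring(blob, addr)
        if text is None:
            continue
        lpm_nearby = any(is_lpm(w) for w in words[i + 2:i + 2 + LPM_WINDOW])
        refs.append(ZRef(i * 2, addr, text, lpm_nearby))
    return refs


def _ldi(rd, k):
    """Encode LDI Rd,K as a little-endian instruction word (r16..r31 only)."""
    if not (16 <= rd <= 31 and 0 <= k <= 0xFF):
        raise ValueError("LDI takes r16..r31 and an 8-bit constant")
    word = 0xE000 | ((k & 0xF0) << 4) | ((rd - 16) << 4) | (k & 0x0F)
    return struct.pack("<H", word)


# Constructed sample image (not a real dump): code that loads Z with 0x0040 and
# reads through it with LPM, a decoy pair pointing into 0xFF padding, and one
# string stored at byte offset 0x40.
STRING_OFF = 0x40
SAMPLE_FLASH = (
    _ldi(30, STRING_OFF & 0xFF) + _ldi(31, STRING_OFF >> 8)  # ldi r30 / ldi r31
    + struct.pack("<H", 0x9185)                              # lpm r24, Z+
    + struct.pack("<H", 0x9508)                              # ret
    + _ldi(30, 0x10) + _ldi(31, 0x00)                        # decoy: Z -> padding
)
SAMPLE_FLASH += b"\xff" * (STRING_OFF - len(SAMPLE_FLASH))
SAMPLE_FLASH += b"OPEN DRAWER\x00"


def main():
    for ref in find_z_string_refs(SAMPLE_FLASH):
        tag = "  (LPM follows)" if ref.lpm_nearby else ""
        print(f"code+0x{ref.code_off:04x}: Z=0x{ref.addr:04x} -> {ref.text!r}{tag}")


if __name__ == "__main__":
    main()
```

Run it as-is to list the one reference in the constructed image; pass the bytes of a real image to `find_z_string_refs` to get (code offset, flash address, string) triples you can attach as comments or xrefs in your disassembler. Only Z is scanned because X and Y (r26:r27, r28:r29) address SRAM through LD/ST rather than flash, and a Z pair that is not followed by an LPM is still reported, since the firmware described above copies the string into SRAM through a helper rather than reading it in place.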