
Hacking Hotel Keys and POS systems


Formal Metadata

Title
Hacking Hotel Keys and POS systems
Title of Series
Number of Parts
93
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Take a look at weaknesses in point of sale systems and the foundation of hotel key data and the property management systems that manage the keys. Using a modified MST injection method, Weston will demonstrate several attacks on POS and hotel keys, including brute forcing other guests' keys from your own card information as a starting point, and methods of injecting keystrokes into POS systems just as if you had a keyboard plugged into the system. This includes injecting keystrokes to open the cash drawer and abusing magstripe-based rewards programs that are used in a variety of environments, from retail down to rewards programs in slot machines.

Bio: 11 years pen-testing, 12 years' security research and programming experience. Working for a security company in the Midwest, Weston has recently spoken at DEF CON 22 & 23, Black Hat USA 2016, Enterprise Connect 2016, ISC2 Security Congress, SC Congress Toronto, HOPE 11, BSides Boston and over 50 other speaking engagements, from regional telecom events to universities, on security subject matter. Working with a major university's research project with the Department of Homeland Security on 911 emergency systems and attack mitigation. Attended school in Minneapolis, Minnesota: computer science and geophysics. Found several vulnerabilities in very popular software and firmware, including Microsoft, Qualcomm, Samsung, HTC and Verizon.
Transcript: English (auto-generated)
and point of sale systems. Thank you man. Sweet. Can you guys see the slides all good and everybody hear me good? Perfect. Perfect. So uh Westin Hecker, I'm gonna be hacking hotel keys and point of sale systems. I had backup videos just in case if anything went south so. So yeah funny story uh starting out a little bit uh after I go through a
little bit about myself I do a lot of talks uh I did Hope this year, I did uh Black Hat. Uh this is my third year at Def Con. It's a privilege to speak here so yeah basically do pen testing for a living uh do a lot of research on the side. I'm uh ATM enthusiast and like some of the other stuff I just like playing around with like
technology so. And I got a couple side projects um I was working on some car hacking uh point of sale system hacking, hotel key hacking and uh just exploits in uh property management software so. But uh funny story uh so when you do a uh hotel hacking talk at a hotel it usually involves the staff uh pulling you, your PR person and
your boss aside. And taking you into the bowels of the hotel. And I've seen casino one too many times cause I was a little nervous on uh you know so. But it was something where it all ended really good they just wanted to know if they were uh vulnerable to this attack and it is not. Uh they tokenized their stuff, they did it set up properly, they followed the best practices. So you guys' hotel room keys are safe uh at all
the Caesar's properties so. Just wanted to throw that in there so. So uh I'm gonna explain uh the actual mags uh mags poofer which is Sammy Kamkar's device. Uh this one's a modified version of the mags poofer. Uh this one is not the one that is set up for brute forcing. Uh but I do have the demo of the actual brute forcing going on. And then we're gonna actually uh infect this point of sale system with malware. Using
uh human interface device injection so. And uh yeah I'm gonna explain a little bit about the point of sale systems and the actual uh process of how the keys are actually made on some of them that rely on night audit and batch services. Uh they have to do some very insecure things to make sure that their database is post and they get charged. So uh I'm gonna do a privileged uh show you how the privileged attacks work.
Uh fireman keys uh service keys things like that so. And it's uh yeah. Some of it's uh I thought it was a pretty duty heavy encryption of some kind and uh some most of it's just uh encoded. So they uh definitely skipped some steps. And the point of sale talk it's gonna uh go from how I led from doing hotel research into actually attacking
point of sale systems. Cause like the I don't know anybody else when they saw Sammy's video like they thought of every single thing that has a uh mag strip reader on it as now an attack surface. And I just wanna give him a shout out cause that was uh an amazing research. And he uh saved me many many hours of reading manuals. So. And yeah. I'm gonna basically go through how it uses the mag strip readers uh whether
where the fail was in that. And uh I'm gonna actually go with triggering events on the readers and see what it's listening for. Cause some of the newer uh point of sale systems like they will only power up the reader when X happens. And uh I actually have a tap that you can attach to uh uh bypass some of that stuff. So and I'm gonna go through some
of the management uh cards. Root forcing management cards you can actually you know do refunds and stuff like that so. You can actually refund two other credit cards uh using one of the other attacks so or yeah I was it was one of that I was conceptually doing and it was uh it would have been a pretty decent attack cause I never knew that you could actually refund to a credit card that it wasn't originally charged on. And that's something I came across while doing some of the other research I was doing this
year so. And yeah so I'm gonna do a cache tend, check tend attack. So that basically uh when you inject the F8 key it literally just pops the register open and I'm gonna go over that in a little bit here so. Cause everybody pays a check still right? So yeah. And uh attacking OS injection I'm gonna do a pop a command shell and then I'm also gonna
demo a drive by attack as long as the 4G holds up so. I might have to get Steve Jobs on you guys, have you turn your phones off but. No he should be good so I did a 4G working earlier so. And uh some of the uh actual restaurant attacks and other mag research like some of the rewards programs uh I I wrote a one version of it where it cycles through 10
cards so same as some of those places where you can collect points. They're onto employees you know just giving the points to themselves so it actually cycles through like 10 accounts and I'll go through that in a little bit here so. I'm gonna go through uh who in the room knows what a magspoofer is? Who's built one? They're fun. They're they're very fun things to build and uh yeah. So basically uh as you can see there that's what
actually happens if you put iron oxide on a credit card it's gonna actually mag it has a little magnetic uh field to it so that's when the actual card is swiped through it's actually generating a magnetic field and speaking binary data so one zeros things like that. So basically what Sam McCammar did was he actually you know built a version I
think the uh patenting all goes back to like 2008 with the loop pay which is a system that was bought by Samsung and so basically you just need all you need to know is that there's a EM field being generated that is the same uh pretty much the same uh some of the timing is different uh but as far as that goes when you swipe the card it's basically doing the exact same thing. So it's able to speak to magnetic head readers uh using a
small little uh magspoofer so. And uh how's the yeah it's good mag strip transmission so it's like I said it's uh something that's been around since 2008 so back in 2002 and 1997 you know people didn't think that this kind of thing was possible so that's uh why a lot of these vulnerabilities um there's no reason that this keyboard
should have a 102 key functionality that you can actually inject through the actual magnetic head reader so and yeah it's not it's not RFID um a lot of people ask me that like you know the hotel attacks like is it on the RFID um actual keys and no it's not it's actually uh basically turning a magnetic card into a wireless card so and yeah how do
you handle the overheating? So basically uh the first thing I did after a burp uh got my first magspoofer built it ordered all the parts from China waited like a week and a half and the first thing I did was burned it out cause I tried uh injecting multiple cards I pushed like five or six cards onto I did my first modification just to
increase how many cards I could store on it and then I started actually you know seeing how many I could do and after about 18 cards uh it burned out so so I waited about another week for all the parts to come from China and yeah I basically made uh six six magspoofers in one uh with a little bit of a controlled Arduino and then it has a 3800 milliamp battery instead of 100 milliamp so I think it's heavy duty I call it Big Bertha cause it
is just it's like huge coil on an Arduino so and I'm gonna go into a little bit of what property management software is uh it's uh uh when I refer to it from PMS from now on it is not what everyone would think it was so it is property management software and that is something where uh it is actually where your folio data is everybody's you know seen the
checkout where it says folio that's basically where the hotel keeps all your records uh it's how it actually you know what's to charge when they actually do the night audit process so when they do run the night audit it's gonna charge under your uh bank account nowadays like uh when they're properly proceduralized it's something where uh there's lots of security mechanisms that people can actually put into place so I'm gonna go
into a little bit of explanation of what the actual uh proprietary card readers and the security behind the hotel uh so basically uh there's your folio number uh actually the one that I found the weakness in was um after I uh unencoded the actual cards I read it in a raw using an MSR 605 which is a mag strip reader basically read the raw data
unencoded it and it was literally the same as my folio number and my room number and the checkout date so if you make an assumption that somebody's gonna check out in the next week uh your space just went down a little bit and if your hotel uses a very uh not very old process actually um they actually weaned away from it in 2007 2006 so if they do
incremental folios and you're in a 50 person hotel it's a not very big space you have 918 options in a 50 key or a 50 person hotel so it's something where yeah that's not many options to try especially with a modified mags you can actually inject uh 45 cards uh per minute so that goes through that space pretty quick so and yeah uh collecting the
information as you can see the also instead of injecting full credit card numbers you're actually injecting uh just some of the track most of them is the track 3 data a lot of the track 2 data so credit cards are broken down into track 1 2 and 3 uh track 3 is the one that hotel chains use mostly so and if you've ever noticed you can put your card in
upside down that's because that half of the actual magnetic stripping is only used so they only use a portion of track 3 and as you can see I put uh iron oxide on this one also and it just shows that it is actually not yeah it's not using the full card because I covered the whole thing then wiped it down and yeah so and that and that's one of the
things too I travel a lot when I go pen testing so I have like an entire suitcase not an entire suitcase full of it but it's uh got about 3 layers of uh actual hotel room keys and I was always wondering what was on them so I just got bored one day and started pulling information off of them and yeah and there were several several of them um that actually were you know uh pretty easy to actually break the encoding on them because they
were using uh non uh it was like I think base 64 but a little bit less because it was very very simple uh I wrote a actual script and then uh most of that script actually worked for like 3 or 4 different kinds of keys so I'm guessing that they're using the same PMS software so and yeah so how do you uh how would the bad guys go about uh
interacting with uh say for example if you were going to brute force that 918 space say uh Westin wanted to get into Hecker's room it's you know now I know the folio number I assume he's checking out in the next week I can actually go to an elevator or the pool area and it will actually tell me once I get that uh when I get valid card
numbers so you don't have to actually be sitting in front of the person's door which is kinda you know that would rise a lot of suspicion you know especially if you had to sit in front of his door for 18 minutes or something like that so the actual yeah that gets kind of creepy the guy in the hallway for 18 minutes so that's something where yeah I was like one of the concepts I was and with I was with permission on this property it was uh actually testing it out by the pool area and the actual uh hotel cause it uh I also
found out how the floor restrictions in elevators work this way so so it's kinda cool like if uh somebody wants to go up to the 26th floor you can literally just change the room number it doesn't actually validate the folio on that so and yeah and as far as getting maid service keys um on that property that I was on I literally attached my
device to the back of the door and I did that from the privacy of my own room and when people walked by it was uh you know just randomly beeping here and there but uh it was something where it took about 33 minutes to actually get a you know the domain admin of the hotel pretty much it was one of the maiden keys and you can literally want like it is crazy the amount of uh access especially with some of the
service keys and uh I feel dumb for route forcing it cause it was uh pretty much all zeros for the maids keys and I'm sure you know some of the guys out there like that have been right away it's like let's start at zero instead of you know the folio numbers so it's something that once I understood that I tried all nines and that was the service keys and yeah so and then uh some of the actual issuing um they issue a monthly so
the folio uh once I found out that that was the way that they were issued it was something where I was actually you know pretty much able to do that so and yeah and uh a lot of the elevator and fireman keys like there's some states that are looking at actually uh luckily they're hid behind metal so there's no way people could interact with them
you know so that's what I'm saying like uh that heavy duty mags poofer it can go a pretty good distance so that's even if they're blocked off uh for law enforcement or uh fireman usage uh it can actually reach some of those so yeah so the I'm gonna go through some of the raw dumps uh some of the track uh the other facilities they actually
use like say for example if you go to uh theme theme park they'll have on track one and track two they'll have other information um uh track two on some of the properties uh keys that I was looking at they actually uh basically had my name and I was like oh how am I gonna brute force you know names and stuff and luckily it wasn't validating it so and that's one of the things too is like I always wondered about that like how
often you know cause that's one of the things like uh people always heard news stories about personal information there's no personal information on any of the keys that I came across um the ones that I could decode at least uh with the exception of like a name um and yeah that's to me that's not that well identifiable I guess so and uh there are limitations to characters that can be entered um due to the limitations of
encoding of the keys only uh once you introduce the mags poofer you can actually start injecting some illegal characters which I actually found out when uh I was running pretty hot like uh cause I was actually uh measuring like uh how hot it could get before it actually started uh garbling the messages and stuff like that and actually uh some of the bit
error percentages like they would go through the roof if it started overheating and uh you know to actually figure out what was safe to run the device at and uh yeah there were some characters uh I'm guessing some bits flipped and that's what led me to believe that you know some of the research which I actually will be demoing at the end here too. Um and with some readers they also yeah they automatically inject a return character after
the card is swiped so after a certain amount of digits are entered um there is a way to actually uh stop that automatic return character so and I will go uh that's with the modified version of the mags poofer only cause uh after it does like forty six digits it'll do a automatic return character so and yeah other than that um you just need to
know literally the your own folio number if you wanna uh when I was actually going to like actually uh breaking the encoding it was something where I actually you know just had to get my own key issued and stuff like that twice and um yeah then that gives you a sample to go off of and you get pretty much uh other keys that are collected you know there's lots of them where they have the return things I didn't get those ones but
I pretty much just got my own uh keys so so breaking the complex encryption yeah that was pretty simple. You know I had to rent an Amazon server for no no I literally just booted up my computer uh wrote a script uh yeah this one was actually this version of it was actually just base 64 encoded so that was kind of uh kind of irritating I thought it was
gonna be a lot more harder on this one but and some of the uh kiosks I started playing around with some of that stuff and anytime you guys go to security conference that's always the you know first thing they shut off for a good reason for this kind of stuff so cause uh this is a really good way to like issue your cards and uh if
you're the bad guy obviously uh it's something where they will you know you're able to get like 7 cards without being suspicious so cause yeah unless yeah so. So what led to the research after the hotel keys um that pretty much was my next step I was thinking everything with a um pretty much a mag reader on it is now a target so and I actually
noticed that once I started buying some of these devices that they were generic hid uh hid and I'd done a lot of hid attacks uh human interface device attacks which are basically keyboards um with uh tinsies and payloads in the past so it's something where now that I was uh looking at the attack surface of point of sale systems it was yeah
naturally the next step so so how does it use a mag strip reader? This one up here is a 102 key keyboard uh generic uh human interface device and so basically anything you can type you can now inject through the uh magnetic uh head or card reader so and uh that's one of the things too it's like oh why not just hit the keys uh yeah there's some of these
things uh uh literally like you know it's this long of uh text string like say for example I'm gonna be demoing a drive by attack because uh yeah point of sale systems are a little out of date sometimes so and I'm gonna actually go through um yeah some of these methods here in a second and triggering events like that's one of the things too like some of the newer ones they have actual uh uh you can test if they're being
USB fed so that's something once they're powered on you can still do some of it but they have to wait for a trigger event or for the remote cable to be toggled so uh yeah so basically you can figure out when they're listening and it's not something where you have to you know tap into it you can literally just look and see if the green light's on so that's like one of the indicators of it and uh I would definitely if you guys
want to start playing with some of this stuff get the MSR uh the little mag strip 103's I think are like 15 bucks so they're really really fun and you can basically dump anything you want to into a notepad and uh yeah so management keys that was one of the biggest things too where I was looking for a really hard challenge and the actual first point of sale system I bought which uh was pulled out of a taco restaurant and it
when it was disbanded and it was auctioned and uh yeah it came with a management key and that management key worked on the other two point of sale systems that I bought from separate lots so I was like ah there's nothing you know nothing deep you know crazy no techno no chain smoking it literally was just uh pretty much the same admin account used
across several point of sale systems so now uh I'm guessing uh cause I now you can't turn this off when you go out in the wild it's something where uh I started noticing every single point of sale system and I'm like I wonder if you know that key would work on that key would work on that and I actually uh one of my buddies owns a restaurant that happened to have one of those and you know you can literally inject the uh actual
management key into it so that's something that is pretty crazy and like you can mess with inventory you can throw off inventory you could yeah some of them need uh management overrides you know for some of the uh electronic checkouts and stuff like that so that's some scary stuff and yeah here's pretty much uh which you guys
probably can't read but uh yeah you get everybody knows how uh for the most part how keyboards work and I think we deal with them on a daily basis so we pretty much know all the character sets so quite literally anything that you can type on that keyboard that I showed earlier you can pretty much inject uh like I said sometimes you have to uh strip some of the uh uh auto return characters the enter characters so and yeah one of the
first attacks I did uh was I saw the cash tend button or check tend button and that was uh injecting I was like okay I wonder how hard this could be so you know I started uh playing around with it and I was getting into the F F key functionalities and I was going through and testing it and this basically is like a way to like uh like for a bad guy to
actually just walk in and literally rob a store they could literally just put this device on there and that's what kind of made it scary like it's you know now people can rob stores that way so with the F A key it's uh pretty bad uh and uh yeah behind every strong man is a strong woman as you can see I'm wearing my I'm wearing my wife t-shirt so and behind every uh point of sale system there's an outdated operating
system so not every point of sale system I can't speak for them all but uh every single one that I bought or I could afford and that's kind of the way it goes um so basically what you're going to do is you want to exit out of the point of sale system and uh yeah the
next step will be popping a command shell and uh injecting the payload and what kind of payloads would one want to run on the point of sale system uh I did a talk last year so I had uh a couple mal uh memory skipping malware laying around and I was like hey I will see if I can uh load these on a page so it's going to do one distribution and I uh tested it
this morning so it's actually going to do a drive by attack on uh actual web server that I have uh loaded so and this is uh it's a neutered version of it it uh just talks to itself so it's not going to actually be doing anything legal and it's just going to literally visit the web page and uh has a vulnerable version of uh some software running on it and then also you can literally uh do the command shell because most of them run uh
deprecated operating systems some of them sell functionalities that where you could literally just put URLs and uh download from pretty much any source you wanted so yeah like I was saying this is the payload that the bad guys would use um like the actual memory skipping malware so uh in the past you know people had to do these ridiculous supply
chain attacks, or they had to breach a vendor account, and now it'd be as easy as walking up to one of those point of sale systems and actually infecting it. And yeah, some of them are dev environments, so they're custom, they have their proprietary key functions, they don't have a classic layout, but they still have magnetic card readers in them. And I actually was expecting to have to map these keys out and do all this crazy stuff, but if they have the generic driver loaded they will accept the same key commands even if they don't have the keys on the keyboard, so that was like another huge fail. But yeah, as far as limitations of mag injection, making a physical card attack limitation: could you make the waiter do the dirty work? Could you give him your credit card to pay and actually have him walk up and do some of that? That's something that was kind of my next step after all this was finished up. And yeah, like I was saying, there's some illegal characters that you can't actually encode onto it, so it wouldn't work as well, but I think that it's something that some people have explored in the past, and it's definitely something I will be looking at once I have some free time, now that all the talk and conference seasons are done with; I'll do some more checking into stuff soon. But yeah, that was kind of the one thing too, it's like, you know, how much of a
payload could you actually put on a credit card, on track three? And yeah, these devices are everywhere. This was literally me flying to Huntsville when I was talking at TakeDownCon, and these magstripe readers are everywhere, quite literally everywhere. And one of the other things that I started looking at was, okay, aside from being able to just pop the register and install malware, that's not bad enough I guess, actually attacking player rewards systems. Say for example, whoever's played slot machines, and you were just kind of bored and just wanted to go back to your hotel room, so you're going to go play the twenty dollar slots or the fifty dollar slot and just get it done with. That's one of the things, like every time I went to those higher end slot machines people would always leave a card in there, and I thought it was by accident at first, like, hey, this person probably left their card there, and I tried to turn it in and they're like, no, people do that because they try to squat points, because some guy who is just literally waiting for a plane or something is gonna play twenty five hundred dollars in the slots and they get to collect the player's rewards points. So they kind of squat some of those accounts, and that was
like one of the attack methods that I was thinking of: now that you can inject magnetic data, you can squat on one of these devices. And another one is, like I was saying, I think when I was in high school I worked at an actual company that had like a players reward program, and they told me, yeah, you can't use your own card, people have been fired in the past for that. So it's something where they're onto it, and they'll actually have flags go off if the same card is used more than once in X amount of time. But some of the actual grocery store chains, or there's certain electronics companies where every five hundred dollars you spend you get five bucks or a hundred bucks, so this is one of those other methods, like some of the rewards programs that actually could be susceptible to this kind of attack. And like I was saying, one of the refunds, like we can actually refund onto our prepaid card; that should not be possible to happen, especially if it wasn't our original transaction. And some of the times it has to post overnight, but that was like one of my additional attack vectors. I
didn't have time to wean out all the kinks on it, but it's something that seemed feasible. And yeah, injecting into actual, like what I was saying, when you can actually tap into the remote signal, as long as you hit the right wire you basically could overfill like prepaid cards, stuff like that. So if a bad guy wanted to get an unlimited phone calling card, he could be injecting his own card and having time added to it. And not only that, but some of the gift store cards, stuff like that. And some of them do lock once they have the original amount loaded on them, so they're not reusable, but the reusable prepaid cards, the ones that say reusable prepaid cards on them, those are the ones that obviously they would go after. And yeah, like I was saying, these are actually triggered event attacks, so you have to sniff out the actual powered up readers. Like a lot of the modern ones, they send a remote signal that, hey, there's a transaction going on, or hey, we're gonna do some kind of interaction, and I don't know if that's
because of this kind of attack or if it's just because they kind of looked into the future of what people might actually be doing at these, and it's not a good idea to have something not only powered on; some of these things are low energy. So yeah, it's something where you can actually, for some of the rewards programs, you also have to hit the enter key to accept that it's your account. So yeah, that's one of the things too, I was wondering if it'd be possible to actually inject that, and on the actual point of sale system that I tried it on, it worked perfectly, because that's one of the biggest things: there were customers always stealing people's points, say somebody didn't have a rewards card, they were actually letting them inject it. So yeah, and whoever's used a clock-in system, yeah, you can never be late to work again now. So yeah, as far as the hardware goes, I bought like a hotel key for the back door, I bought a couple keyboards, I bought a couple point of sale systems, and I bought a clock-in system. And a lot of people are going to the fingerprints or some of the actual newer
method ones, but yeah, this is one of my last attack surfaces that I actually looked at. And yeah, I'm gonna go over the video of the brute forcing. There's a couple times when Windows stuff popped up while I was actually doing the demo, like when I did the video, there were actual Windows 10 upgrades because it was like a fresh install. I lost my original driver disk for my MSR605 and I had downloaded it from an untrusted web page, so if you guys wonder what the dialog boxes popping up all the time are. And I'm also gonna go into installing actual credit card skimming malware off of a web server, as long as the internet is still working, and if not, you'll still be able to see that there are injections. So I'm gonna go set up the demo, and while I'm setting up the demo, if people wanna step up, start setting up at the mics too; you can ask questions while I'm doing the demos. So yeah, thanks for coming and stay legal, and I'm gonna go into the demonstration portion right now.

Audience: Have you messed with any of this on
airplane mag readers on the back of seats?

Weston: Did you mention if I messed with them on airplanes?

Audience: On the back of seats, you know how they have the mag readers?

Weston: Yeah, I've learned from other people that have messed around on planes that it's not usually one of the things you guys wanna do. Like, I saw that mag separator and I even felt bad taking a picture of an MSR that was on the keyboard thing. So yeah, I haven't tampered with planes in here, and I hope everybody knows that, because yeah, I've seen those and I thought the exact same thing, because once you start doing this kind of stuff you can't like turn that stuff off.

Audience: How about the new ones, like Square and the PayPal and all those?

Weston: Oh yeah, yeah. I had some of the original ones, and right now it's actually, and I'll come back to your question, some of the Square readers and some of the remote ones, yeah. A lot of the, and that's not a vulnerability in them, it's anything that uses a magstripe, but yeah, quite literally everything that is affordable that is a magstripe, that I've bought, I've injected stuff into. So
yeah, that's pretty crazy. And that's what I'm saying, like if you're making your own payment you could be presenting a different card. I see what you're thinking, that's some clever thinking. But basically right now it's actually injecting the folio numbers, and I'll roll the video back here a little bit. And there's the first Windows 10 upgrade, sorry about that. And if you guys want this video, it's online on YouTube already. So basically I'm gonna read the raw data, because like I said it has custom encoding, so you have to have a specific reader to actually do the read, and you're gonna be reading the, you have to switch it to HiCo and then read raw. So yeah, there's the first transaction, and then it's actually, if you can't see on the actual video it'll show, because my phone wouldn't focus, but some of the numbers are changing because it's rolling through the actual folio revisions. They have the same checkout date, so it's like the end of the conference is happening or something, so everybody I knew was checking out on that date, and it literally took about six minutes. But if you guys wanna see how the actual device is, over my MSR605 it was actually injecting folio data, and then I think the end of this I'm gonna let roll again here for you guys. And then after this I actually used a Chinese-made MP3 player to inject a credit card number, which is kinda cool, and it burns the MP3 player out, so don't try it at home. But yeah, what's your question?

Audience: Did you ever try using the MagSpoof as a jammer, to perhaps jam
a transaction that's in place and then play after it's done, anything like that?

Weston: Yeah, that was actually, oh sorry, when people ask me how do you protect against this kind of stuff, that's kind of the exact same thing: you can put one of the MagSpoofs injecting random data on the back of your door and it'll actually deauthenticate anybody from actually using it. So it would be a really good defense mechanism, and you could have like a two form authentication and have it, when your bluetooth phone comes in, it'll actually shut off the jammer, so you can add two form authentication. And it might actually drain the batteries, so you'll get locked out of your room if they don't have it hardwired though, so you might actually DDoS yourself out of your own room. But yeah, what's your question?

Audience: So how might someone defend from one of these attacks?

Weston: Like I was saying, updating to the latest versions of the magstripe readers in the actual point of sale systems, that would be my recommendation, where they send remote coding, because a shut-off magstripe reader is the one that is not responsive to this kind of attack. So that would be my biggest recommendation: update to something that's USB 3.0 and push the latest
versions of the actual point of sale systems. So yeah, and yes, what's your question?

Audience: So I've seen something that says you can go around the chip and PIN cards by reactivating the magstripe. How does that work?

Weston: Yeah, Samy Kamkar did a really good job of explaining how MagSpoof can actually modify some of the flag details on the actual magnetic card readers. He didn't release it in his code because he's the same way I am, I don't want people to use these for illegal purposes, but you can basically send the command that, hey, the PIN's damaged on this, let me just use my mag card. Some of the MagSpoofs are modified; like this one has two payloads on it, and like I said I had the six MagSpoofs, and one was my actual big Bertha, which is like a huge magnetic coil, and I let press take a bunch of pictures of it, but that's like my brute forcing one, and that thing took me like six hours to build, so I didn't want it to break. But yeah, this one's basically a modified version of the MagSpoof here, and I'm gonna actually, how much time do we got for demo? We're doing really good? Okay, if you want to ask some more questions too.

Audience: Did you write any fuzzers for any of the embedded systems hooked up to these mag swipe readers, and did you find any memory corruption issues?

Weston: Ha ha, yeah, that was actually my next, I was kind of thinking something along the same lines, but I literally ran out of time because I got kind of obsessed with my ATM attacks that I was doing and some of the actual relaying portions and stuff. So I'm gonna
actually get the actual magstripe demo kicked off. If anybody has any questions at all, feel free to come up to the podium. So can everybody see the point of sale system? Two on the screens? Awesome, here we go. I'm gonna check to see if I have internet connectivity here. Here you go, one second, and it is not visiting the right page, so I'm gonna try the second payload, I'm gonna try to pop the command shell right now, so if anybody has any questions I can answer these while I'm doing this.

Audience: Hey Weston?
Weston: Yeah?

Audience: Obviously Samy's done a lot of research in this area also. Have you done anything with BLE, using like the Coin to rewrite, or done any research on how Coin rewrites the data or any of the plastic?

Weston: No, I haven't actually.

Audience: Using that as an attack method?

Weston: Oh no, no, I was looking into some of the other research that Samy had done, and then like I said I did shift about halfway through this, because this was done very, very early in the year.

Audience: Right.

Weston: And yeah, that was something that I thought, some of the stuff that Samy was doing was amazing and I was wanting to read some more of his research.

Audience: Okay.

Weston: But yeah, I didn't look into some of that, but I did get some of the NFC working, but I burned my original HTC phone's near field communication out trying to do stuff with it.

Audience: Put the radios out?

Weston: Yeah.

Audience: What's up? You burned the radios out on it?

Weston: Yeah, burned the radios out on it, so that was like the end of it, because I just broke a $600 phone, so that ended my curiosity pretty quick.

Audience: Cool, thanks.

Weston: Just one more
second, I'm gonna try to unplug it and hit it.

Audience: I know it's a very different approach, but do you have any interest in looking into NFC and other technologies that hotels are now using, because a lot of hotels are phasing out the magstripes?

Weston: Yeah, most of the ones that use RFID are actually tokenized, so they reflect the folio number instead of having actual data in there, so you could use some of the classic attack methods, but it wouldn't actually work as well, and that's what I'm saying, if you're brute forcing those, that's something where your key space would be a lot bigger, and it's a truly random 16 digit number, so same page. Well, I apologize, the demo blew up on me, but I will put a YouTube video up of it actually working, and if you guys wanna come, I'm gonna try to demo it here until I actually get kicked off stage, but I'll still answer any questions, so if you guys have any questions feel free to ask too.

Audience: Yeah, I was
just curious, have you done any playing around with the new tabletop devices that are in restaurants and stuff?

Weston: Oh yeah.

Audience: Have you done any of those?

Weston: Yeah, now every time I sit at one of my favorite restaurants down the street, that's like my first thing that I would love to, but I don't have access to them; I think it would be kind of breaking the law, but I would love to actually order some of those, because I've seen a lot of fun things people do with some of the pager systems and stuff.

Audience: So a bit of a comment on running on old operating systems. I ran around with a wardriver downtown and I found a lot of WEP Wi-Fi, and went into the restaurants that are using that and asked permission, of course, because we all ask permission, and got the handshake from WEP real quick, you know, with Wi-Fi, and did some sniffing, found out they were all running old XP, 0867 gets to it, old POS on there, dumped memory, and I found even on their admin account backdoor backdoor, so I wasn't the first one there. But I found that they provided WPA2 to the customers, but because the old point of sale couldn't authenticate and the old XP couldn't authenticate to WPA2, they even run on WEP, and so you don't even have to get very close at all. I want to know if that's been your experience or not as well.

Weston: Yeah.

Audience: As far as actual inputs on this kind of stuff?

Weston: Yeah, yeah, and I mean, like, don't you have to get that close to it, that if they're already networked with WEP then it goes in there? But yeah, all that default cred in old OS, I've seen the same thing.

Audience: Yes.

Weston: Yeah, there's tons of other ways that I can see people actually attacking these, and this is like my main attack
surface on this.

Audience: So shifting gears a little from magstripes to chip readers, have you ever gone into something like that? As chip readers start to get more and more popular, and maybe hotels start to use that instead of magstripes, do you think these attack vectors that you have kind of really researched might be able to shift and transition in the same way, you could apply it to chip readers?

Weston: Yeah, some of the chip readers, they'll still be using some of the magnetic track data for the most part on some of the stuff, but some of the challenging and the encryption they can do, I would see it being able to block a lot of it.

Audience: Okay. What about looking into the serial programming on the actual door itself?

Weston: Oh, there. I haven't dug too deep into some of that stuff. Like, after I got some of this attack surface and then I broke my phone, like I said, it kind of disheartened me a little bit. But yeah, I was still curious about a lot of the attack surface that was out there, but I just didn't have some of the stuff to get into it. Especially, time was my biggest constraint on that.

Audience: Because if you have a key to your door and you're able to reprogram the lock to your door, or you could spoof your key.

Weston: Yeah.

Audience: Then you.

Weston: Yeah, that's the biggest thing too. Are you asking about if you can, I'm sorry, I might re-ask the question.

Audience: So a lot of the doors have like a barrel serial connector on the bottom, a 2.1 jack.

Weston: Oh yeah, yeah.

Audience: And then if you can reprogram that door over serial, and if this is the kind of security that the keys are using, are the locks really using that kind of security?

Weston: And that sounds like, even though the
most recent hotel tech, like where they had the little thing, not the bingo dauber but the actual marker at the bottom, those are newer systems, those have two-way interfacing so they can blow the keys away. So a lot of these low energy old ones, or older ones, like as old as 2008, 2006, those ones have two-way functionality, but it's in fifteen minute increments. So some of the full-blown ones, they've got a little bit different method of actually protecting themselves.

Audience: Yeah. Thank you.

Audience: Did you have to use any kind of a proprietary reader for your magstripes? I noticed a lot of, like, credit cards, driver's licenses all use normal standard one, two, three tracks, but a lot of hotels aren't readable by those standard readers. Did you have to use anything special for that?

Weston: I did have to modify the MSR a little bit to be able to read some of the raw data at the same time as the other information, because they use like a portion of the card. And actually, to raw read it, to read their proprietary format you do need an actual driver from the property management software, but if you can rip the raw encoding, a majority of them you can actually reverse from the raw encoding; it just takes a lot of extra time. If you do the raw read through the property management software, if you were to get the property management software, you would be reading entirely different character sets.

Audience: Alright, so that's how you did it for most of what you're showing here? It wasn't to dump it to actual keys but to dump it to raw and then...

Weston: Dumping to raw, then I had to re-encode it as raw. Like if you went up to your room and did MSR and just read it in raw and then copied that to another card, that raw would work across the board.

Audience: Alright, thanks.

Weston: Yeah, thank you.

Audience: Just curious if you looked into trying to do SQL injection into like POS systems or
other systems using this method.

Weston: Yeah, I was actually, the demo that I had was literally going to do a Java or a Flash drive-by attack. And as far as SQL injections, that's something that would definitely be possible, especially for some, quite literally, if it would be able to get to something that's back end or internal, that would be a huge attack surface. So yeah.

Audience: Thanks. Some of the card readers that are slide-ins either have a mechanical or an optical sensor. How does that, is that just an ASCII character?

Weston: Like the slot machine ones, yeah, they actually turn green once something's inserted into them, and you can use a very low profile piece of 70 pound paper and it'll actually trigger that event. So yep. How we doing on time guys? Is my goo and over 2 minutes? Okay, awesome. Yeah, any last questions? I really do apologize for this; I'm gonna try to get a demo going in the hallway. I guess I need to check on some of the connectivity issues; it should have still popped the command shell and injected it though, so I'm having some kind of interface issues. So if anybody wants to see this, if not I will actually put a camera demo online, and I'll make sure that my camera focuses this time. But if you guys want to look into the actual injection with the Chinese MP3 player, if you want to burn out a $6 MP3 player injecting credit cards, you can feel free to. Then also a lot of the actual payload injections I'll be putting demos up online, quite literally as soon as I get back to North Dakota, which I have to drive. But yeah, if there's no other questions, I just want to thank you guys for staying. Thank you.