Good afternoon, I'm Steve Jobs, and this is the new iPod. It's wafer-thin. OK, that was a lame joke. Anyway, hi, I'm Strom Carlson, and this talk is called Hacking FedEx Kinko's, How Not to Implement Stored Value Smart Cards. So just by a show of hands, how many of you have seen some version of this talk before? OK, how many of you have seen the video that went around on the internet? How many of you work for FedEx and/or Kinko's? OK, how many of you who I know, who I don't know? All right, too chicken to say hello. Anyway, so first off, let's get into some theory. What is a smart card? Great, I just turned off a, what is a smart card? Well, basically, a smart card is a small plastic card. Typically, it's credit card size, and it has a little microchip on it. There are several different types of smart cards. They can use a contact pad, a built-in antenna to communicate with a computer, or both. There's something called a Combi card, where instead of this contact pad, you have the contact pad, and you have the little antenna. So you see those in applications where, for example, I've seen them in transit applications, where you refill the card by putting it into a kiosk. And then when you get on the train, you just have the card in your wallet or whatever. You swipe it across a reader, and the contactless just says, OK, hey, you're you, and debits your card. So they're called smart cards because they're more intelligent, more versatile than the magstripe cards. How many of you stayed for Major's magstripe talk? Cool, so similar interest. So they're a bit smarter than magstripe cards, and they're actually almost smarter than a lot of script kiddies. There are two varieties of smart cards. Not all smart cards are created equal. The first one is a microprocessor card. And these typically include a small microprocessor, some random access memory, some ROM. They're often optimized for cryptographic functions. And one example is the SIM card in a GSM phone.
And the way these work is to authenticate your phone, what happens is the network, your phone powers up and it says, hi, I'm a phone. And the network says, OK, if you're claiming to be this phone, here's a challenge. And the SIM card computes the response and sends it back to the network. And the network says, OK, it seems that you've gotten the challenge right, so I'm going to assume it's you. Then there are memory cards, which are simple EEPROMs. They sometimes have a microcontroller for some logic on them. But typically, they're just basic simple memory cards. And they can sometimes perform some basic security functions like locking you out from writing the card unless you present a simple code to the chip itself. So meet this chip, which is going to be the subject of our talk, called the SLE 4442. And actually, this chip, from what I understand, has been discontinued and replaced with the SLE 4542, which is essentially the same chip only in a different casing. It operates exactly the same, so for all intents and purposes, it doesn't make a difference. There are only 256 bytes of storage space on this chip. And the first 32 bytes can be irrevocably write protected. So the first 32 bytes simply contain a header for the manufacturer of the card, the specific application of the card, and so on and so forth. And the other 224 bytes are changeable at any time. And I think they can be write protected, but I'm not sure. But for the most part, the other 224 bytes are for applications. The whole thing is readable at any time. There's no security against reading the card. And you can only write to the card after presenting a specific three-byte code to the microcontroller on the card. If you present the wrong code three times to this microcontroller, the card becomes unwritable and it's pretty much dead. But I mean, the card's cheap, so it doesn't really make that much of a difference if you screw one up.
And if you're willing to burn up a lot of cards and you want to brute force this code, and you've got 5.6 million cards lying around, you can do it. If you've got lots of time, stick them in the reader. This is a chip I took off of one of the cards. I took it apart and pulled the chip off from the back of the contact pad. And that's it. It's this little tiny, there's a dime for comparison, so a little teeny chip. Now, why use this chip? It's really cheap. In quantities of 200,000, I did a search in April or so, 36 cents each. And if you're buying them in the kind of quantities that, say, FedEx would be buying them, which is greater than 200,000, they're probably a quarter each, maybe, probably less. The security function does prevent the casual attacker from altering the data. And they tend to be more durable and secure than a magstripe card, so for example, you can kind of imagine this as a magstripe on a chip rather than a magstripe, so you will never have that problem with, oh, I accidentally put it next to a magnet and now my credit card doesn't work anymore. So, obviously, FedEx Kinko's uses this chip. How many of you have been into a FedEx Kinko's recently? Okay, how many of you are familiar with the way their system works? Okay, so basically, when you walk into a FedEx Kinko's, you're issued a little card like this. You walk up to a kiosk and you press a button on the screen and it spits this card out at you. And you stick the card back into the machine and it says, your balance is $0, please insert money. So you put cash in and once you've put in as much as you want, up to $100, you press another button, the card comes back out at you, and then you take this card and you walk around the store and stick it in the machines and you can use it to make Xeroxes or you can use the computers and debit the amount off the card. And so it's a basic stored value function. There's nothing fancy going on.
It's not storing any personalized data and you can add value to the card again. And if you decide that you've done enough and you want some of your money back, you can go up to the kiosk and give them the card back and say, hey, I've made my copies and I'm done and I'd like my remaining cash back, please. So pretty simple stuff. It wasn't developed by Kinko's, it was developed by this little company in Toronto called N-Track Technologies. Seems to be a little tiny company that has like this one product. That's it. And Kinko's started playing with this five years ago and I think it went system-wide in 2003 or 2004 or so. So after going to Kinko's a couple of times and making some Xeroxes, I had some questions. My first question was, is there any personally identifiable information stored on the card? Because, I mean, okay, it's cash, so there shouldn't be, but I thought maybe there was. Is there a transaction history stored on the card? When you go to Kinko's and you make your copies and you're done, you can stick the card back in the kiosk and you can say, I'd like a receipt. It'll print up a receipt of everything you've done at the store right at the kiosk. So you never have to interact with a human to get your receipt. So that leads me to the question, well, is this stuff stored on the card or is it stored on a backend system of some such? And how secure is the data stored on the card? The card offers no cryptographic function built into it and they could theoretically encrypt the data before storing it on the card and that would, it wouldn't prevent people from figuring out what's on the card, but it would certainly keep the random curious person who just buys a card reader and sticks the card in and looks at a dozen of them or so from figuring out what the patterns are. And is value even stored on the card?
I mean, it could be that because all these things are networked and you can get a receipt, if the receipt stuff is stored on the backend, then maybe the value is stored on the backend as well. And so it could just be like a serial number token. It could be the illusion of something cool and wonderful and fantastic, but it's just serial numbers on microchips. And what else is stored on the card? There are 206 bytes and a dollar value is not that big a deal. So maybe there's extra space, what are they doing with it? So there are some ISO standards when you're dealing with smart cards that you have to deal with. The first is the ISO 7816 group of standards. And the basic standard for the microprocessor cards is up to and including 7816-4. So 7816-1 is the physical characteristics, the shape, the thickness, the durability. 7816-2 is the dimensions and locations of the contact points on the card. 7816-3 is the electrical characteristics and class indication and basically just tells how the cards are supposed to act under certain voltage conditions. And these cards conform to those standards. They don't conform to ISO 7816-4. And this is actually a set of standards for interfacing with the card. So command response contents, data structures, applications, retrieval of data, access methods, security, and so on and so on and so on. So the protocol for these cards is proprietary. And most of the card readers that you get, pretty much any card reader you get, will read the 7816-4 cards, but a lot of them won't read anything else. So sometimes it's a bit of a pain to find one that works with these cards. Do any of you remember the American Express smart card readers that they sent out to anyone who asked a while back? How many of you got those? Okay, a few people. I had one as well, and I was trying to get it to read these cards, and those will not read these cards for love or money. So I had to go out and find one that does work with these cards.
Here, so I bought one of these. This is the ACR30U. I've got one of these here. It's a cheap little thing, 30 bucks. Smartcardsupply.com is where I got mine. And it works under Windows, and supposedly it works under Linux, but there's a Windows application that comes with the reader to read and write these cards, and I figured, well, why reinvent the wheel when I've just got this application I can work with? So, all right, I went to Kinko's, and I got a bunch of cards, and I noted their values and took them home with me, and started reading the cards. And so this is a dump of a standard Kinko's Express Pay cash card. Simple 256 bytes. The important bits on the regular cards I've highlighted in red, the rest are incidental data. They change a little bit, but for the most part they're unimportant. So, first off, there's this 32-byte header. It's the same across all cards. It's write protected. You can't change it. This pretty much just identifies it to the system as a Kinko's card. Because every, and I'm not sure on the specific data structure of this header, but part of this is like, this says, this is an SLE 4442 type chip. And then the rest of it says, this is the specific application of that chip. This is where the dollar value is stored. And this one I think is a $1 card. And so when I first looked at this, I couldn't figure out what the dollar value was. I'll get to that in a minute. The next one is the date and time the card was first issued. So, this bit, I'm not sure whether this byte is important, the two zero at the beginning of the date. Because on some cards I ran across, that byte was set to zero zero. And it didn't seem to make any difference at all. So, but this is the date and time the card was first issued. And you'll see it's also down here at the bottom. And this does not change through the life of the card. So, it doesn't seem to be used for anything on the regular cash cards.
There's a serial number stored on the card, which consists of the four-digit store number the card was issued at. And then the cards are just sequentially numbered after that. So, this is, I think 1163 is a store in West Los Angeles somewhere, and this is 32309. And there's another timestamp down at the bottom there. And it seems to be a duplicate of the other one. I'm not sure why there are two timestamps. They don't seem to be used. There's also this byte, which I discovered later is the type of card. There are three types of card. There are these regular cash cards. There are the blue ones, which are these convenience cards, where I haven't seen them used in the California stores, but someone in a different state, and I'll be kind of vague about this, who works for FedEx Kinko's, saw the video and said, hey, I'll send you some cards. So, they sent me some cards and I got the convenience cards and the employee cards. So, what the convenience cards are, they have either 10 or 25 copies on them. And these are, I'm not sure what they're used for, but I'm pretty sure they're the kind of thing where the customer has trouble or whatever, or, for whatever reason, the store wants to give them some copy value. They can just give them one of these cards and say, hey, here's 10 copies, or here's 25 copies. So, that's a different type of card. And then there are the employee cards, which, the way I'm told they work, is an employee gets this card and sets it up at the beginning of the day, and it works for 24 hours for unlimited use of the services. So, unlimited copies, unlimited use of the internet kiosks, and so on and so forth. Did you have a question? Okay. So, this is a convenience card and if you can see this, this byte changes to zero one. The convenience card. It's pretty bare, there's a serial number, there's no date stamp at all. Actually, there is the date stamp over here, but the date stamp on this part of the card goes away.
And there are only a few significant bytes. There's this byte, which is the number of copies available with the card in hex. So, this is 10. And then this one is the number of copies that you've made on the card. This is one copy used on the card. And this is the employee card. So, as you can see this byte over here changes from one to two. That right there. And the employee ID number is stored on these cards. In this case, this is, I think, RR555555. No, this is not any real employee, I made this person up. To protect the innocent, supposedly. And so, there's the employee ID number and there's the date stamp, which is important. Yeah, there's the date stamp and the card only works for 24 hours after the date stamp. But, as I'll get into later, it turns out that you can modify this really easily and there's no checking of any sort. So, getting back to the value, right? So, here's a $1 card. And all of this stuff is really easy because now, you know, 2005, September 21, you know, 16:05 and 45 seconds in the afternoon. And here's the serial number 1163, you know, 0332309. And these are really simple just to look at and go, oh, okay, that makes sense, because they print the serial number right there on the receipt, for example. But, the dollar value, I couldn't figure out. I mean, it's F03F, what is that? That's not one, that doesn't make any sense to me. So, it turns out that this is like the one part of the system that's over-engineered because, so like, here's some values. You know, here's $1, one cent, five cents, 20 bucks. So, I mean, looking at it basically, I couldn't figure it out. I went to friends, I'm like, does this look like anything to you? I spent months racking my brain over what could this possibly be? And then finally I said, oh yeah, Google. And I took, I think it was the $1 value, and I plugged it into Google. And it turns out that, oh, it's IEEE 754, double precision floating point format.
Yeah, why they're using double precision floating point values for dollar amounts is beyond me when it's just integers. But supposedly, you can store 99, what is this? 99,000 centillion, $100,000 centillion is what this is. And just to give you an idea of what this number is, you take a googol and you cube it and then you multiply it by like 100 million or some such and you get this number. And so there's, I don't think there's a googol of subatomic particles in our own universe, but you can store more than that in dollars on this card. Yeah. When you try to cash that out, I guess maybe they'll look at you kind of askance, like, I don't know, maybe you're the Nigerian government or something, trying to cash this out. You're the finance minister of Nigeria. So yeah, 308 decimal places. In practice, of course, this is totally useless, but yeah, this is the one part of the system that is completely over-engineered. Everything else is not. I'm sorry? Repeat the question? The question is, could this have been reused from something else the company created? It's possible. The company's been around a little longer than this system, but based on the fact that this is now their only product, I don't think so. Who knows, maybe. How many copies is this? Well, okay, it would probably overrun the entire city with paper, burying it in paper. All of the copies, yes. Asterisk copies. So the card itself, the data on the card is protected by a three-byte security code, 24 bits of code. And so there are 16.7 million possible combinations and my basic research led me to believe that all of the Kinko's cards probably have the same code because the blank cards from the kiosk don't have the manufacturer's default code, which is I think six Fs all in a row.
And the code could theoretically be derived from changeable data on the card, but if somehow that data got corrupted, then you wouldn't be able to derive the security code and the customer would be stuck with whatever money was left on the card. 20 bucks, angry customer, that's not worth it. And everything about this card is just really simple anyway, so why would they bother? So now comes the time to start formulating an attack. The security code can only be read once the correct code has been written to the card. So you can't just stick the card in the reader and say, tell me the security code, because it's gonna go, no. So this is the, this graphic is from the spec sheet for the chip. This isn't the exact graphic, I just redrew it in the slideshow program, but this is pretty much the block diagram of how you read and write to this chip. All writes have to go through the security logic. And there's an error counter to count how many times you got it wrong, and the security code is stored in there, but it won't read that back to you. You can't read this back out unless you've written the correct code to it. So how do we do this? Well, the first possible attack is a social engineering attack on the company that makes the system. The second one is to emulate the card somehow. The third, you intercept the code during transmission between the reader and the card, or you can read the memory directly. And these are all feasible somehow. The social engineering attack, in theory, you contact N-Track and pretend to be someone, you extract the code from some unsuspecting employee. So obviously the pros: it requires the least technical jiggery-pokery, just pick up your phone and be a good talker. The problem is that the code might theoretically be so secret that no one but the N-Track engineers know about it. I mean, they seem to put all their eggs in this one 24-bit code, so maybe, right, it could be in a safe somewhere. And the safe combination is that code, right?
It's tough to repeat this attack if the code has changed because then, you know, well, wait a second. Every time we change the code, the same person calls back and says, hey, I need to know the code. And there's no technical challenge. It's just, you know, talking on the phone. And we all do that, right? You could emulate the SLE 4442. When they sell development kits for smart cards, they sell a dongle that you connect to your computer and on the end of it is this thing with contact points on it that pretends to be a chip. So it's fairly foolproof and you can figure everything out and you can have your computer say, oh, that's what it thinks the code is. Okay, well, there we go. The emulator dongles are kind of bulky and the problem is that Kinko's uses this motorized card transport where the card goes like an inch or two into the reader. So unless you've got a really flat ribbon cable coming off the back of it, it's kind of tough to use with this motorized transport. And the second problem is that because these are typically for microprocessor cards, more complex chips, the emulation software for this really simple chip might not exist at all. The other option for the emulation attack is to find a microprocessor-based smart card that can behave just like the SLE 4442. And I mean, it would be easy to do because, I mean, you just go in with a card like this. I've got a laundry card that's also a smart card that's also just a plain white card. It's got text on the back that says, treat this card just like cash. Disclaimer, disclaimer, disclaimer. But other than that, it's plain white. So I mean, the average person might stick any random card in the reader, so why not you? So you just go in, you stick the card in and you walk back out and you go home and you say, oh, hey, here's the code.
But unfortunately, and it's really elegant because any system that uses this type of chip would be vulnerable, because by design, if you want to write to the card, you've got to present that code, and so any, like, this chip isn't just used by Kinko's, it's used in loyalty card programs, and I think for a time the German government's healthcare system used this card. I hope they've changed to something better, I don't know for sure. Anyone from Germany can confirm or deny that? Yeah? Okay, thanks. And the problem with this is every microprocessor card I've looked at follows the ISO 7816-4 standard and not the SLE 4442 communication protocol. So you'd have to either find one that can do it, or you'd have to be a really, really awesome FPGA coder or whatever type of chip you use, and I'm not that good a coder. So you could intercept the security code by using a logic analyzer and wiring some wires up to the card. The easy part about this is that the logic analyzers are small and transportable. The logic analyzer that I bought is about as big as this little remote that I'm using. It's a little bulkier, but for the most part, it can fit easily in a pocket or a laptop bag and you can hide the wiring really easily. So there's little chance of card rejection because you're using the actual card. You're not using some emulation chip or whatever. And the problem is, unless you have a lot of cards, it's easy to screw up if you're not good with a soldering iron, and I'm kind of klutzy with a soldering iron, so I managed to screw up a few cards. Or you could do the really, really expensive thing and burn the epoxy off the back of the chip and read the security memory directly, if you've got an electron microscope, et cetera, et cetera, et cetera. So let's get to the attack. So the logic analyzer attack is the one I picked. In a perfect world, I would use something similar to this, which, this is a picture I took today.
There's a vendor in the vendor area who makes prefab boards of any kind whatsoever. And one of the examples they have is the smart card board. So this would be really awesome because you can't see it too well in the picture, but there are these contact points here and there are these leads going back to contact points on the back of the card that you can connect the logic analyzer to. So you've got a tail off the end and a pin header and there you go. That's a really clean, really elegant way to do it. But this is not a perfect world, not a half that. So I resorted to soldering wires to the card and making this really ghetto, do-it-yourself ribbon cable thing coming off the back of the card. If you look at my awesome 31337 soldering skills, you can see that I got the solder all over the place and it's like de-soldered little bits. I blow at soldering. Just to give you a little more detail of how this works, this is a test card that I have with me here. And I used like really thin bits of transformer wire. And I think this was one of the tests I did. Like, because the solder increases the thickness of the card, I wasn't sure whether this would just jam in the reader. So there were a number of tests I did where I'd just tape a piece of wire to the card and go to Kinko's and stick it in the reader. Or I'd just put some solder on one of the contacts and go to Kinko's and put it in the reader and try to see whether it would work or not. And I figured, well, if these get stuck, I can just walk off and never go to that Kinko's again. But fortunately, because the card readers use a landing type contact, where basically the card goes into the reader and then once it's fully in the contact points are lowered onto the card, this worked just fine. So I got all the cards back and nothing got stuck.
So what I did was I took my little thing to Kinko's and I've got my, if you can imagine, my laptop, and I've got the wire going, the USB cable going from the laptop to the logic analyzer, which is hidden in the bag, and then I've got these wires running from the logic analyzer to this pin header on the back of the thing, and then I've got the card that I'm sticking into the kiosk. And fortunately for me, Kinko's has this section where you can sit down with your laptop and plug their stuff into it and you get to use their internet connection for like, I think, 25 cents a minute or something like that. Something ridiculous. Like AT&T long distance rates from 1978. Oh, there's cameras. There's cameras, but if you look where the camera is, you know, it's kind of, there's only, it's not like they have cameras at every station. So if you go to one where the camera's off on one end and the laptop's on the other end and you have someone come with you and stand behind you and you just do this really quickly. So you set your logic analyzer to read the data and you stick the card into the thing and it reads and spits it back out at you. Then you stick the card in the thing, it reads and spits it back out at you. You do it a couple times just to be sure. You get a couple data captures and you pack up your stuff, you walk home. And so you walk home and you pull the data out of the logic analyzer and you get this. Just a stream of binary digits, ones and zeros and ones and zeros and ones and zeros. So on their own, this doesn't really, the problem is this doesn't really chop up cleanly into individual bytes, because there are a lot of things where it'll read ones while the card is processing, and the card will just process and process and process and it'll go okay, I'm done, but it won't actually be on any number divisible by eight. So you've got to actually manually step through this and figure out where the codes are and what's happening. So you've got to have a little patience.
There, if you look at the spec sheet for this card, these are the commands to operate the card. Read the main memory, update the main memory, read and write the protection memory, read and write the security memory, and compare verification data. And if you look in the manual, there's a very specific sequence of these commands that you need to present to the card in order to open it up for writing. So you need to, I think, read something twice and then present the security code one byte at a time using these commands. And so you just have to look for that pattern in the data. So there's a command structure to these. There's the command byte, there's the address byte and there's the data byte. So here's the security code presentation thing I was just talking about. You read the security memory, you update the security memory and then you write the compare verification data in three steps, one byte at a time, update security memory to N and then read security memory. And if you've done that correctly, it'll say, okay, the security counter is reset to three and you're set to go. And if not, the security counter will decrement to two or to one or to zero. So here is stepping through the data byte by byte. So here's the answer to reset and these are the first four bytes of data stored on the card in that write protected header. Here's the processing cycle. Read main memory from byte 15 to the end. And so then there's a processing cycle and it starts dumping everything out. Here's the main header, here's the value, timestamp and so on and so forth. So you do this many thousands of bytes later. And you find this. So it says, read the security memory, okay. Update security memory, okay. Card's processing, processing, processing, compare verification data, byte one. Hey, here's the first byte of the security code. Here's the second byte of the security code. Here's the third byte of the security code. Update security memory. I'm like, oh wait a second, why do I need to keep going?
I found it. And for those of you who are in the back and can't read this, I've taken the security code and replaced it with Xs, and then down here it says, why hello there. I'm the information security responsibility cupcake. And it's my job to tell you that you're gonna have to figure out the security code for yourself. Also, dead hookers. I figured it would be grossly irresponsible of me to just give you people the code. Because I'm sure there are some in the audience and not in the audience who would just take the code and then all of a sudden Kinko's is losing millions of dollars to just random people coming in and making hundreds of thousands of copies for no reason. And then, oh, who's that schmuck who presented about this at DEF CON? Oh, me. So, manipulating the card is really easy. Let me turn this off and I'll open up the program that I used to do this. Stick the card in the reader here. I'm gonna use the basic blank one so I don't give you guys the real security code. So, here's the SLE 4442 and here's the main memory. This card's blank, it's all ones. So, let's present the security code and hey, we got it right. This software is a little buggy. It says incorrect, remaining chances equals three. But now that we know the code, we can write to it. So, you know, DEADBEEF, CAFE, 1111, 1111, 1111, 31337. Oh, oh, oh, oh, oh. And there we go. So, we've written to the card, simple as pie. And to prove that we can write to the Kinko's card, we'll take this out. And let me just reset this. And here's a real Kinko's card and here's some data which wasn't on the card originally; if we go to ASCII, it says LOLDefCon. So, now that we can write to the card, let's figure out what we can do with it. Oh boy, internets. Your balance is $313.37. Wait a minute, you can only put $100 on these cards, what the? So yeah, this is the proof of concept. This is the first card I wrote to, and I'm like, here's a value that kind of proves I can write to it. It ran off and it worked.
So, that was pretty sweet. Now that we can rewrite these cards, how does the back end system interface with this? So, let's play with it a bit. I'm sorry? Okay. So, here's the layout of a typical Kinko's. There's one kiosk, there's a bunch of PCs, like maybe one Mac, probably for you Mac people out there. Bunch of copiers and a bunch of registers. So, first thing, card cloning. Does this, because each card is individually serial numbered, does the system have some sort of balance tracking that it can do? So, buy a card, clone the card, make a few Xeroxes with the first card, and then print a receipt with the clone card. And, it turns out that when you do this, like, when you put the clone card in, it'll say, okay, you made two copies at 10 cents each, so that's 20 cents, and your balance is a dollar. So it just reads the balance off the card. Value alterations, does the system throw up red flags if the balance suddenly changes for no readily apparent reason? So, you do the same thing, you buy a $1 card, you rewrite the value to $2, you make several Xeroxes, of course less than a dollar's worth, because you don't want to commit fraud, obviously, and you print a receipt at the kiosk. And in this case, it goes, oh yeah, you purchased the card for a dollar, you made two copies at 10 cents each, so that's 20 cents off, and your balance is now $1.80, no red flags. Does the system freak out if the card serial numbers are from some non-existent store somewhere? Does the system even verify that the serial number is valid? So, you buy the $1 card again, you alter the serial number to store 9968765451, there is no store 9968 anywhere in the system, and you do the same thing, and it just works fine, doesn't even bother. And okay, is the card serial number invalidated if you redeem the card for the stored value? Because you would think, right, okay, here's someone who turned the card in, they've got cash back, let's make this card not work anymore. That'd be the logical thing to do, right?
So, you buy a $1 card and you destroy it. So, there's the $1 in the system that you're never getting back. You buy a $1 card, make a Xerox with the card, clone the card, redeem the original card, make a Xerox with the clone card, and see what happens. And it works just fine. The clone card, even after you redeem it, still works for Xeroxes. Okay, so maybe it takes some time for them to update their system or something, so you go eat pizza and you come back and try again. No, still works just fine for Xeroxes. Maybe, maybe, maybe you go back a day or six later because maybe they're really, really slow, you hope. But no, the card still works after six, seven days. Did you know, did I mention that they have only one product? This. And their slogan when you go to their website is Counterintelligence. I wish this were false, but. And so, oh, and also the employee cards. It turns out that, okay, so with the convenience cards, you can just reset the counter of the number of copies you've used and it'll just keep working. You can alter the serial number, it doesn't make a difference. And the employee cards, all it does is check that timestamp and see whether it's been 24 hours since the timestamp. It doesn't bother to verify whether the employee is still working there or is even a real employee at all. So you can. Does it? Oh, okay, yeah. So it checks the store number too and that's it. But yeah, if you get the store number right, you can be Joe Blow 999123. Doesn't make a difference. Not a date in the future. I'm sorry? A date in the future? A date in the future, I didn't try that. But that would be a fun thing to try. If there's a Kinko's around the corner, we can have fun. So how do we engineer a better system, right? Well, first off, there's several options, right? How do we do this cheaply and keep the existing base of installed cards? Well, the first thing to do is to change the way you store things.
You change the way the security code works so that the security isn't the same for every single card in circulation in the entire system and you change the method for verifying the cards. So it's inexpensive because all you have to do is change the software, but it's still somewhat insecure because you're still using the same cards, and also how do you ensure that the old cards that are still floating around aren't fraudulently being used? You increase security by verifying the information. You generate a hash, you encrypt the data, you don't store value in plain text. You basically make it difficult for someone to do what I did, where you just look at it and go, oh, this is the store number, this is this, this is this, this is that. You make it just look like random garbage. Or you don't store the value on the card itself, right? You just use the serial tokens and you store everything on the back end. But, and you invalidate the cards when they're cashed out, duh. And don't use the same security code for every single card out there. Use some code derived from a randomized rotating value, or don't base the code, don't base the code on any value stored on the card. So it has, okay, 10 minutes next. So a better thing to do is use a different chip that has cryptographic product on, some sort of cryptographic function on it. The Atmel CryptoMemory chips used by my laundromat are higher security than Kinko's chips. So it's easier for me to make copies than it is to steal laundry. You use a chip with a microprocessor, you can do challenge-response, you can encrypt data, you can do access control, you can do hidden goat's sea if you want, I don't know.
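The redesign sketched above (a per-card secret instead of one code shared by every card, a keyed hash over the stored fields so a rewritten balance or serial is detectable, the balance of record kept on the back end, and invalidation at cash-out) is shown below as an added example in Python. It is not code from the talk, from Kinko's, from the card vendor or from the chip manufacturer; the serial format, the field layout written to the card, the master key and the store numbers are all constructed for the demo, and `run_demo()` replays the talk's experiments (value alteration, bogus store number, clone used after cash-out, clone used after the original) against it.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed master key for the demo only. In a real deployment it lives only in the
# back end (ideally an HSM); a dumped card yields its own per-card key at most, never this.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def card_key(serial: str) -> bytes:
    """Per-card key = HMAC(master, serial): one leaked card key is not every card's key."""
    return hmac.new(MASTER_KEY, serial.encode(), hashlib.sha256).digest()


@dataclass(frozen=True)
class CardImage:
    """What gets written to the card's application bytes (hypothetical layout)."""
    serial: str
    balance_cents: int
    counter: int   # bumped on every debit, so a stale clone no longer matches the ledger
    tag: bytes     # HMAC over serial|balance|counter under the per-card key


def _tag(serial: str, balance_cents: int, counter: int) -> bytes:
    msg = f"{serial}|{balance_cents}|{counter}".encode()
    return hmac.new(card_key(serial), msg, hashlib.sha256).digest()[:16]


def issue_card(serial: str, balance_cents: int) -> CardImage:
    return CardImage(serial, balance_cents, 0, _tag(serial, balance_cents, 0))


class Backend:
    """Authoritative ledger: the card is only a token; the balance of record lives here."""

    def __init__(self) -> None:
        self.ledger: dict[str, dict] = {}   # serial -> {"balance", "counter", "active"}

    def sell(self, serial: str, balance_cents: int) -> CardImage:
        self.ledger[serial] = {"balance": balance_cents, "counter": 0, "active": True}
        return issue_card(serial, balance_cents)

    def verify(self, card: CardImage) -> str:
        """The checks the talk found missing, in the order a kiosk should apply them."""
        if not hmac.compare_digest(card.tag, _tag(card.serial, card.balance_cents, card.counter)):
            return "bad_tag"            # balance or serial rewritten without the key
        rec = self.ledger.get(card.serial)
        if rec is None:
            return "unknown_serial"     # e.g. a store number that does not exist
        if not rec["active"]:
            return "cashed_out"         # card was redeemed; its clones die with it
        if (rec["balance"], rec["counter"]) != (card.balance_cents, card.counter):
            return "stale_or_cloned"    # image disagrees with the ledger: replay or clone
        return "ok"

    def debit(self, card: CardImage, amount_cents: int) -> tuple[str, CardImage]:
        status = self.verify(card)
        if status != "ok":
            return status, card
        rec = self.ledger[card.serial]
        if amount_cents > rec["balance"]:
            return "insufficient", card
        rec["balance"] -= amount_cents
        rec["counter"] += 1
        new_image = CardImage(card.serial, rec["balance"], rec["counter"],
                              _tag(card.serial, rec["balance"], rec["counter"]))
        return "ok", new_image          # kiosk writes new_image back to the card

    def cash_out(self, card: CardImage) -> str:
        status = self.verify(card)
        if status == "ok":
            self.ledger[card.serial]["active"] = False   # invalidate at redemption
        return status


def run_demo() -> dict:
    """Replays the talk's experiments against the hardened design; returns each outcome."""
    be = Backend()
    out = {}
    card = be.sell("0001-000001", 100)                 # constructed serial: store 0001, $1.00
    status, card = be.debit(card, 10)                  # one legitimate 10-cent copy
    out["legit_copy"] = status
    forged = replace(card, balance_cents=200)          # rewrite $0.90 to $2.00, tag unchanged
    out["forged_balance"] = be.debit(forged, 10)[0]
    bogus = issue_card("9968-765451", 100)             # even with a valid tag, store 9968 is not real
    out["unknown_serial"] = be.debit(bogus, 10)[0]
    clone = card                                       # bit-for-bit clone of the live card
    out["cash_out_original"] = be.cash_out(card)
    out["clone_after_cashout"] = be.debit(clone, 10)[0]
    card2 = be.sell("0001-000002", 100)
    clone2 = card2                                     # cloned before first use
    status, card2 = be.debit(card2, 10)                # original used once; counter becomes 1
    out["clone_after_use"] = be.debit(clone2, 10)[0]   # clone still carries counter 0
    out["ledger_balance_2"] = be.ledger["0001-000002"]["balance"]
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:22s} {result}")
```

The ordering in `verify` matters: the tag check comes first so that a tampered image never reaches the ledger lookup, and the ledger comparison on both balance and counter is what catches a clone of a card that is still valid, which no amount of on-card encryption alone would do.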
And, you know, if these new chips are more expensive, you can do what my laundromat does and charge a deposit for the smart card. Currently the cards are free for the taking and you just go to the kiosk and say, give me a card, give me a card, give me a card, and it'll just keep spitting them back out at you until the thing's empty. It'll go, oh, contact a team member to get a card now. So you charge a buck or two to obtain the card and then when you're done, you have the customer return the card and they get their dollar back, big deal, right? And it'll prevent, you know, curious tinkerers like myself from obtaining massive numbers of cards for play and analysis, you know, like a small stack like that. So, some resources: you can go to SecureScience.net, which is my company, it's the plant's company, I work for it. You can go to my website, StromCarlson.com. Infineon is the manufacturer of the chip on the Kinko's card, Atmel is the manufacturer of the chip on the laundromat card, and SmartCardSupply.com is where I got the stuff. What? What? Am I? Yeah, but I never talked about that on here, so that's not a resource for this talk. So, questions, answers? Yes. One thing that you mentioned was that when you were practicing with writing cards, if you would write, you know, if you try to break the security code on the card, you only have three chances. But you also said that when the system goes through and correctly authenticates the card, it resets the counter, is that true? Yeah, it resets the counter. If you, for example, write the wrong code twice, you can go stick it in the kiosk again, and it'll reset the counter to three. But the only problem with that is you look kind of weird going in with a stack of cards and sticking them in one at a time and then coming back the next day and doing the same thing. So, question?
I thought, you know, wouldn't it be more secure to just actually put all this data, like the dollar amount data, in a database and actually have a program searching for patterns of things that are strange? Because I don't know why you would put the money on the card. It doesn't make any sense to me why they would do that. I don't know either why they did this. So, that was the question, it was just more of a statement. Yeah, I think I mentioned that. I'm curious as to why you called it Hacking FedEx Kinko's when you were actually hacking in track. Because no one's heard of in track, but everyone's heard of FedEx Kinko's. So if I called it Hacking in track, like half of the people would go, what's that? Okay, never mind. Any attempt to do some power analysis to brute force the security code? I'm sorry? Any attempt to do power analysis to check when the security code becomes invalid on a bit by bit basis? You can't do that with the way this, I mean, theoretically, right? Theoretically, I think you might be able to do that. But again, this is not my area, electrical engineering is not my area of expertise. Yeah, seems to use them just to give it to you. Yeah. After you've locked out the card by writing to it too many times, can you still read it? Yeah, you can still read the card, you just can no longer write to it at all. It's burnt out. I'm sorry? Yeah, can't be updated at all. But, well, no, see the thing is, if I actually tried that, if the system can't read/write to the card, it just says, this card's bad, and spits it back out at you. So, no, you can use credit cards in the same reader. Oh, wow, okay, interesting. I have five minutes, so a couple, and then use her. If you burn out the card and there's money left on it, will this still let you cash it out? I didn't try that. It's worth a shot. Have you tried notifying in track of the security issue, and if so, when? We notified them at the beginning of February.
We didn't hear a thing from them for a month, and so we said, okay, usual standard practice is a week, so we went public with that. Is this attack still valid then? Yeah, this attack is still valid, which is why I'm not releasing too many details. Any other questions? I'm gonna shine this in your eye for being off topic. God, okay. All right, no more questions. Oh, logic analyzer, if you just Google for USB logic analyzer, there's a number of companies out there that are selling them. Why didn't you build your own? Why didn't I build my own? Because, A, I suck at soldering, and B, it would have taken too long, and I just felt it was worth it to spend the three hundred dollars instead. Yes? Yeah, the pinout is described in the data sheet of the card, and I think I put the data sheet on your DEF CON CD, so you can look through that. Any last questions? Okay, well, oh yeah. Did I try what? No, I didn't try that again. I'm not much of an electrical engineer. I'm not much of a coder. I'm a phone phreak. So, you know, this is just me tinkering. Okay, well, and if you wanna bring me your Kinko's card at any point during the con, I'll write something silly on it for you. Thanks.