Welcome to the next talk, about vending machines and the cloud. We have always had similar topics here at CCC, but from other points of view, and the topic of electronic payment systems offers quite a lot of things to tell. We have had many talks about charging stations, about mensa payment cards, etc. Jans Stryb is our speaker. He is a student, and he will tell us about electronic payment systems. Applause for Janis!

Yeah, everyone who is studying at a university or working at a big company probably knows this: there are vending machines, and if you're hungry or thirsty you can get a snack, which is more or less healthy, and pay for it with your student card or employee card. You also see these systems in the canteen and the cafeteria, the mensa, and you can charge or top up these cards at terminals like this. Sometimes there are also status terminals where you can see how much money is still on the card and maybe the last transactions.

The architecture of these systems usually looks something like this: we have our vending machine, with the controller inside the cabinet; these are often also called vending machine controllers. This one communicates over MDB, a serial protocol, with the vending reader. The reader does the actual payment, and to do this it communicates via HTTPS with a backend, a cloud-based system, where the transactions are done.

Usually a payment transaction looks more or less like this: you hold your card at the machine, the reader gets some information about the customer (you can also get things like the date of birth, which might be important for alcoholic drinks), the user chooses his product, the price is looked up, and then the actual vending process takes place.

How did I come to this topic? I was supposed to build an integration for washing machines.
It's this device you see, with the red field and the two-line display in the lower left corner. But as a hacker, if you have an unknown device with a network connector, then you usually do a port scan first, and there was my first surprise: I saw a VNC server. It's a real VNC, and if we have a look in an exploit database, then we find several exploits which might match this version. I tried it. Yeah, it works. Interesting. We have a Windows CE here. There's a full Explorer, and we can watch what the software is doing; the software is obviously called CS core. For our system we have this image. Obviously there are two databases on this reader: a static DB for the static configuration and a work database where temporary data are saved, I assume. And these databases seem to be somehow encrypted; they cannot be opened with a normal database browser. So I became more curious.

We have also added the VNC here. I didn't really look at the card system etc., I just looked at the reader. I began to make a rough analysis. It would be interesting to know what happens on this HTTPS channel, so we can build a man-in-the-middle gateway and log our requests to the backend server, just to have a look at what requirements we have. It's worth starting Wireshark once, and everyone who sees it in detail sees that this is an SSL/TLS client, and we see the list of supported ciphers, the cryptographic methods which can be used. If you look a bit closer at them we also see that these are a bit antique, not the newest ones; among them I found SSLv2, 40-bit export ciphers, MD5. I hope I translated that correctly.
I hadn't seen that in the wild before, so we have a little problem for the proxy, because not that many implementations still support SSLv2 and RC4 and 3DES, and I didn't really want to compile things myself. So I had a look at how to make it simpler, and the solution was Java 8. Indeed, if you use Java 8 long enough, if you abuse it long enough, it still supports SSLv2 Hello and RC4 and triple DES. So I used my own proxy and tried it. Actually I only wanted to check whether the handshake works; you see my laptop working as a proxy, and bang, that's our request. It was unexpected, because I hadn't actually set the certificate on the system yet. So apparently there's no certificate verification here. Cool. Nice leak and nice backend.

Let's look at the API a little. As you've seen in the video, there are two API endpoints. There's a heartbeat endpoint, which is used for pretty much everything that's connected to the configuration; for example, it provides the static DB for the configuration and is updated in regular intervals and at the start of the vending machine.
That's an XML API. The request sends a little bit of metadata to the server. It also sends a SHA hash of the static DB, so if there's no static DB it just sends an empty checksum. So I looked at the request a little. Then I saw that there was no real authentication. The only thing that differs between different vending readers is the platform ID, and it kind of looked familiar to me. It shows on boot, so we can just see the ID at boot and can request the static DB. Well, they're still encrypted, but maybe we can use them anyway.

Next API. Alright, let's see the overview first. We see how the static DB is provisioned, and we see that we can intercept the heartbeat without any modification of the reader. The next API endpoint is the endpoint to interact with end-user accounts. There are some different types: vend, which sells something; negative vend, for returning a deposit; or revalue, which you can use to top up the card at some machine. And there is some actual authentication in there. It's read from the static DB, and it is different for each device. Also, there's some interaction about the account history. The entries over there can also be created via a separate request. So if there's a normal transaction, it doesn't actually register in the account history; that's done in a separate request, so it doesn't even have to have anything to do with an actual transaction.
So this is done via some CSV data with the information we now have. With this information, via the man in the middle, we can just execute a revalue request from our laptop: 100 euro more on the account. And now we have 100 euro more on my account, even without doing anything as a user. So we can just get the wallet ID and use the device to do an API request. Nice, convenient.

Here you see part of the administration interface which the administrators usually see. This is from another point in time; it's not the one that I just showed. Lower left, we see our account balance, 722 something, and we see the account history, and there was somehow a booking of about 2,000 euro. This is an interesting example where you see that the bookings can be arbitrary and they don't really have anything to do with the actual transactions.

It would be interesting to see how these databases work, because at the moment it's only possible to start attacks when we know a secret, and it's only possible with the man in the middle. It would be interesting to have the databases. To do this we need to analyze the software more deeply. So I used a reverse engineering tool, but there you have the problem that it's an exotic kind of executable format, Windows CE for ARM, and there are not that many debuggers for it. But IDA can do it. At first I could only do a static analysis; I could not watch actual data being encrypted or decrypted, just the static binary. There's a nice tool which helps to find traces of encryption algorithms.
It's called FindCrypt. It looks, for example, for certain constants which are used for certain algorithms; in this case it found an S-box, and if we see where these values are used we can find out where the actual encryption is happening.

Just a short disclaimer: even if AES is quite simple and it would be easy to build it, it would be a bad idea to use it in production code. It's just a hint. AES is in principle relatively simple: from the key we derive several keys and apply them in several rounds, using XOR on the data to be encrypted, we shift the key, etc., and in the last round we leave out one of these steps, and in the end we have a block of 128 bits of encrypted data.

So now we found our encryption function. It looks somehow like AES; it looks like these transformations and the key. And now we can monkey-patch it to try to extract the key. In the software there's a function which can log things, so we can just write the key down to the log files. It also looks really nice: you see in the last line the extracted key. But somehow this key did not really work. No matter which AES implementation or variant I tried, I could not find anything useful in these databases. At this point I basically gave up; I would not find out how this encryption works.

But then I talked to an admin of this system, and he talked about having a decryption tool that can just decrypt all of the things. Something about all the same keys, and then I listened up and thought maybe all these devices use the same keys. This decryption tool can be debugged and analyzed a lot easier because it's x86; there are lots of tools for this. So let's look at the key expansion first. This derives many keys from the 256-bit key.
We see the expansion. Then I looked at the expansion; we'll see a video of IDA where I looked at the variable where the expanded key is set. I step through and look at how this variable is filled, and we see it's filled a bit, and now it starts from the beginning. This goes on for a while until some data appears, and then there are many zeros. So the key expansion isn't really the usual one: we just get a key from another key and lots and lots of zeros. If we put this into the graphic we had before, then the process becomes a lot simpler, and it looks like this at the end. So it's basically an extra encryption at the end that just changes it a little bit. So with this knowledge we can use a null padding block; that's why it's useful: with this null padding block we get XOR material, and practically that gets us to the keys. And the database is freely available, so let's get a database from the API; we can decrypt it and open it, so we get the config and everything for free. So we don't have to debug the system to get our authentication data. Convenient. Also good.

So everything's broken that we've looked at. I guess I was done and showed it to the vendor. And then they came to me and said: we've got a new version. Someone got me a flash drive: just plug it in, it will work. So I was thinking, wait, how do they do the update?
Apparently these devices do have USB ports, and I looked at it for a while and found out you can put an XML file on the flash drive. If you look in IDA you'll find a parser that has lots of commands like copy file or execute file, and the files aren't even signed, so the identity of this file isn't really checked. So I could build a small CMD file, put it on a USB drive and plug it into the vending reader, and we can put the USB drive back into the laptop, and we have copied some useful data. So now we get the databases and all the secrets, and we can also execute arbitrary code. Really convenient. It becomes even more interesting when looking at the previous version. In an old version the USB port is located on the front, and this version was hanging around for many years at our university, and it uses more or less the same software. That's not a good sign.

I still have some time, so I'll show you a bit more of how I did the analysis. It really helped that the core writes extensive logs; they also contain function names etc., which really helped the analysis, because you can search for the strings in the binary, and so we could identify the functions quite easily. This is how such a parser looks when such a function is found. Now I had a little problem with reverse engineering, because when monkey-patching to extract the key I found out that the software does not really like that; it somehow strikes back. Somehow this binary is checking itself. It seems to be some CRC, because we see CRC in it.
Okay, CRC is just for catching bit errors, not a cryptographically secure check. So we can also patch it quite easily, because we just make the CRC check always say it's okay, or we just compute the new CRC checksum of our binary and permutate the binary until it fits again. Or, even more simply, if we just put the real file at the real place, it just works, because the path is hard-coded. Good, that's it from my side. We have a lot of time for Q&A. I made a short recap of the vulnerabilities, and I'm listening to your questions.

Yeah, thank you very much for this interesting talk. So we've got lots of time for questions; just come to the microphones. If you have any questions about how to hack your vending machines or other topics, please come to the mics, don't be shy.

First question: What do you think is the best way to use this, to get free products?

Well, to really get free products, to shop for free, I can imagine different attack scenarios. For instance, you see which users are on the system, you look for some ideas, and you can use some one-cent transactions; nobody cares about that, and you add all this difference to your account, so nobody will notice it. And sometimes there are other ways to be discovered. It's usually not a good idea if money just appears in the system.

Second question: Hi, thank you very much for your talk. You did a lot with man-in-the-middle attacks on the network, and nmap stuff. I'm interested in how the transport of the data works. Did you test whether the data of the card ID is transferred? I didn't quite catch the beginning of the talk. Could you exfiltrate some ID from the card reader, or could you do more than that?
The card reader is connected as a USB keyboard, so only the part appears that you can set in your settings, for instance only the ID or some last transactions, etc. So there's not a lot to do on the card by itself, because most of it is done via the cloud; it only uses the ID of the card, which you can set up in the card reader.

So you haven't tested how the data on the card works and how the data of the card is used, how the data is transferred there?

Thank you. I didn't observe such things, so no.

It looks like all questions have been answered. Thank you very much, Janis, for your amazing talk.

Thank you for listening to the translation stream. If you have any feedback regarding the translation you can find us