Good morning, everyone. It's a long walk over here. This is Breaking the Back End, DEF CON China 1.0. Congratulations. My name is Gregory Pickett with Hellfire Security. I'm part of the Cybersecurity Operations Group. Brief overview of what we'll be talking about today. I'm going to start with transit systems. Just a brief history, honestly, of several different talks, the major talks we've seen so far. And then, of course, we'll talk about our target. After that, we're going to reverse engineer that target. We're going to learn a little bit about how it works, how that system works. Then we'll talk about the discoveries, what we discovered through that reverse engineering, and then the exploit developed from it. And, of course, always at the end of talks, lessons learned. So we've had a couple of talks over the years. The Anatomy of a Subway Hack in 2008 was taking traditional attacks and applying them to a subway station. Bypassing physical security, hacking the wired and wireless network. Actually, whoops, I got that backwards. That was bypassing physical security and then hacking the terminal, set up as a kiosk. So the next one after that was the NFC subway hack of 2012, where you're looking at attacking the hardware. There's a read-only bit. I think there were a couple of different bits on that card, because they weren't set and they were writable, they were able to replenish that stored value card. Then we had How to Hack All the Transport Networks of a Country in 2012. Going back to traditional attacks, this time around it was social engineering. This one was attacking the wired and wireless networks. And I believe several what-ifs, as far as attacking the encryption. What if we did this, what if we did that? Could we get the keys to write to the ticket? And then Breaking Korea Transit Card with Side Channel Attack in 2017.
Going back to attacking the hardware, NFC again, doing side channel attacks to get the secret key so that you could then write to that card and replenish it. This is a little different, not illegal. We weren't sneaking into the station. We weren't hacking their terminals or social engineering anyone or attacking the wired or wireless network. And it's also not about the hardware. We weren't cracking anyone's encryption. We weren't cloning the Magstripe, the RFID, or in most cases of course NFC. This is about flaws in application logic. There's cloning involved. I will admit that, while we do clone, that's not the vulnerability that we're exploiting. Instead we're using AppSec to attack a complex, multi-layered, real world solution. Lots of moving parts. We'll see where they break. So our target is the elevated train. That's the Bangkok Mass Transit System, or BTS, in Bangkok, Thailand. Elevated rapid transit system there serves the greater Bangkok area, operated by the BTSC. There's several different companies involved, Hold and Company, Hold and Company, Hold and Company, the 43 stations along two lines. I think that's from the website. So they've been expanding. So there's probably a couple more stations. They have lots of different lines planned. So more stations. The tickets the system uses, there's a stored value card that's based off NFC, and then an all day pass and a single journey ticket, both using the Magstripe. And that is what we'll be looking at. Those tickets have two Magstripes each. There's a hole through one Magstripe, and it's about 0.27 millimeters thick. You're not going to go to the corner store and order these. You're not going to go to a warehouse. You're not going to open a catalog. So not easy to get. There are tickets there. You can see, OK, I was very excited that they have a laser pointer. I see the hole there, and there's actually a little hole there. So the top is the single journey, and the bottom is the all day pass. Very thin.
I want to stress that. So we have the gates there when you enter. And the two, I'm going to make use of this laser pointer here a lot. So the two there are set up for enter. The little arrows there, you slide it in the slot. It gets processed, pops out at the top. Gate opens up, you walk through. And the same thing, when you exit, you're going to go ahead and slide it in there. It's actually going to capture it at that time. The gate opens up, and you get to leave. So why them? Well, Magstripe, really? It's something very, very old, seems then very, very interesting. And of course, of all the issues out there, Magstripe is very popular for having quite a number of them, almost as famous as Windows. So you have all these questions. You talk about it, you talk about it. So at some point in time, you have to put up or, as they say, shut up. So I wanted to answer these questions for myself, my friends, and really just get this done, get it out of the way so I can move on to other things. So we have to have some equipment to read these tickets. That's the first thing you really are able to do and you want to do is read those tickets. So you get the equipment. It's a standard reader/writer that I ended up using. I went through lots of different equipment. As my understanding changed, so did the equipment that I used, but I ended up here with a standard reader/writer manufactured in China. Thank you. It does standards, so it reads it and will decode it according to the standards, or you can do a raw read where it just dumps what's on the card, what's on the ticket. Errors were rare and it handled that hole really well. Originally, I thought that hole was kind of a 1980s style copy protection. I don't think many of you are old enough to know what that is. Essentially, what they would do is introduce error or damage, they would damage a sector on a disk so that if the utility from the OS would attempt to copy it, it would fail.
The copy would fail, you couldn't then copy the disk, you couldn't copy the game. So I'm thinking they're introducing this hole so that essentially if you tried to use it with a standard reader/writer, it would just fail and you couldn't get any of the data off there. Turns out it was just to make sure that the ticket was facing the right way and essentially it went in the right way and that the mag stripes were down. Okay, so I could end up just using a standard reader/writer and very reliable performance. Very reliable performance. It's important that you have reliable performance. That way you get reliable data and that way your analysis goes much, much easier. All right, so when you're sitting down with this reader and you're reading the tickets, you have a lot of questions. Data location, encoding schemes, how does the data change as the ticket goes through the system, and then ultimately you're looking to find out what that data means, and if you're seeking to break that system, you're trying to get it to error, manipulate it somehow, you wanna see what the system response is to data tampering, to repeating states, or out of order state transitioning. So you're repeating state, you take a ticket that you've used to enter, can you enter with it again? If you attempt to maybe take a ticket you've purchased but you haven't used yet, can you exit with it? How does the system respond? So you sit down and you read that and you're gonna read the mag stripe and you're going to decode the data. Okay, there it is, in all its glory. All right, just in hex there. We have the two mag stripes, each with three tracks. So I attempted to decode that using the standards, the International Organization for Standardization. There's lots in that standard but it boils down to six-bit character sets and four-bit character sets, some with parity and some without. I attempted to decode that both forwards and backwards and I did it many, many, many times.
I'm always concerned about my work, I'm always double checking my work. So I wanted to do it over again, make sure I'm not making mistakes, and I did it with software. I used the software that came with the reader and I also did it manually. There's two reasons. I went through lots of different equipment and some of the equipment was not the most accurate, it was most reliable. So I wanted to make sure that the software was doing it properly, was decoding properly, and there's an added benefit. If you go over that data again and again and again, you start to, there's patterns, right? There's patterns that you can see and you get to understand that data and hopefully by doing so there's some insights that you can come to as you're doing the work. So after doing this again and again and again, I finally decided that maybe it wasn't using the standards. Now maybe it wasn't encoded at all, maybe it was just raw data, so let's see. Now when you're going to do your analysis, you want to reduce the amount of work that you're going to do. So I'm not a professional, so all of this is just self-taught, so if I'm getting anything wrong, let me know, but I did see a lot of duplication. So if it's duplication, I don't need to understand it, it's just something that's duplicated somewhere else. So I can immediately eliminate these big sections here, it's the same data over again, so it leaves me with just these four sections here. And I didn't need to know this either because, talking about insights, I realized by looking at that enough times, that 0x74, whoops, go back, wrong button, that is essentially 100 plus the ticket price. So this was basically a 16 baht single journey ticket and that was, it's 100 plus 16, 116. So I knew what that was right away based on all that time going over and over again, the data.
So I automatically knew what that was so I didn't need to worry about that, I just focused on these, I'm gonna keep doing that hopefully, not those four blocks right there, okay. Now looking at that, seeking to understand it, I realized there's no encryption, it's not all different, so there's no encryption. There's no parity checks: if you break out those bits into little blocks and you calculate parity and you see, does that match what you have on that ticket? You don't, it's not there, right. Same thing with the LRC, and there are no timestamps. If you purchased one ticket, you waited 10 seconds and you purchased another ticket, none of those values incremented by 10. So that means you're gonna have to now go in the field. You have to run that through the system, you're gonna have to make changes, right. Each time you go through the system, you're gonna vary that input, right. You're gonna go through one station, a particular dispenser, then you're gonna go in, you're gonna purchase actually from a particular station from a particular dispenser, then you're gonna go ahead and use that ticket in a particular station with a particular turnstile, and you do that different each time, right, vary one input variable and then see how it changes each time you're using it to identify meaning. After collecting lots of these tickets, I had some additional insight here. That little section there, the orange section, never changes, okay. So that was good, I didn't need to worry about that then. If it's not changing, I have a hard time understanding what the meaning was going to be, so I wouldn't worry about it. And this little section here, while this does change from ticket to ticket, this changes as the ticket is used, that little section there. I can't see the green, but it's essentially, if you could, it's actually blue up there, but yeah, that little section changes as the ticket is used. Now, as I observed those changes, this is what I found.
Each ticket has a GUID associated with it, and so it kind of rolls down there. And the location, initially it is in a dispenser and there's a GUID associated with its arrival there. When the ticket moves, that location is updated to a turnstile, and there's a GUID associated with its arrival there. When the ticket moves, it also changes state, going from issued to used to collected. When you buy it, it's in a dispenser there, underlined. It's in the issued state. When you enter, it goes through a turnstile, the little turnstile there. It's in the used state. When you exit, it's captured by a turnstile, and then it's in the collected state. Okay. Some additional things that I learned. For all day passes, the known section, or the 100 plus price, is used to track trips taken. The price of that all day pass is 140 baht. So it's 240, so when you take one trip, it's 239 and then 238 and then 237. And there's a different never-changes section for all day passes. Now this should have struck me earlier, but unfortunately, I didn't think about it. It just didn't hit me until after my slides were finalized, but that would then appear to be a ticket type. All right, that little section there ends up looking like a ticket type. There's also some handling rules. To enter, a ticket must have previously been in a collected state. It would have been sitting in a turnstile someplace, taken out, brought around, put in that dispenser. So it was previously in a collected state. Comes out of that dispenser, now in an issued state. You can use that then, that ticket, to enter. To exit, the ticket must then be, after that point, in a used state. Very simple handling rules. Now, we're gonna talk about, of course, exploiting that system. That's kind of why we're here. But what I want to do is really talk about the conditions under which the research was done.
I realize now that I was a little bit paranoid during this whole thing, but you can imagine, being in security, why I might be paranoid, because we see bad things. Some of us do very bad things, and we do hear occasionally about bad things happening to our security research, outside of actually the work itself. So at the time, and even right now, I believe, though they're transitioning, this was done in Thailand, obviously, and the government is a junta, or a military dictatorship. In those sorts of situations, and I think for the most part in many legal systems, you are guilty until proven innocent. They do this very easily with lèse-majesté. Essentially, you've embarrassed the king, you've embarrassed the government, you've embarrassed the country. They say that you did, and you did. That's just, they claim you're guilty. You are, as a foreigner, as a farang. You may know the term gweilo, or laowai, right? I don't have rights, so there was no chance I was gonna be able to prove myself innocent. And anyway, I don't think even if I was a Thai, it would matter too much, because I think in the history of lèse-majesté, only one person has ever successfully escaped their fate. So essentially, if anyone was concerned about what I was doing, for any number of reasons, they could have just snatched me and put me in jail, and then I would just stay there until they felt like letting me out. So, as I say, I took a lot of precautions. I tried my best not to get arrested, right? I did lots of things not to get arrested. The first thing I did was try to avoid them. Anybody involved with the BTS, I avoided security guards. Not all entrances apparently had security guards. There were some entrances that did not. I found which ones those were, and I spent my time there. Also, I did something called a dip and dash, if you're probably not familiar with Monty Python, but I ran away, I would go up to, I would saunter. I'd practice my sauntering.
I would saunter up to, like I'm going to enter, maybe I'd pause, look at my phone. I would dip it, actually slide it in, let it come out, and then I would just turn around and I would just walk away, very quick. Not quickly, but not too quickly. And of course, I had an escape route. I had some dark alley I could go down and disappear to. I did say I was paranoid, right? So I had these techniques, this plan, really, but I also could count on them doing their best to avoid me. Punishment, fear, disruptions; harmony is important. In those sorts of situations, you tend to see not to notice stuff. You don't want to notice stuff. Also, tend to see not to care. Not gonna worry about it. And you're gonna follow procedures, right? Exactly what procedure would they have for a strange white guy walking up to a turnstile, putting a ticket in and walking away? Odd, odd behavior, right? Not gonna be in the manual. And then of course, avoiding farang or gweilo, we do weird things, right? White people are weird, we do weird things. And what do you do with weird people? You leave them alone. Let them be weird by themselves, do what they're gonna do, and then you just stay away from them. So that does happen, and for any number of reasons, from not being very confident in your English to any number, as I said, weird behavior, just, it's the Vs again. Okay, thank you. I feel included now. So you know, we basically, this is the way I kind of kept my distance and kept myself safe. So, exploiting the system. That's what this is about, right? This is the fun part. We're gonna briefly review, very briefly, what we learned so far. Talk about the system safeguards that become evident. When you look at this, you know, this transit system we have here, this set of subway stations, the assumptions that they would have had putting this together. We'll talk about some attacks against their assumptions, and then of course, the epic fail that was involved in their design.
So what we've learned so far, it's object-based, right? Physical object and a database object. I knew there's a database object because I did tamper with the data on the card and it knew that something was wrong. It would say, go to the office. So there's some sort of reference involved. There are also properties to that object. There's an identification, a value, a location, and as I realized there, it's kind of like a type, right? And there are states, issued, used, and collected, and there's some sort of history. I don't know why I keep looking at the Chinese slides, because I don't read Chinese. So there's some system safeguards that become evident. Ticket composition and ticket design, you weren't gonna just walk down to the corner store, right, Circle K, 7-Eleven, and just pick one of these up. Mirror the physical object and database object to prevent tampering, handling rules to define value to the objects. And there's a limited life cycle of the ticket, they only last 24 hours, and they were, of course, collecting that ticket in the final turnstile at the very end of your use. So the assumptions in putting that together, of course, would be that no one will be able to reproduce our ticket. Our system has the only valid objects. Handling rules will prevent concurrent use. The damage is limited to that life cycle, what could happen, right, in 24 hours. And of course, after use, the ticket will be in our possession, they would feel safe, right? We have all the tickets now there, or we feel good about that. So we're gonna, of course, attack those assumptions, attempt to invalidate them. We're gonna acquire a suitable ticket. We're gonna capture a valid object. We're gonna try to bypass those rules, and then see if we can extend that attack to increase the damage. So I did find someone to make blank tickets, and I did copy a shit ton of objects in the issued state. Right, you can do that. That's what's nice about Magstripe. Found a flaw in the handling rules.
The collected state found in the current life cycle overrides all other states, right? Overrides even concurrency. So objects are always seen as recently collected. You can run that original ticket, and then all the copies immediately become valid. Honestly, I think they were worried about someone going through the turnstile, handing it back to a friend. They're then using the same ticket to go in, and that's, honestly, all I think they were concerned about. All right, unfortunately, that didn't work. It was not quite a demonstration, but it's a visualization of how this is working. So typically, you've got the original in use there. Someone tries to use one of those copies, that follows those rules. When we saw it before, it was in the used state. It's now currently in the issued state. It violates the rules, and you can't use it. Any of the copies you try to use, right? However, if you let it pass through all the way, it blocks any concurrent use of the ticket. So if you've got three other friends, four of the friends using this ticket, it doesn't really know it. All it does is see it previously as collected. Oh, last one. Now sees it in the issued state. And so it sees it in isolation, really, and then allows that to pass through. And that's the same for any of them. They're all seen in isolation at that point. It just sees the previous state for the object as collected, it's now in the issued. You've got it, right? And you can just then walk in. It's not complicated. It's not like a really technical hack. It's just, you just learn how the system works. You learn the state machine, and then you learn ways to abuse it, ways to manipulate it. So you can abuse it. Of course, you gotta prove it. It's nice to say it up on the screen, but we're gonna have some data to show exactly what's going on, and in fact, that is what is happening. So you have three single journey tickets there. You can see that the price is the same, the station is the same.
You have the dispenser, right? And you can see that it's basically the same instance of the object. So the same ticket, the original and copies. And you can see that it's been used three separate times. It's the same station, different turnstiles, and different arrivals there, right? So you've got different GUIDs for that entry. So you use it three times. And it's the same thing with the lower one here, which is the all-day pass, right? You basically have the same ticket, the same object, and you're going ahead and using it two separate times. Different stations, different turnstiles, and obviously different usage based on the different GUIDs there, okay? Ah, yes, the demo. So we're gonna go ahead and show you me. I'm gonna show you me using one of my counterfeit tickets. Yes, it's mostly my feet. Zaz said that he could tell it was me by my sandals. I'm glad he didn't say he could tell it was me because of my feet. That would have been weird. I mean, a lot of my sandals there. But what I wanted to capture, while still very paranoid, was the fact that I was using a counterfeit ticket. I was exiting the station using the counterfeit ticket. It accepted it, it let me out. Mainly, you know, it let me out, right? So, yeah, simple hack. Just understanding that system, learning how it works, and then manipulating it, right? That's an exploit, very simple. But let's turn that into a hack, right? To do that, you're gonna have to have tickets, lots of them, right? And a plan, you gotta find some cards and you have to punch some holes. All right, so the cards, you can't go, as I said, you can't go to the store, you can't order from a catalog. Ah, Alibaba, thank you again. I love Alibaba. So put an RFP on Alibaba, got lots of samples or engineering trials, and finally, after a very long time, found a winning bid, all right? So there's thousands of companies, I'm just, of course, guessing, it's probably millions.
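The handling-rule flaw described above, modelled as an added example that is not the BTS's code or the speaker's. It reconstructs the object state machine from the talk (issued, used, collected; a location and an arrival GUID; a back end mirroring the object) and compares the rule as observed against a hardened check that requires the stripe to match the back end's latest record, plus a monitoring query that flags the same object entering more than once per life cycle; class and gate names and the sample IDs are assumptions.

```python
"""Ticket object state machine reconstructed from the talk (constructed model)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from itertools import count
from typing import Optional


class State(Enum):
    ISSUED = "issued"
    USED = "used"
    COLLECTED = "collected"


@dataclass(frozen=True)
class Stripe:
    """Fields recovered from the magstripe: object id, state, location, arrival GUID."""
    ticket_id: str
    state: State
    location: str
    arrival: str


class BackEnd:
    """Mirror of every ticket object plus its event history.

    strict=False applies the handling rule as the talk observed it;
    strict=True is the hardened variant (assumed fix, not the BTS's)."""

    def __init__(self, strict: bool = False) -> None:
        self.strict = strict
        self.history: dict[str, list[Stripe]] = {}
        self._seq = count(1)

    def _guid(self) -> str:
        return f"arr-{next(self._seq):04d}"  # constructed stand-in for a real GUID

    def _write(self, ticket_id: str, state: State, location: str) -> Stripe:
        rec = Stripe(ticket_id, state, location, self._guid())
        self.history.setdefault(ticket_id, []).append(rec)
        return rec

    def dispense(self, ticket_id: str, dispenser: str) -> Stripe:
        """Dispenser issues a ticket that was collected in an earlier life cycle."""
        if ticket_id not in self.history:
            self._write(ticket_id, State.COLLECTED, "turnstile-prev")  # earlier life
        return self._write(ticket_id, State.ISSUED, dispenser)

    def _life_cycle(self, ticket_id: str) -> tuple[list[Stripe], list[Stripe]]:
        """Split history into (records before the latest issue, current life cycle)."""
        recs = self.history[ticket_id]
        start = max(i for i, r in enumerate(recs) if r.state == State.ISSUED)
        return recs[:start], recs[start:]

    def _accept(self, card: Stripe, needed: State) -> bool:
        if card.ticket_id not in self.history or card.state != needed:
            return False  # unknown object or wrong state written on the stripe
        before, cycle = self._life_cycle(card.ticket_id)
        if self.strict:
            # Hardened: the stripe must equal the last record the back end wrote,
            # state and arrival GUID included, so a copy of an older image fails.
            return card == cycle[-1]
        if needed == State.USED:  # exit: object must currently be in use
            return cycle[-1].state == State.USED
        # Enter, rule as observed: the object must previously have been collected.
        # Flaw: a collected record anywhere in the current life cycle also counts,
        # so every copy of the issued image is valid once the original has exited.
        if any(r.state == State.COLLECTED for r in cycle):
            return True
        return len(cycle) == 1 and before[-1].state == State.COLLECTED

    def enter(self, card: Stripe, turnstile: str) -> Optional[Stripe]:
        """Entry gate: returns the rewritten stripe, or None if the gate stays shut."""
        if not self._accept(card, State.ISSUED):
            return None
        return self._write(card.ticket_id, State.USED, turnstile)

    def exit(self, card: Stripe, turnstile: str) -> Optional[Stripe]:
        """Exit gate: captures the ticket and records it as collected."""
        if not self._accept(card, State.USED):
            return None
        return self._write(card.ticket_id, State.COLLECTED, turnstile)


def concurrent_use(backend: BackEnd) -> dict[str, int]:
    """Monitoring control: objects entering more than once in one life cycle."""
    alerts = {}
    for ticket_id in backend.history:
        _, cycle = backend._life_cycle(ticket_id)
        entries = sum(r.state == State.USED for r in cycle)
        if entries > 1:
            alerts[ticket_id] = entries
    return alerts


def run_scenario(strict: bool) -> tuple[int, int, int]:
    """Original plus three bit-identical copies. Returns (copies accepted while the
    original is in use, copies accepted after the original was collected, alerts)."""
    backend = BackEnd(strict)
    original = backend.dispense("tkt-0001", "dispenser-A")
    copies = [original] * 3  # magstripe copies carry exactly the same image
    in_use = backend.enter(original, "gate-1")
    during = sum(backend.enter(c, "gate-2") is not None for c in copies)
    backend.exit(in_use, "gate-5")  # original runs all the way through
    after = sum(backend.enter(c, f"gate-{i}") is not None for i, c in enumerate(copies, 2))
    return during, after, concurrent_use(backend).get("tkt-0001", 0)


if __name__ == "__main__":
    print("rule as observed:", run_scenario(strict=False))  # (0, 3, 4)
    print("hardened:", run_scenario(strict=True))  # (0, 0, 0)
```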
And you just tell them what you want, anything at all, and they'll make it for you, right? I had many, many offers. All failed but one company. Most of them said you couldn't do it. Can't be done. Those that said you could, they'd send me a sample, it was too thick. Using vernier calipers, too thick. One finally said yes we can, and they actually did. Okay, all right. Took many months to find them, though. Many, many months, and lots of difficult conversations via email. There is our winning bid. See there? The two mag stripes, it is very thin. I was concerned about it jamming. I didn't need attention. You know, I was probably overdoing it with my precautions as far as running the ticket through, but as far, if it got jammed, yeah. There was no way I was gonna escape attention if that thing got jammed in there. So I was very concerned about that thickness. So we have that thickness there, and then the hole. This is what I used to punch the holes. I went on back, also construction refuse, construction waste. And I just grabbed what looked like a piece of a pallet, a chunk of a pallet, a rusty, yes, a very rusty pipe. I had to actually clean that sucker off. Inside, yeah, and I got these concrete nails. I was in Cambodia. I had no way. It was crazy. It took me a very long time to find those concrete nails because I traveled quite a bit, but I did find some concrete nails for that. And so I would just sit there in my room and just pound. You get another one and then pound. And yeah, go at it and just create a bunch of those things. So our plan. We're gonna buy a daily pass. We're gonna copy that daily pass to lots of other tickets, these counterfeit tickets. We're gonna use that original. You're gonna hand out those copies to your couple, your friends, have some fun. And you can do that every day, every single day. And you can use them all at the same time. It has no problem with it. But, I mean, yes, it's fun. It's a fun thing to do.
But it's something that could end up being much, much bigger. You've got a lot of people riding the BTS. So you could start with that one daily pass that you have. It's 140 baht, $3. Spend 50 cents to buy some blanks for your friends. So that's $3.50, lost to the company, $22.58. I think it does not include the original $3 purchase. They're not gonna notice, right? But let's say you wanna escalate a little bit there. So you spend your $3 to get your all-day pass, then maybe instead you get 1,000. It's $100, so it's $103 to do $4,516 worth of damage. If you use an all-day pass, and of course you wanna use an all-day pass, you get to keep those. They don't get captured by that turnstile, they come out. So every subsequent day, your ticket is costing you $3. So $3 to do $4,516 worth of damage. And you're gonna keep doing this. Let's say you're a devious guy, you're not doing this for a lot of fun. I think at 1,000, you're not doing this for fun anymore. You're doing this for a month, you know, $137,000. Six months, $824,000. One year, five years, $8,241,000 worth of damage. You could make something out of this. You could, you know, I don't know their budgets, but you could slowly bleed them to death, right? Missing funds, not having necessarily money to do the repairs they need to do, to do upgrades that they need to do. If you're talking about making that network unreliable, so undermining that transport system, right? That's 1,000; if you wanted to do a little bit more, if you wanted to spend more time, you could spend, you know, a nation state could certainly ramp it up a little bit more than that. And with 1,000 or 2,000 of these tickets, it could probably escape notice, right? I guess it really depends on how the eyeballs are on it, but it's not just something that's fun, it's something that could do a lot of damage to an organization over time, okay? So yeah, we can extend that attack, we can do more to them than just that one quick ride through the system.
So the implications for the BTS, millions of dollars in losses, obviously over time, more important to the Thais, loss of face, public embarrassment, it's much more important to them. So what was the response from the BTS? And maybe I'm asking for trouble, maybe I'll be stopped in immigration when I get back. We'll find out. You know, I was not in the right social circles, I didn't have the status necessary, unfortunately, to be acknowledged. I'm not passing judgment, that's just the rules of the game, right? So they didn't recognize me, they didn't return emails, phone calls, I tried multiple times, different people, different parts of the organization. So some lessons for us, obviously, and lessons for them. There is no hardware-only solution. I don't think there has been for a very long time. The most common way of realizing that is you talk about the firmware attacks, right? Lots of firmware attacks, there's software in there. Solutions are complex, and there's software in there, and logic flaws as well, right? Also trusting assumptions can be dangerous, I think that's something you could stick at the end of every single talk here, not to trust your assumptions. Don't be afraid of where the research might lead you. You know, measure your risk wisely before proceeding. I was thinking over and over again, what could go wrong? And of course, I was including the people, in focus primarily the people. I wasn't worried about necessarily breaking anything, I was worried about their reaction. It's a junta, they have guns, right? The BTS, this is probably a harder thing to learn, right? Don't let social conventions blind you. I think this is all about learning to break free of that. Not everyone thinks like you, right? There are gweilo running around, there are farang, there are various different types of people that think differently than you. Some are here to help, like me. Others are not.
Others might be looking to do you some harm, so it's important that you talk to them, even if it's just an assistant, right? If you're worried about wasting a lot of time, don't. You ask them to show you something, right? If you do that, you're not gonna be spending a lot of time with people, right? And the time you do spend will be well worth it. And of course, the ever popular, cover it up later. Once again, not passing judgment. There are different ways to handle situations. I would not choose to handle it that way. I suspect they would, but they can. And they can always, they could have talked to me, you know, said, hey, don't talk about this. Okay, I won't. You can always cover it up later, seriously. I say it with all sincerity. So avoiding their fate, you wanna test all layers, all layers of a solution, testing for application issues, for system responses, and of course, checking your assumptions. And that is what the yearly pen test is for. Many companies are either not doing a pen test, or it's just a check box, and they aren't really concerned about who's doing it or why. They just want a good score, right? They need to pay more attention to these things. They need to actually have these pen tests. They need to make sure it's done by someone who knows what they're doing. Because I tell you, if they were doing some of these things, this wouldn't happen. Doing things like compensating and mitigating controls. Monitoring the use of that system. I was doing this over two years, man, two years. So I'd do this part-time. I'd be in Bangkok and I would just run down to the BTS station, right? So two years, and they didn't, apparently they didn't notice anything because nothing was fixed. And I was never, of course, grabbed by anybody. So what are they doing now? They're on a second generation. Everything's NFC now. I presume the issues are still there. A little harder to get to. But I suspect not impossible.
You know, what we are seeing are attacks against NFC. There's also other types of attacks you can do and move laterally to get that key in order to crack the NFC card and get access to that key to basically do the same attack again, because you can read the ticket, you can make another one of your own and you can do the same attack. And of course, there are still no channels for sharing. I did check the website. There's no contact us for this. There's no contact us for that. Knowing the wrong people, I suppose. And they definitely ignore me. Still ignore me. So final thoughts. Transit systems are fun. But they can also get you into trouble. I believe that first talk, Anatomy of a Subway Hack. They were prepared to give that talk. But I think they were threatened with legal action. So they didn't end up giving the talk. The slides got out. That's why I know, we know about the details. But yeah, they could not do that talk. So they do can, these kinds of talks can get you into trouble. But you don't know until you try. Gotta give it a try. Reverse engineering is key. I think that's what exploitation is really about, doing some reverse engineering, understanding how the system, how its software works, so that you can exploit it, of course. And then you gotta have some balls. You have to go out there. You have to know that something may happen. That's fine. Just be prepared. Don't believe a lot of the assurances. They're always giving you assurances about how safe a system is. Look and see for yourself. And I hate to say this as a network guy. I never did want to do AppSec. I just got forced to do AppSec. But yeah, AppSec was the win here. Understanding that system. Nothing too complicated. Some links. You wanna learn more about those other talks. Different companies involved, equipment. Follow in the footsteps there. The people who made that card for me. And of course, the BTS. That's it. Thanks everybody.