This talk is "Not So Limited Warranty: Targeted Attacks on Warranties for Fun and Profit." This talk is for people who like unconventional forms of social engineering, who want to learn more about serial numbers and how they're used to protect products, and people who enjoy finding holes, of course. This isn't for anyone who works for or with Amazon, Apple, Lenovo, or Procter & Gamble.

Who am I? I'm a student. I'll be a senior in fall. So shortly, I'm a warranty enthusiast. Everyone loves reading those six-page paragraphs when you get your new device. I do a little programming on the side. There's my email if you ever want to email me.

All right, a serial number. What is a serial number? A serial number is used to identify a product. If you have the serial number, you're basically considered the owner of the product. There are different types of serial numbers. For example, there's the identifying, which will contain 2012. It was made in 2012. Or there's the random, which is, I don't know who came up with the idea of using just random numbers, but those are out there. And then there's sequential. Sequentials are used in food, so you can track production and such, and that's one, two, three, but you know what sequential is.

They're usually located on the product, like in a physically accessible area, in case it malfunctions. If you have a computer or something and it stops turning on, you really don't want the serial only accessible via the internal means. Though sometimes this is available via software, like on iPhones or some Apple products.

Why are serial numbers important? Proof of ownership. I can now cancel your warranty by saying I do not agree to those terms and conditions that are in that wonderful six-page paragraph. Then there's the Die Hard movie plot where the evil hackers are working on invalidating everyone's warranty to collapse the economy. You can do information disclosure. You can disclose quite a bit of information with just an Apple cell phone serial.
I got some C# code for that that I can show you guys in a couple. You can report it stolen. That's always great fun.

The C# code here. Basically this code generates an iPhone serial and then automatically plugs it into this wonderful hole that Apple left on their website. They return all kinds of fun data like ICCID, IMEI, personalization, date of purchase, carrier, when it is covered by warranty, all kinds of fun juicy information that you can use.

How can people get serial numbers? The Internet, Google Images: you run a search for an X item and wherever the serial number is located and I guarantee you're going to find at least 10. Calling people on Craigslist or eBay: you ask them if it's stolen, so you ask for the serial number. Now you've got a serial number. Stores: you go into the store, you flip your laptop upside down and you've got the serial number. Guessing: sequential serials are terrible. If I could find one, I found all of them. Or owning the product is the case with some people.

Personal touches are everything when you're dealing with customer support. Personally, the technology-impaired user works quite well with tech support because they're underpaid and under-trained and frankly they just want to go home at the end of the day, but if someone who can't figure out how to reboot the phone is busy keeping them at the office, they're pretty much going to scoot you along. Angry guy, pretty self-explanatory, and the business owner who needs this back online right now for the reports.

In the next couple of slides, I've ranked a couple of companies on security, protection as how they secure it and how these countermeasures are not easily broken, and how obnoxious it is if someone is actually returning a device to get it repaired or replaced or something. Starting, we got Pringles.
Pringles wasn't really designed to protect against targeted attacks like this because no one really wants to go out there and get Pringles, so they have a batch code which is sequential, and that makes perfect sense if you're going to have a food recall or otherwise something in manufacturing goes wrong. This is low protection for the product and it's not very obnoxious, not intrusive at all, easily bypassed.

Lenovo. Lenovo will use a serial number, but luckily they were nice enough to give us unlimited attempts on an online validator, as well as, if that wasn't enough, you've got a bulk checker so you can upload a CSV file with as many as you want and just check that, and I've got some... This file will permutate through it. If you have a base string which is half of a serial, it'll permutate through and give you every combination of that serial, and then you can go forth and upload the CSV file to the link included in the code. This code should be on your disks. You can upload it to there and then you can get the country, the warranty information, the model, the make, the year, any information you want about this product, so that's kind of a big hole. Regional locks: they lock it down based on country, which only really works if you don't have an online validator that tells you the country of the serial every time you check it. So this is OK protection. It'll keep some people out. It's not really that obnoxious.

Moving on, Amazon. They use a serial number which is non-sequential and actually follows a preset set of rules, but once again they give us unlimited attempts to register it on our Amazon account, so we could, I don't know, automate this system and start registering as many false serials as we wanted. Oh, and every time you get a serial right, it gives you a free month of Amazon Prime in case you need like a bonus or something. When it comes time to actually send the product back, they, you know, put a hold on your credit card. You know, a whopping $2.
So if you, you know, have a Visa gift card you can easily circumvent this. You know, this is really over-the-top protection that doesn't work and it's kind of obnoxious too.

Apple uses serial numbers that are once again non-sequential. They're easy to generate. I included the generation of them in the C# code, the same that queries the website. They ask for an ICCID or an IMEI upon replacement. Once again, an attacker can circumvent this by querying the script that they so generously provided on their server. The one part where they'll actually keep most people down is a credit card on hold. They charge the full amount of the product to your credit card. So this kind of makes them very well protected, but in turn it makes them quite, quite obnoxious because not everyone's got the full hold.

Protecting companies. No one limited invalid serial. No one is going to misread their serial and their Kindle serial to activate 200 times in a day. A CAPTCHA could save so many of these. Register the serial to a single account and a single account only. Amazon has the right idea here by linking it to your Amazon.com account, but they still let you have unlimited attempts. No serials on demo models. If you're going to put a demo of your product in a store, you really, really shouldn't have a serial number. Scratch it off or otherwise remove it. And no automated checking systems, because that's a bad idea.

Credits to my friend Jared and Nico. They're the images. I went really fast. Are there any questions?

Yeah, you in the back. Map this? Combat this? Well, I mean just advising most companies to avoid these serial numbers on demo models and no automated systems. That would be a great way. I mean, Lenovo alone with the bulk checker is quite a problem.

Anyone else? All right then.
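
The countermeasures listed near the end of the talk (limit invalid attempts, bind a serial to a single account, give the caller no product data back) can be combined in one registration check. The following Python is an added example, not code from the speaker's slides or disk; the class name, the five-failure threshold, the one-day window and the serial strings are assumptions constructed for illustration.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5             # assumed threshold, tune per product
WINDOW_SECONDS = 24 * 3600   # failures are counted over one day


class SerialRegistry:
    """Registers serials to accounts without acting as a validity oracle."""

    def __init__(self, issued_serials, clock=time.time):
        self._issued = set(issued_serials)
        self._owner = {}                       # serial -> account
        self._failures = defaultdict(deque)    # account -> failure timestamps
        self._clock = clock

    def _locked(self, account):
        now = self._clock()
        recent = self._failures[account]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                   # forget failures outside the window
        return len(recent) >= MAX_FAILURES

    def register(self, account, serial):
        if self._locked(account):
            return "locked"                    # checked before looking at the serial
        owner = self._owner.get(serial)
        if serial in self._issued and owner in (None, account):
            self._owner[serial] = account      # one serial, one account
            return "ok"
        # An unknown serial and a serial bound to another account look the same
        # to the caller, and no response carries model, country or warranty data.
        self._failures[account].append(self._clock())
        return "rejected"


def demo():
    now = [0.0]                                # constructed clock for the example
    reg = SerialRegistry({"SN-CONSTRUCTED-1", "SN-CONSTRUCTED-2"},
                         clock=lambda: now[0])
    results = [reg.register("alice", "SN-CONSTRUCTED-1")]
    results.append(reg.register("bob", "SN-CONSTRUCTED-1"))   # already bound
    results += [reg.register("bob", f"GUESS-{i}") for i in range(4)]
    results.append(reg.register("bob", "SN-CONSTRUCTED-2"))   # valid, but locked out
    now[0] += WINDOW_SECONDS + 1
    results.append(reg.register("bob", "SN-CONSTRUCTED-2"))   # window has expired
    return results
```

The lockout is keyed on the account here; a deployment would normally also count failures per source address or device so that creating fresh accounts does not reset the limit.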