 you're at hotacking health hotel keys and point of sale systems you guys see the slides all good and everybody hear me good perfect perfect so uh Western Hacker I'm gonna be hacking hotel keys and point of sale systems I had backup videos just in case if anything went south so yeah funny story us starting out a little bit after I go through a little bit about myself I do a lot of talks uh did Hope this year did uh Black Hat uh this is my third year DEF CON it's a privilege to speak here so yeah basically do pen testing for living I do a lot of research on the side I'm a ATM enthusiast and like some of the other stuff I just like playing around with the technology so I got a couple side projects um I was working on some car hacking uh point of sale system hacking hotel key hacking and uh just exploits and uh property management software so but uh funny story uh so when you do a uh hotel hacking talk at a hotel it usually involves the staff uh pulling you your PR person and your boss aside and taking you into the bowels of the hotel and I've seen Casino one too many times because I was a little nervous and uh you know so but it was something where it ended really good they just wanted to know if they were uh vulnerable to this attack and it is not uh they tokenize their stuff they did it set up properly they follow the best practices so you guys this hotel room keys are safe uh and all the Caesar's properties so I just wanted to throw that in there so haha so I'm gonna explain uh the actual max uh mag spoofer which is a semi camcars device uh this one's a modified version of the mag spoofer uh this one is not the one that is set up for brute forcing uh but I do have the demo of the actual brute forcing going on and then we're gonna actually uh infect this point of sale system with malware using a human interface device injection so and uh yeah I'm gonna explain a little bit about the point of sale systems and the actual uh process of how the keys are actually made on some of them that rely on night audit and batch services uh they have to do some very insecure things to make sure that their database is post and they get charged so uh I'm gonna do uh privileged uh show you how the privileged attacks work uh fireman keys uh service keys things like that so and it's uh yeah haha some of it's uh I thought it was a pretty duty heavy encryption of some kind in uh some most of it's just uh encoded so they uh definitely skipped some steps and the point of sale talk it's gonna uh go from how I led from doing hotel research into actually attacking point of sale systems because like the uh I don't know anybody else when they saw Sammy's video like they thought of every single thing that has a uh mag strip reader on it as now an attack surface and I just want to give him a shout out because that was uh an amazing research and he uh saved me many many hours of reading manuals so and yeah I'm gonna basically go through how it uses the mag strip readers uh whether where the fail was in that and uh I'm gonna actually go with triggering events on the readers and see what it's listening for cause some of the newer uh point of sale systems like they will only power up the reader when X happens and uh I actually have a tap that you can attach to uh uh bypass some of that stuff so and I'm gonna go through some of the management uh cards uh root forcing management cards you can actually you know do refunds stuff like that so you can actually refund to other credit cards uh using one of the other attacks so or yeah I was it was one of that I was conceptually doing and it was uh it would have been a pretty decent attack cause I never knew that you could actually refund to a credit card that wasn't originally charged on and that's something I came across while doing some uh other research I was doing this here so and yeah so I'm gonna do a cash tend check tend attack so that basically uh when you inject the F8 key it literally just pops the register open and I'm gonna go over that in a little bit here so because everybody pays a check still right so yeah and uh attacking OS injection uh I'm gonna do a pop a command shell and then I'm also gonna demo a drive by attack as long as the 4G holds up so I might have to get Steve Jobs on you guys have you turn your phones off but no he should be good so I did a 4G working earlier so and uh some of the uh actual restaurant attacks and other mag research like some of the rewards programs uh I wrote a one version of it where it cycles through 10 cards so same as some of those places where you can collect points they're on to employees you know just giving the points to themselves so it actually cycles through like 10 accounts and I'll go through that in a little bit here so I'm gonna go through uh who in the room knows what a mag spoofer is who's built one they're fun they're they're very fun things to build and uh yeah so basically uh you guys can see there that's what actually happens if you put iron oxide on uh credit card it's gonna actually mag it has a little magnetic uh field to it so that's when the actual card is swiped through it's actually generating a magnetic field and speaking binary data so one zero is things like that so basically what Sammy Camcar did was he actually you know built a version I think the uh patenting all goes back to like 2008 with the loop pay which is a system that was bought by Samsung and so basically you just need all you need to know is that there's a EM field being generated that is the same uh pretty much the same uh some of the timing is different uh but as far as that goes when you swipe the card it's basically doing the exact same thing so it's able to speak to magnetic head raiders uh using a small little uh mag spoofer so and uh how is the yeah it's scared of mag strip transmission so it's like I said it's uh something that's been around since 2008 so back in 2002 and 1997 you know people didn't think that this kind of thing was possible so that's uh why a lot of these vulnerabilities um there's no reason that this keyboard should have a 102 key functionality that you can actually inject through the actual magnetic head raider so and yeah it's not it's not RFID um a lot of people ask me that like you know the hotel attacks like is it on the RFID um actual keys and no it's not it's actually uh basically turning a magnetic card into a wireless card so and yeah how do you handle the overheating so basically uh the first thing I did after uh got my first mag spoofer built it ordered all the parts from china waited like a week and a half and the first thing I did was burned it out because I tried uh injecting multiple cards I pushed like five or six cards and uh I did my first modification just to increase how many cards I could store in it and then I started actually you know seeing how many I could do and after about 18 cards uh it burned out so so I waited about another week for all the parts to come from china and yeah I basically made uh six six mag spoofers and one uh with a little bit of a controlled arduino and then it has a 3800 milliamp battery instead of 100 milliamp so I think it's heavy duty I call it big bertha because it is just it's like huge coil on an arduino so and I'm going to go into a little bit of what property management software is uh it's uh uh when I refer to it from PMS from now on it is not what everyone would think it was so it is property management software and that is something where uh it is actually where your folio data is everybody's you know seen the checkout where it says folio that's basically where the hotel keeps all your records uh it's how it actually you know what's to charge when they actually do the night audit process so when they do run the night audit it's gonna charge under your bank account nowadays like uh when they're properly proceduralized it's something where uh there's lots of security mechanisms that people can actually put into place so I'm gonna go into a little bit of explanation of what the actual uh proprietary card readers and the security behind the hotel uh so basically uh there is your folio number uh actually the one that I found the weakness in was um after I uh unencoded the actual cards I read it and I raw using an MSR 605 which is a magster breeder basically read the raw data unencoded it and it was literally the same as my folio number and my room number and the checkout date so if you make an assumption that somebody's gonna check out in the next week uh your space just went down a little bit and if your hotel uses a very uh not very old process actually um they actually weaned away from it in 2007 2006 so if they do incremental folios and you're in a 50 person hotel it's not very big space you have 918 options in a 50 key or a 50 person hotel so it's something where yeah that's not many options to try especially with a modified mag spoofer you can actually inject uh 45 cards uh per minute so that goes through that space pretty quick so and yeah uh collecting the information as you can see the also instead of injecting full credit card numbers you're actually injecting uh just some of the track most of them is the track 3 data a lot of the track 2 data so credit cards are broken down into track 1, 2 and 3 uh track 3 is the one that hotel chains use mostly so and if you've ever noticed you can put your card in upside down that's because that half of the actual magnetic stripping is only used so they only use a portion of track 3 and as you can see I put iron oxide on this one also and it just shows that it is actually not yeah it's not using the full card because I covered the whole thing then wiped it down and yeah so and that's one of the things too I travel a lot when I go pen testing so I have like an entire suitcase not an entire suitcase full of it but it's uh got about 3 layers of uh actual hotel room keys and I was always wondering what was on them so I just got bored one day and started pulling information off of them and yeah and there were several several of them um that actually were you know uh pretty easy to actually break the encoding on them because they were using uh non uh I was like I think base 64 but a little bit less cause it was very very simple uh I wrote a actual script and then uh most of that script actually worked for like 3 or 4 different kinds of keys so I'm guessing that they're using the same PMS software so and yeah so how do you uh how would the bad guys go about uh interacting with uh say for example if you were going to brute force that 918 space say uh Weston wanted to get into heckers room it's you know now I know the folio number I assume he's checking out in the next week I can actually go to an elevator or the pool area and it'll actually tell me once I get that uh when I get valid card numbers so you don't have to actually be sitting in front of the person's door which is kind of you know that would rise a lot of suspicion you know especially if you had to sit in front of his door for 18 minutes or something like that so the actual yeah that gets kind of creepy the guy in the hallway for 18 minutes so that's something where yeah uh I was like one of the concepts and with that was with permission on this property it was uh actually testing it out by the pool area and the actual uh hotel because uh I also found out how the floor restrictions in elevators work this way so so it's kind of cool like if uh somebody wants to go up to the 26th floor you can literally just change the room number it doesn't actually validate the folio on that so and do and as far as getting maid service keys um on that property that was on I literally attached my device to the back of the door and I did that from the privacy of my own room and when people walked by it was uh you know just randomly beeping here and there but uh it was something where it took about 33 minutes to actually get a you know the domain admin of the hotel pretty much it was one of the maiden keys and you can literally want like it is crazy the amount of uh access especially with some of the service keys and uh I feel dumb for root forcing it because it was uh pretty much all zeros for the maids keys and I'm sure you know some of the guys out there like that have been right away it's like let's start at zero instead of you know the folio numbers so it's something that once I understood that I tried all nines and that was the service keys and yeah so then uh some of the actual issuing um they issue a monthly so the folio uh once I found out that that was the way that they were issued it was something where I was actually you know pretty much able to do that so and yeah and a lot of the elevator and firemen keys like there's some states that are looking at actually uh luckily they're hid behind metal so there's no way people could interact with them you know so that's what I'm saying like uh that heavy duty mag spoofer it can go a pretty good distance so that's even if they're blocked off uh for law enforcement or firemen usage uh it can actually reach some of those so yeah so the I'm gonna go through some of the raw dumps uh some of the track uh the other facilities they actually use like say for example if you go to uh theme theme park they'll have on track 1 and track 2 they'll have other information um uh track 2 on some of the properties uh keys that I was looking at they actually uh basically had my name and I was like uh how am I gonna brute force you know names and stuff and luckily it wasn't validating it so and that's one of the things too is like I always wondered about that like how often you know because that's one of the things like uh people always heard news stories about personal information there's no personal information on any of the keys that I came across um the ones that could could decode at least uh with the exception of like a name um and yeah that's to me that's not that identifiable I guess so and uh there are limitations to characters that can be entered um due to the limit limitations of encoding of the keys only uh once you introduce the mag spoofer you can actually start injecting some illegal characters which I actually found out when uh I was running pretty hot like uh because I was actually uh measuring like uh how hot it could get before it actually started uh garbling the messages and stuff like that and actually uh some of the bit error percentages like if they would go through the roof if it started overheating and uh you know to actually figure out what was safe to run the device at and uh yeah there were some characters uh I'm guessing some bits flipped and that's what led me to believe that you know some of the research which I actually will be demoing at the end here too and with some readers they also yeah they automatically inject a return character after the card is wiped so after a certain amount of digits are entered um there is a way to actually uh stop that automatic return character so and I will go uh that's what the modified version of the mag spoofer only cause uh after it does like 46 digits it'll do an automatic return character so and yeah other than that um you just need to know literally the your own folio number if you wanna uh when I was actually going to like actually uh breaking the encoding it was something where I actually you know just had to get my own key issued and stuff like that twice and um yeah that gives you a sample to go off of and you could pretty much uh other keys that are collected you know there's lots of them where they have the return things I didn't get those ones but I pretty much just got my own uh keys so it's a breaking the complex encryption yeah that was pretty simple you know I've had to rent an amazon server for you know I literally just booted up my computer uh wrote a script uh yeah this one was actually this version of it was actually just base 64 encoded so that was kind of uh kind of irritating I thought it was gonna be a lot more harder on this one but and some of the uh kiosks I started playing around with some of that stuff and anytime you guys go to security conference that's always the you know first thing they shut off for a good reason for this kind of stuff so because uh this is a really good way to like issue your cards and uh if you're the bad guy obviously uh it's something where they will you know you're able to get like seven cards without being suspicious so because yeah unless yeah so so what led to the research after the hotel keys um that pretty much was my next step I was thinking everything with a um pretty much a Magrater on it is now a target so and I actually noticed that once I started buying some of these devices that they were generic hid uh hid and I done a lot of uh hid attacks uh human interface device attacks which are basically keyboards um with uh tin seas and payloads in the past so it's something where now that I was uh looking at the attack service of point of sale systems it was yeah naturally the next step so so how does it use a Magrater? This one up here is a 102 key keyboard uh generic uh human interface device and so basically anything you can type you can now inject through the uh magnetic uh head or card reader so and uh that's one of the things too it's like oh why not just hit the keys uh yeah there's some of these things that uh literally like you know it's this long of uh text string like say for example I'm gonna be demoing a drive by attack because uh yeah point of sale systems are a little out of date sometimes so and I'm gonna actually go through um yeah some of these methods here in a second and triggering events like that's one of the things too like some of the newer ones they have actual uh uh you can test if they're being USB fed so that's something once they're powered on you can still do some of it but they have to wait for a trigger event or for the remote cable to be toggled so uh yeah so basically you can figure out when they're listening and it's not something where you have to uh you know tap into it you can literally just look and see if the green lights on so that's like one of the indicators of it and uh I would definitely if you guys want to start playing with some of this stuff get the MSR uh the little Magstarp Rader 103s I think are like 15 bucks so they're really really fun and you can basically dump anything you want to into a notepad and uh yeah so management keys that was one of the biggest things too uh where I was looking for a really hard challenge and the actual first point of sale system I bought which uh was pulled out of a taco restaurant and it when it was disbanded and it was auctioned and uh yeah it came with a management key and that management key worked on the other two point of sale systems that I bought from separate lots so I was like ah there's nothing you know nothing deep you know crazy no techno no chain smoking it literally was just uh pretty much the same admin account used across several point of sale systems so now uh I'm guessing uh cause I hope now you can't turn this off when you go out in the wild it's something where uh I started noticing every single point of sale system and I'm like I wonder if you know that key would work on that key would work on that and I actually uh one of my buddies owns a restaurant that happened to have one of those and you know you can literally inject the uh actual management key into it so that's something that is pretty crazy and like you can mess with inventory you can throw off inventory you could yeah some of them need uh management overrides you know for some of the electronic checkouts and stuff like that so that's some scary stuff and here's pretty much uh which you guys probably can't read but uh yeah you get everybody knows how uh for the most part how keyboards work and I think we deal with them on a daily basis so we pretty much know all the character sets so quite literally anything that you can type on that keyboard that I showed earlier you can pretty much inject uh like I said sometimes you have to uh strip some of the uh uh auto return characters the enter characters so and yeah one of the first attacks I did uh was I saw the cash 10 button or check 10 button and that was uh injecting I was like okay I wonder how hard this could be so you know I started uh playing around with it and I was getting into the F F key functionalities and I was rolling through and testing it and this basically is like a way to like uh like for a bad guy to actually just walk in and literally rob a store they could literally just put this device on there and that's what kind of made it scary like it's you know now people can rob stores that way so with the F8 key it's uh pretty bad and uh yeah behind every strong man is a strong woman as you can see I'm wearing my wife t-shirt so and behind every uh point of sale system there's an outdated operating system so and uh not every point of sale system I can't speak for them all but uh every single one that I bought or I could afford and that's kind of the way it goes um so basically what you're going to do is you want to exit out of the point of sale system and uh yeah the next step will be popping a command shell and uh injecting the payload and what kind of payloads would one want to run on the point of sale system uh I did a talk last year so I had uh a couple mal- uh memory scripting malware laying around and I was like hey I will see if I can uh load these on a page so it's gonna do one distribution and I uh tested it this morning so it's actually gonna do a drive by attack on uh actual web server that I have uh loaded so and this is uh it's a neutered version of it uh just talks to itself so it's not gonna actually be doing anything illegal and it's just gonna literally visit the web page and uh it has a vulnerable version of uh some software running on it and then also you can literally uh through the command shell because most of them run uh uh deprecated operating systems some of them still functionalities that where you could literally just put URLs and uh download from pretty much any source you wanted so yeah like I was saying uh this is the payload that the bad guys would use um like the actual memory scripting malware so uh in the past you know people had to do these ridiculous supply chain attacks or they had to you know breach a vendor account and now it's literally uh you know the bad guys it'd be as easy as walking up to one of those point of sale systems and actually infecting it so and yeah and some of them are dev environments so like they're uh custom they have um yeah but they pretty much have their proprietary key functions they don't have a classic layout but they still have magnetic card readers in them and uh actually uh you know is expecting to have to you know map these keys out and do all this crazy stuff but uh they actually uh if they have the generic driver loaded they will accept the same key commands even if they don't have the keys on the keyboard so that was like another huge fail so but yeah as far as limitations of mag injection uh making a physical card attack limitation uh could you make the waiter do the dirty work could you like give him your credit card to pay and actually have him walk up and do some of that that's something that was kind of my you know next step after all this was kind of finished up and uh yeah that's um some like I was saying there's some illegal characters that you can't actually encode onto it so it wouldn't work as good but I think that um it's something that some people have explored in the past and it's uh definitely something that will be once I have some free time now that you know all the talk and conference seasons are done with I'll do some more checking into stuff soon but yeah that was kind of the one thing too it's like you know how much of a payload could you actually put on a credit card so untrack 3 and uh yeah these devices are everywhere this is literally me flying to Huntsville uh when I was speaking at uh TakedownCon and yeah these mags to breeders are everywhere like quite literally everywhere and uh one of these uh one of the other things that I started looking at I was like okay uh aside from being able to you know just pop the register installing malware that's not bad enough I guess yeah actually attacking player rewards uh systems like say for example the who's ever played slot machines and like you just kind of were bored and just wanted to go back to your hotel room so you're gonna go play the twenty dollar slots or the you know fifty dollar slot and just get it done with that's one of the things like uh every time I went to those higher end uh slot machines people would always leave a card in there and I thought it was by accident at first like I'm like hey this person probably left their card there and I try to turn it in and they're like no the people do that because they try to squat points because uh some guy who is just literally you know waiting for a plane or something is gonna you know play twenty five hundred dollars with the slots and they get to collect the player's rewards points so they kind of squat some of those accounts and uh that was like one of the attack methods that I was thinking of it's like now that you can inject magnetic data uh it's like you can you can squat on one of these devices and it's another one is like I was saying uh uh I think I was in high school I worked at uh uh actual company that uh they had like a player's reward program and they they told me they were like yeah you can't use your own card people have been fired in the past for that so it's something where they're onto it and uh they'll actually have flags go off if more the the same cards used more than once in you know X amount of time uh but some of the actual uh like grocery store chains or there's uh certain electronics companies where you know every five hundred dollars you spend you get five bucks or a hundred bucks so this is one of those other methods like uh some of the rewards programs that actually is susceptible to this kind of attack so and like I was saying that one of the refunds like we can actually refund onto a prepaid card that should not be possible to happen especially you know if it wasn't our original transaction so and sometimes it has to post overnight but that was like one of my additional attack vectors that didn't have time to we know all the kinks on it but it's it's something that uh seemed feasible so and yeah and injecting into actual uh like I was saying when you can actually tap into the remote signal uh as long as you hit the right wire uh you basically could overfill like prepaid cards like that stuff like that so so if a bad guy wanted to get an unlimited phone calling card he could be injecting his own card and having time added to it so and uh not only that but some of the you know gift store cards stuff like that so and uh some of them do lock once they have the original amount loaded on them so they're not reusable but the reusable prepaid cards that say reusable prepaid cards on them you know those are the ones that obviously they would attack after so and yeah like I was saying um these actually triggered events attacks uh so you have to sniff out the actual uh powered up readers like some a lot of the modern ones they don't actually they send a remote signal that here there's a transaction going on or hey we're going to do some kind of interaction and I don't know if that's because of this kind of attack or if it's just because uh you know they kind of uh looked into the future of what people might actually be doing at these and it's not a good idea to have something uh not only powered on some of these things are low energy so yeah it's something where you can actually uh for some of the rewards programs also you have to hit the enter key to accept that it's your account so yeah that's one of the things too I was wondering if you know if it'd be possible to actually inject that so and it uh on the actual point of sale system that I tried on that it worked perfectly because that's one of the biggest things is uh there were customers always stealing people's uh you know points uh say somebody didn't have a rewards card they were actually letting them inject it so yeah and uh who's ever used a clock in system yeah who you can never be late to work again now so yeah that's one of the uh uh as far as the hardware goes I bought like a hotel key for the back door I bought a couple keyboards I bought a couple point of sale systems um and I bought a clock in system and uh a lot of people are going to the fingerprints or some of the actual newer method ones so but yeah this is one of my last attack surfaces that I actually looked at so and yeah I'm gonna go over the uh video of the brute forcing uh it was done uh there's a couple times when windows uh stuff popped up while I was actually doing the demo like when I did the video so uh there was actually windows 10 upgrades because it was like a fresh install so I was uh I lost my original driver disc for my uh MSR 605 and I had to download it from an untrusted web page so if you guys wonder what the dialogue box is popping up all the time I'm so and I'm also going to go into the uh installing actual credit card skimming malware off of a web server as long as the internet is still working so and if not uh you'll still be able to see that there are injections so and I'm gonna go set up the demo and while I'm setting up the demo I'm actually gonna if people want to step up start setting up to the mics too uh you can ask questions while I'm doing the demos so yeah thanks for coming and stay legal and I'm uh gonna go into the demonstration portion right now so have you mess with any of this on uh airplane mag readers on the back of seats did you uh mention uh if I messed up with them on airplanes on the back of seats you know how they have the mag readers so yeah I've uh I've learned from other people that have messed around on planes that it's uh it's not usually uh one of the things you guys want to do like uh some of that I saw that mag interpreter and I even felt bad like taking a picture you know of an MSR that was on the keyboard thing so yeah I haven't tampered with planes in here and I hope everybody knows that cause yeah that was like one of the uh I see I've saw I've seen those and I thought the exact cause you can't once you start doing this kind of stuff you can't like turn that stuff off so yeah. How about the uh like the new like square and uh PayPal and all this. Oh yeah yeah the uh some of that I had some of the original and right now it's actually and I'll come back to your question uh some of the square readers and some of the remote ones yeah a lot of the and that's not a vulnerability in them it's anything that uses a mag strip but yeah quite literally everything that is affordable that is a mag strip and I've bought and injected stuff into so so yeah yeah it's pretty pretty crazy and that's I'm saying like if you're making your own payment you could be you know presenting a different card I see where you're thinking that's some clever thinking so but uh basically right now it's actually injecting the the folio numbers and I'll roll the video back here a little bit and there's the first Windows 10 upgrade sorry about that and if you guys want this video is online on uh YouTube already so and so basically I'm gonna read the raw data because it has like I said it has uh custom encoding so you have to have a specific reader to actually do the and uh you're gonna be reading the you have to switch it to high-code and then read raw so yeah there's the first transaction and then it's actually you can if you can't see on the actual video it'll show because my phone wouldn't focus but it's actually uh some of the numbers are changing because it's rolling through the actual folio revisions they have the same checkout date so it's like the end of the conference is happening or something so everybody I knew that they were checking out at that date and uh it literally took about like six minutes but if you guys want to see how the actual devices over my MSR605 it was actually injecting folio data then uh I think the end of this I'm gonna let roll again here for you guys and then after this I actually used a Chinese made mp3 player to inject a credit card number which is kinda cool and it burns the mp3 player out so don't try it at home so yeah what's your question? Um did you ever uh try using the mag spoofer as a jammer to perhaps like jam a transaction that's in place and then play after it's done anything like that? Yeah that was actually uh sorry when people ask me like how do you protect against this kind of stuff and that that's kind of the exact same thing is you can put one of the mag spoofers injecting random data on the back of your door it'll actually deauthenticate anybody from uh from actually using it so like it would be a really good defense mechanism and you could have like a two form authentication habit when your bluetooth phone comes in it'll actually shut off the jammer so you can add two form authentication and it might actually drain the batteries so you'll get locked out of your room if they don't have it hardwired though so so you might actually de-dost yourself out of your own room but yeah what's your question? Uh so how might someone defend from one of these attacks? Oh like I was saying the uh um updating to the latest versions of the mag strip raiders and the actual uh point of sale systems uh that would be my recommendations uh where they send remote coding because a shut off mag strip raider is the one that is not responsive to this kind of attack so that would be my biggest recommendation is uh get update to something that's USB 3.0 and uh push the latest versions of the actual point of sale systems so yeah and yes what's your question? So I've seen I've seen something that says you can go around the chip and pin cards by reactivating the mag strip uh how does that work uh? Yeah uh same account card did a really good job of explaining how mag spoofer can actually modify some of the flag details on the actual uh magnetic card raiders uh he didn't release it in his code because he's the same way I am I don't want people to use these for illegal purposes but you can actually uh tell you can basically send the command that hey the pins damaged on this let me just use my mag card uh some of the mag spoofers they're modified like this one has uh two payloads on it and uh I have like I said I had the six mag spoofers in one was my actual uh big bertha which is like a huge magnetic coil and I uh let press take a bunch of pictures of it but that's like my brute forcing one and that thing took me like six hours to build so I didn't want it to break but yeah this one's basically a modified version of the mag spoofer here and I'm gonna actually how much time do we got for demo? We're doing really good okay if you want to ask some more questions too. Did you write any fuzzers for any of the embedded systems hooked up to these mag swipe readers and did you find any memory corruption issues? Haha yeah that was actually my next uh I was kind of thinking something along the same lines but I uh literally ran out of time because I got kind of obsessed with my ATM attacks that I was doing and some of the uh actual relaying portions and stuff so I'm gonna actually I'm gonna get the actual mag strip demo kicked off if anybody has any questions at all uh feel free to come up to the podium so so can everybody see the point of sale system too on the screens? Awesome here we go I'm gonna check to see if I have internet connectivity here here we go one second and it is not visiting the right page so I have to uh I'm gonna try the second payload I'm gonna try to pop the command right now so if anybody has any questions I can answer these while I'm doing this so. Hey Weston. Yeah. Obviously Sammy's done a lot of research in this area also have you have you done anything with with uh BLE using like the coin to rewrite or done any track uh research on how coin rewrites the data or the plastic? Uh no no I haven't actually using it that as an attack attack method. Oh no no I have I was looking into some of the other research that Sammy had done and then like I said I did shift uh what halfway through this because this was done like very very early in the year. Right. And yeah that was something that uh I thought some of the stuff that Sammy was doing is amazing and I was wanting to read some more of his research so. Okay. But yeah I didn't look into some of that but I did uh get some of the NFC working but I burned my original uh HTC phones uh near field communication out trying to do stuff at that. For the radios out? Yeah what's up? You burned the radios out on it? Yeah burned the radios out on it so. So that was like the end of it because I like just broke a six hundred dollar phone so uh that ended my curiosity pretty quick so. Cool thanks. Just one more second I'm gonna try and plug in the hit. I know it's a very different approach but uh do you have any interest in looking into NFC and other technologies that hotels are now using because a lot of hotels are phasing out the Magstrips? Yeah those are uh most of the ones that use RFID ones are actually tokenized so they reflect the folio number instead of having uh actual data in there. So you could use some of the classic attack methods but it wouldn't actually uh wouldn't actually work so as good and that's what I'm saying if you're root posting those like that's something where uh your key space would be a lot bigger and like you're able to uh it's a truly random sixteen digit number so. Well I apologize the demo blew up on me but I will put a YouTube video up uh I've actually working and if you guys wanna come in uh I'm gonna try to demo it here until I actually get kicked off stage but I'll still answer in questions so if you guys have any questions feel free to ask too so. Yeah I was just curious have you done any uh playing around with the new tabletop devices that are in the restaurants and stuff have you looked at any of those? Yeah now every time I sit at uh one of my favorite restaurants on the street that's like my first thing that I would love to but I don't have access to them I think it would be kind of breaking the law but I would love to actually order some of those. Right. I've seen a lot of fun things people do with some of the pager systems and stuff so. So a bit of a comment on uh running on old operating systems I ran uh um around with a uh award driver downtown and I found a lot of uh uh WEP Wi-Fi and uh went into the uh the restaurants that are using that and asked permission of course because we all asked permission and uh got the handshake from WEP real quick you know with Wi-Fi and did some sniffing found out they're all running old XP 0867 gets to it old uh POS on there uh dump memory and I found even on there uh admin account with back door back door so I wasn't the first one there but I found that they provided WPA2 to the customers but because the uh the uh old point of sale couldn't authenticate and the old XP couldn't authenticate to WPA2 they even run on WEP and so you don't have to get very close at all. I want to know if that's been your experience or not as well. Yeah for as far as actual using already inputs on this kind of stuff? Yeah yeah and I mean like don't have to get that close to it that if they're already networked with with WEP then you know it goes in there but yeah all that default credit in old uh OS uh I've seen the same thing. Yeah there's tons of other ways that I can see if you watch your attacking these. Yeah this is like my main attack surface on this so. So shifting gears little from mag strips to chip readers have you ever gone into something like that as chip readers start to get more and more popular and maybe hotels start to use that instead of mag strips do you think this attack vectors that you have kind of really researched might be able to shift and transition into the same way you could apply it to chip readers? Yeah some of the chip readers uh they'll still be using some of the like uh magnetic track data for the most part on some some of the stuff but uh some of the challenging and the encryption they can do I would see it being able to block a lot of it so. What about uh looking into the serial programming on the actual door itself? Yeah I haven't dug too deep into some of that stuff like uh after I got some of this attack surface and then I broke my phone like I said it kind of disheartened a little bit so but yeah that was like uh I was I was still curious about a lot of the attack surface that was out there but I just yeah I didn't have the some of the stuff to to get into it so as far as especially time was my biggest constraint on that. Cause if you have a key to your door and you're able to reprogram the lock to your door or you could spoof your key. Yeah. Then you. Yeah that's the biggest thing too is like uh are you asking about if you can I'm sorry I might re-ask the question. No so a lot of the doors have a like a barrel serial connector on the bottom a 2.1 jack. Oh yeah yeah. And then if you could reprogram that door over serial and if this is the kind of security that the keys are using are the locks really using that kind of security. And that's something like even though the the most recent hotel town like where they had the little uh thing or the not the bingo dauber but the actual marker at the bottom those are newer systems those have two-way interfacing so they can blow the keys away. Uh it's a lot of these low energy old ones or older ones like as old as in like 2008 2006 those ones uh have two-way functionality but it's in 15-minute increments. So some of the full blown ones uh they're they're got a little bit different method of actually you know protecting themselves. So yeah thank you. Did you have to use any kind of a proprietary um reader for your mag strips? I noticed a lot of like credit cards drivers licenses all used a normal standard one two three tracks but a lot of hotels aren't readable by those standard readers. Did you have to use anything special for that or? I didn't have to modify the MSR like a little bit to be able to read some of the raw data at the same time as the other information because they use like a portion of the card and uh actually raw read it uh you do to read their proprietary format you do need an actual driver from the property management software but if you can rip the raw encoding like a majority of them you can actually reverse it from the raw encoding. It just takes a lot of extra time if you do the raw read through the property management software if you were to get the property management software you would be reading entirely different character sets so. Right so that's how you did it for most of what you're showing here was it wasn't to dump it to actual keys but to dump it to raw and then encode it as raw like if you went up to your room and did MSR and just read it in raw and then copied that to another card that raw would work across the board so. Alright thanks. Yeah thank you. Just curious if you looked into uh trying to do SQL injection into like POS systems or other systems using this method. Yeah I was actually the demo that I had was literally going to do a uh a Java or a flash drive by attack so I and then as far as SQL injections that's something that would definitely be possible uh especially for some yeah quite literally if it would be able to get to something as back end or internal that would be a huge attack surface so yeah. Thanks. Uh some of the card readers that are slide-ins either have a mechanical or an optical sensor does how does that is that just an ASCII changer? Like the slot machine ones yeah they actually turn green when something's inserted into them and you can use a very low profile piece of 70 pound paper and it'll actually trigger that event so. Yep. How are we doing on time guys? My goo and over two minutes? Okay awesome. Yeah any last questions? I really do apologize for this I'm gonna try to get a demo going in the hallway. I guess it I need to check on some of the connectivity issues uh should still pop the command shell and inject it though so I'm having some kind of interface issues so if anybody wants to see this if not I'll actually put a uh camera demo online so and I'll make sure that my camera focuses this time but if you guys want to look into the actual injection with the Chinese MP3 player if you want to burn out a six dollar MP3 player injecting credit cards you can feel free to uh then also a lot of the uh actual payload injections I'll be putting uh demos up online so quite literally as soon as I get back to North Dakota which I have to drive so but yeah if there's no other questions I just want to thank you guys for uh staying thank you.