 My name is Salvador Mendoza and I'm going to talk about how to exploit all of the information we need technology. The idea behind this tag is how to implement audio waves and Bluetooth connections. A little bit about myself. I'm a security researcher. A lot here I present about Samsung Pay tokenized number of flasks and issues here in DEF CON. And even today we're going to use some Samsung Pay tokens, yards for the demos. What exactly is max try information? Well, any kind of capability to store max try information, they have this item based magnetic particles that could change implementing magnetism. But how we can relate max try information with audio files? To do that, we need to, in this case, in order to transmit max try information into audio, we need to be able to mimic the audio waves from the magnetic field changes when you swipe a card. These kind of waves are the two F signals and they contain zeros and ones that the carrier can interpret like any kind of character. These characters are, of course, account numbers, names on the cards, all that kind of information that you're going to have on the cards. This is how it looks like audio spoof or audio file. We have many different kind of spikes on them. But what that really means, from Major Malfunction DEF CON 14 more than 10 years ago, he tagged about max try madness. And that presentation, he said that depending on the space of the spikes, they're going to be zeros and ones and these ones are going to represent the characters. But of course how we can transmit this kind of information to the card reader? Last year, Weston Hecker presented how to brute force auto keys foils implementing M3 player. But also he presented how to send raw mass try data with M3 player too. So I started searching what kind of technology we need to do that kind of thing. If you try to transmit audio files implementing just the audio by itself, you're not going to get anything in the card reader or you're going to get some kind of errors. The key in this attack is the amplifier. Sounds kind of funny. You need an amplifier to amplify the signal. So the first demo is how to use Raspberry Pi and one coil from, this is the cheapest one, $3 from eBay. This has a range from 5 volts to 12 volts. How you can transmit max try information. The setup is very basic. You connect the audio to the Raspberry output and connect directly to the amplifier. I'm using an external power source to the amplifier so I don't want to damage my Raspberry Pi. And I'm using a coil from my last max booth I used for my last stack here in Defcon. I connect a critical reader directly to my laptop. So basically when I run a audio spoof or audio file, I get directly the max try information into my terminal. So you can see in the critical reader how the lights detect the signal and send directly to the terminal. So after this approach, I was thinking about portability. How we can do some kind of thing like that to be used in different kind of things. The main idea was what kind of technology we have that can support audio and could be close platform. Well, we have Bluetooth technology. I start buying many different kind of speakers. Try to implement in this kind of attack. And this one, specifically has a amplifier built on. So we don't need an external amplifier. So I designed a tool that I call it blue spoof. The blue spoof is a tool that is not kind of similar to the semi-cam car max spoof because that one implements an 8085 microchip and also a more controller. This one implements a Bluetooth speaker board and implements audio files. And of course a coil. Some of the characteristics of this tool is cheap, Bluetooth support, 3-point volts very portable and accurate. So what about the demo? So it can be charged directly from five volts like any kind of charger that you have for your cell phones. So in this presentation, I'm creating a WAF file, implementing a track two form. And the max try information that I'm using is a Samsung pay token for my chase account. Please don't use it. You are going to be able to do it. I hope so. So in this case, I'm creating the chase spy WAF file. I'm connecting to the blue spoof like normal Bluetooth speaker. After I connect it, I'm going to open audacity so I can see the WAF files from the file that I just created. After I open the file, what I'm going to do is I'm going to select the output of the audacity to send the data to the blue spoof tool. So you can see the WAFs in this file, how it looks like. The name of the blue spoof register in my computer is the token. So when I play like loop play in this attack, what I'm trying to do is I'm approaching the blue spoof to my credit card reader to get some kind of information. So you can see how I start detecting the signals when I approach this kind of tool. So what about another kind of device? What about a Huawei chip smartphone? I'm talking about $20 smartphone. It's already connected to a blue spoof tool. So I approach this one to the credit card reader. And what happens is I start detecting the signals momentarily and after that it starts registering like another kind of track. After this I'm going to implement an iPhone sit. Because all of them have support to a blue spoof connection, we can implement in all kind of devices. It's kind of cool how the iPhone sends a Magstripe signal because almost all of them are detecting the credit card reader. So I'm going to play the same WAF file. I'm implementing a loop to get a better result and the attack. So you can see how the text signals the credit card reader. What about the Samsung Galaxy? Well, they were the same. They implemented the blue connection too. And it's almost like the iPhone's result. I can detect almost all the tracks sending by the audio spoof. Well, the question is how can I implement this kind of attack without downloading any kind of file to my computer or to my device? So designing a project that I call ViolentMac.com, I was able to create audio spoof from the web browser. So thanks to actually for this idea. The main point here is to create audio files in the both server and after that, we can create all to play the WAF files from the web server without the necessity of downloading any kind of file. So let's say I have, I'm using an iPhone 6 and the example. I'm going to play from the web browser implementing HTML file support. And you can see in the background how the Magstripe is detected by the credit card reader. So let's try to make a payment. I mean, that's the main idea of this kind of attack. Let's see it really watching the real time on the live. So I'm going to make a payment and this kind of terminal. It's already detected signal very quickly. And I can select the product. After that, it's going to validate it. I'm using a Samsung Pay talking. They say they can't use any kind of Samsung devices. And I got a notification from Samsung that I'm using one of his tokens. Of course, after that, if you are tired of spoofing, you can connect directly to your original speaker and use it like normal. So the question is how we can use this kind of tool to attack different targets? Let's say, let's put a scenario of Western Hacker that he was trying to boot for different kind of doors, door locks in the hotels. How we can send data that say we have two locks in the hotel and we have two blue spoof that we can put one in one lock, another one in another card reader. So we can send data to both of them simultaneously so we can see which one can open. In the example I'm using one of the programs from my laptop called Audio MIDI Setup in my Mac. I'm going to create a multi-output device. I already have two devices, two blue spoof connected to my computer. So I co-app them to this multi-output device. After that, in the output selection and the sound settings, I select the output. So let's see a demo of this one. So in this example I have two computers with two credit card readers. I have two blue spoof already connected and I have my laptop that it has the same settings that I present today. I'm going to play an audio spoof file and you will see in the background how all these two computers detect the signal simultaneously. You have to play again. I'm using a Windows and one machine. I'm using Ubuntu and then another one. So I'm playing the audio and you can see they detect the tracks and two computers simultaneously. Now the big question is how we can send different data to different blue spoof. It's kind of challenging. First I tried to use SOTS from terminal to select the output device but it didn't work in my computer. So I started searching and I used Python sound device library. You are able to connect to multiple devices and you can control them implementing Python. So let's tell you a little bit about the background of Samsung Pay tokens. When you are making a payment in Samsung Pay, you put the cell phone offline mode, all the tokens, some of the tokens are going to be incremental but the cryptogram is going to be static. The last part of the token is going to be random numbers, three digits. How we can brute force these three digits because I know the transaction ID is going to be incremental so the next one instead of 10 is going to be 11. So let's try to make a brute force attack. So in this example I'm implementing three different blue spoof simultaneously. I'm connecting to my computer, your laptop, in this case the Mac, you can connect that up to seven. But in this particular case I'm connecting three but yet I'm going to use two of them. I'm going to put them close to the credit card readers so you can see, oh I think I got it, I want to cry in my Windows computer. So I'm going to put close to the credit card readers and I'm going to play, I'm going to check the output first, the sound device library to show you the outputs of the sound board. So I have three outputs but I'm just going to use the IDs three and five for this type because they are my blue spoof tools. So I'm going to generate a brute force attack. In this case I'm going to use this token sample dimension and I'm going to create a web file from that. So if the token transaction ID is 10 and this one, the next one has to be 11. And the random numbers I'm going to create is from zero to 20. After that it's going to generate the web files and it's going to start sending depending on the idea of the speakers, different kind of extra information to another one. You can see in the background how it's going to detect the signals one and the next one. So they are different tokens in one terminal and another one. One has to be even numbers and the random and the next one has to be odd numbers. So after it's running this attack, I'm going to approach the camera so you can see the tokens to show you the even numbers are different between one token and another one. I'm giving two seconds of sleep just to not be too fast. So you can see in the back part of the token we have three ones, five sevens. And these ones are four, six, eight, ten, twelve. So they are different tokens for different kind of attacks. For the brute force attacks. And this part of the base that we're making in the attack, we have the track numbers, frequency, padding, base, maximum bits and the name of the file that I'm implementing. Of course you can see what kind of speaker we are sending and you can add token. After it's completed, you can see how you get the last token is going to be 20 because that was my last part of the token, the last part of the attack. So this Saturday, I'm going to present demo labs, this tool called Samicam, in honor to Samicam car. It's about how to implement blue spoof together with this tool. So you're welcome to be there. Thank you to all these guys for all the support. And please, if you have any questions, feel free to ask me.