So welcome to the last track speaker here for track three for Friday. We've got Gregory Pickett going into Breaking the Back End. So here you go, Greg.

Breaking the Back End, DEF CON 27. I got the number right. All right, long day. My name is, as you said, Gregory Pickett, with Hellfire Security, with the Cyber Security Operations Group. Our talk today: all right, the transit system, our target; reverse engineering the target; all right, the discoveries that I made reverse engineering it; then of course the exploit that I developed with what I discovered; and of course the lessons to be learned. Always lessons. Without the lessons, what's the point, right?

All right, how is this different? We're not sneaking into the station, we're not hacking the terminals, we're not socially engineering anyone, we're not hacking the wire into their network. It's not about the hardware. We're not going to be breaking any encryption, we're not going to be cloning magstripes and NFC cards. Instead this is about flaws in application logic. All right, there is some cloning involved, but it is not the vulnerability exploited. Instead we're using AppSec to attack a complex, multi-layered, real-world solution.

Our target, the elevated train, is the Bangkok Mass Transit System. It's the elevated train in Bangkok, Thailand. It serves the greater Bangkok area. At the time that I started this, 43 stations along two lines, but I believe there are more now, and actually more being added as we speak. That transit system uses two different types of tickets: a stored value card using NFC, and then an all day pass and a single journey using a magstripe. The magstripe is what we're going to look at. Those tickets have two magstripes, there's a hole through one of the magstripes, and it is only 0.27 millimeters thick. A picture there: the top is the single journey ticket, the bottom is the all day pass. If I can get the mouse over there, you can see the little hole right there. You see how thin it is. You are not going to be opening up a catalog and ordering it; you aren't going to be able to go down to the store and ask for it, right?

Of course the first thing you're going to do is read it. All right, the equipment there: a standard reader-writer, manufactured in China, before the tariffs, so not quite as expensive as it could have been. A standards or raw reader, right, so it would of course take the data and then decode it according to standards, or just dump the data in raw reader mode. Errors were rare. It was able to handle that hole, which I originally thought was a 1980s-style copy protection. If you aren't familiar with that, they used to damage a sector on the disk, so if you attempted to copy it, that area would error out, and of course you then couldn't copy it and pass on the copy to a friend. It turns out that hole is just to make sure that the ticket is properly lined up, right, turned up the right direction and facing the right direction, so it would be going into the reader properly. And then it was reliable. Before you start analyzing any data, you want to make sure that the data is reliable; otherwise you can't perform that analysis if it's not reliable.

First thing you do is sit down in a lab and you attempt to decode this according to standards, using the International Organization for Standardization. There's a lot there actually, but it boils down to six-bit and four-bit character sets, some with parity and some without. I attempted to decode this both forwards and backwards. I am a perfectionist, somewhat anal retentive I think was the term I used to use, so I'm going over it and over it again to make sure that it was not the software making a mistake and I'm not making a mistake, because I did do it with the software and I'd also then do it manually. So I finally decided, after doing this again and again and again, that it wasn't using the standards, and maybe it's not encoded at all, right, maybe just raw data. So we'll see.

Okay, so looking at the data: it's unencrypted. There are sections that repeat; if it's repeating, it's not encrypted. No parity checks: if you break up the bits, you calculate parity, and then you check the ticket to see if it's represented that way there on the ticket, it's not. So no, no CRCs and LRCs. And no timestamps: if you buy a ticket and you wait ten seconds, nothing increments by ten. So I think after this we can say that it is just raw data. But what does that data mean, right? Well, that's the field work. You run that ticket through the system, you're going to vary the input each time, and then you're going to see how the data changes. You're going to use those changes to identify the meaning.

Now before you do that analysis you want to try to reduce your workload, right? The less work you have to do the better. So I talked about duplication, or duplicated sections. The yellow sections up there were essentially duplicated; didn't need to look at them, then just dump them out. There are sections that had a utilitarian use. This data here is actually just zeros, right; it gives the ticket a chance to line up properly in the reader, and so there's basically a delay with those zeros. Well, that's a start sentinel, and all the function of the start sentinel is a single bit saying data is now coming, so I don't really need to analyze that. I knew it just by looking at it; that's another benefit of going over the data again and again earlier, is that you have some insights later on. The seven eight two six, which is the red, you can't see that probably very well: when I was buying tickets and taking a look at them, I would have one particular value for the single journey, and then I'd have a different value for the all day pass. So quite obvious at that point in time that that's a ticket type. This here, this little, these two nibbles there end up being 100 plus the ticket price. Okay, so that jumped out; I mean I don't really need to do any deeper analysis on that. That leaves me with four sections: this one here, this one here, this one here, and this one here. So that's a lot less work.

Now each of these of course is different from ticket to ticket. It's important to note also that this here, and you probably can't tell that, but it's blue, that actually changes as the ticket is used, as it goes through the system. Okay, so after I observed those changes, this is what I found. Each ticket has a GUID associated with it and a location. Initially it's in a dispenser and it's a GUID associated with its arrival there. When the ticket moves, the location is updated to a turnstile, there it is, and a GUID associated with its arrival there. When the ticket moves it also changes state: it goes from issued, to used, to collected. When you buy it, it comes out of that dispenser, it's in the issued state. You go and use it to enter, it goes through the turnstile, it's now in the used state. Then when you exit, all right, it's captured by the turnstile and it's then in the collected state. There are also some handling rules. To enter, the ticket must have previously been in the collected state, meaning it was just sitting in a turnstile somewhere, previously in the collected state, coming out of the dispenser now currently in an issued state. All right, that's what the object was, where it was, and where it is now. Then of course you can use it to enter. To exit, the ticket now must be in the used state.

Okay, so we're going to look to exploit the system. We're going to cover briefly, you know, what we've learned so far, kind of summarize everything up, talk about system safeguards that become evident as you examine the system, the assumptions that they must have had when putting together the safeguards, and then we'll talk about attacks against the assumptions, and then of course, obviously, this is why I'm here: there was an epic fail. We don't have regular fails here at DEF CON, we have epic fails.

All right, so what we've learned so far: it's an object-based system. It's a physical object and a database object. I know this one because, well, I learned primarily: you go ahead and try to modify any of the data on the ticket, and the little screen at the turnstile says "go to the office." It's like school: you do something wrong and you go to the office. Now I knew there was a database representation, all right, a database object, because there was no integrity checking on that ticket, so there had to be an external reference, and it's typically a database. And each of these objects, whether it's the physical object or the database object, has properties: there's identification, there's a type, a value, and a location. So they're actually rather different than most systems that are transaction-based; this is more of an object-based system. All right, so these objects also have states: issued, used, collected, and history.

Now there's some system safeguards that become evident: ticket composition and ticket design; there was a mirrored physical object and database object; there were handling rules; and there's a life cycle. All right, it was only good for 24 hours basically, and this ticket would be collected after you used it. All right, the assumptions in using these particular safeguards are that no one, right, no one will be able to reproduce their ticket, and their system has the only valid objects. All right, handling rules will prevent concurrent use: I can't hand this to my buddy, all right, I go through and then hand it back to someone. No one can do that; that was their assumption. Damage is limited to the life cycle, right, so if somehow someone is able to bypass these safeguards, well, what damage could they do in 24 hours? And finally, after the use, the ticket will be in their possession, right; with it in your possession, now you feel safe.

Attacks against those assumptions. First one, right: acquire a suitable ticket. They say, or they believe, that no one else can make these tickets. Let's find out if that's true. Capture a valid object, bypass those handling rules, and then extend the attack to increase the damage and get beyond that 24-hour window (it's probably a little shorter than that). It was indeed an epic fail there. I did find someone to make blank tickets. It took me a really long time; most companies said you couldn't do it, but I was persistent. I also had Alibaba; anyone out here ever use Alibaba, familiar with it? Yeah, it's great, right? And then I did copy a shit ton of the objects, and I feel comfortable to say that here, shit ton, in the issued state, and I just found a flaw in the handling rules, right.

What I found was the collected state found in a current life cycle overrides all other states, right, so the object is always seen as recently collected. You run that original ticket through, that recently collected state is stuck in there, so it doesn't matter if you have all these other tickets currently in use; it doesn't see that, it doesn't see that as a previous state, doesn't see that there's concurrency going on, it just sees that one collected state stuck in there. And so any of these other copies you use out there, they're all valid, right, and I'll demonstrate that. It's really simple, it's a very simple attack. You have to look at it, but it's very effective, right. So in the normal circumstances, if there's concurrency, you know, multiple tickets or copies being used, you attempt to use one of them, and it's just seen one in the used state, so now it sees it in the issued state and it says no, that does not follow my handling rules. So none of the copies would work. Okay, but if you let it run through, right, not trying to just hand it back to your buddy, let it go all the way through, then every single copy becomes valid. It doesn't see concurrency, right; you can have three tickets, four tickets, five tickets, all the same ones, it doesn't see that, it doesn't see that they're being used right now, it just sees that one: "I was previously collected and I'm now issued, fine, go ahead and go through." So one, two, three, five, twenty, it doesn't matter, it'll let all these people go through with the same ticket.

Of course you can't just say this; you have to have some data that backs it up, and I'll have a video here in just a second. All right, so we have a table there. This is all the same ticket, all right, this is an original and two copies, all with the same GUID, coming out of the same dispenser and at the very same instant, because it's the same ticket, so it's got the same GUID. And you can see it's actually used three separate times. It's very hard to make that out, all right, it's very small hex letters, but you can at least see that it's different. So we had the same ticket being used three separate times, three separate turnstiles, actually I believe in one instance a different station altogether, with different GUIDs. And similarly here for the all day passes: it's actually the same all day pass, it's used two separate times in two separate stations, entered with two separate turnstiles, and two separate instances of the GUIDs.

And a video. I have to get it over there, though. It's only twenty minutes; originally it was a forty-five minute talk, and there was a lot more about Thailand. This is where the research was done, obviously, in Bangkok. They are currently, they were at the time, and they're currently still, can I get the button there, the country's run by a junta, a military dictatorship, guys with machine guns, with, you know, no questions asked: you want to be arrested, okay, disappear. So I was a bit skittish. We have an error message, I can't really see that. We have a few minutes, let me go and drag this back over here. We can't, I don't know where that's at, you guys know where this stuff's at? We're good on time, so you know we can make mistakes. It didn't bring it up, it just, we can't play it. It's not too bad because most of it's my feet. Yeah, let me pause that. Yes, there's a lot of the ground and my feet. Great sandals, right? There we go. So yes, at the time this research was done, I forget about the audio, the junta is in charge, guys with machine guns, so I was a little worried I could be disappeared. As a farang, a white man, white guy, in Thailand: lots of privileges but no rights. And you combine that with the junta, yeah, it's quite easy, it would be easy for them to maybe disappear you. You'll see that, there we go, obviously not a genuine ticket. There we go. As I said, that was mostly my feet because I was worried about being put in jail, disappeared, so I kept the phone by my side as you can tell. And then of course when it was time for the money shot I pulled it up, and then I did see, I don't know if you guys could, anybody could see that it was not a genuine ticket, it was in fact a counterfeit. And you could run around with five of these, ten of these, twenty of these; it really, you know, the system would let all of them through at that point.

All right, so that was fun, right? But to turn this into an exploit, right, you know, from an exploit to an attack, you have to have those blank tickets and you have to have a plan, because we actually have one more safeguard, right, get beyond that 24 hours. So I did find someone, as I said, to make these tickets. It took a long time, many, many months with vendors, talking to them, trying to get them to understand what I wanted, and then trying to get them past the "no, we can't make it." So there were the tickets there. So the plan is: buy a day pass, you have to copy that ticket, and you're going to go ahead and then use the original and put that in that state, and you hand out the copies to have fun. Now you can do that yourself, you can do that with your friend and your pastor, your monk, whatever, everyone can ride. But actually it can turn into something more. You can go beyond just a couple of your friends there, you know, five of you; you can go ahead and instead make ten or twenty or a thousand. The first time you run the attack, it's about three dollars for the all day pass, you're buying your blanks for about a hundred dollars, so a hundred and five dollars to do damage to the organization of about five thousand dollars. That's the first thing. But with the all day passes, you get to keep the all day pass. Actually, you use it all day, right, and just keep it with you; at the end of your day, don't bring it back, end your day a little early, and so you use it again the next day. So each subsequent attack is about three dollars to do about five thousand dollars of damage, and you can of course do it a whole lot more.

If you're going, I hate to say cyber warfare, but if you're talking about undermining a country, start making their infrastructure unreliable and reducing trust, right, trust in these sorts of things that people rely on. You could just do this with a group of people, you could do this over years, you can very cheaply do, you know, three dollars every day, right, to end up doing about eight million dollars of damage. You can combine it with other operations, and you start looking at really hurting a company to the point where they can't make the repairs they need to make, where the system becomes unreliable. You could do the opposite: turn it into a PR nightmare, where you decide to go out with ten thousand of these and start handing them out, and after that of course the system shuts down because they have to stop everyone to take a look at their tickets, people can't get to work. It's a huge PR nightmare to do it that way. So yeah, a lot can be done with this. So yes, you can extend the attack beyond the 24-hour window; you can do a lot more damage than I think they realize you could do.

So obviously, to avoid their fate: test all layers of the solution, not just hardware. Despite the fact that your interaction is passing this ticket through a hardware system, it's not just hardware, there's software in there somewhere, so you have to at some point in time test the application. And more importantly, check your assumptions. I suspect that many years ago when this was first implemented the assumptions were mostly true, mostly, but things have changed, and so you have to check. That's why I think, you know, it's a good idea, right, do a pentest every single year, do some sort of assessment every single year to make sure your assumptions are still valid. And then compensating and mitigating controls. I did this on and off, because I spent a lot of time in Asia; I was doing this on and off for two years, right. I think that if they were watching, if they had any sort of monitoring going on, they would have noticed, they would have found the problem, they would have resolved it. Since they didn't, they must not do any sort of monitoring, any sort of oversight of their own enterprise, their own system, right, and it's a very bad, bad idea. As we all know, people eventually get in, so we have to be ready for when they do. So it's obvious that they were not using compensating and mitigating controls, so it's important that we as practitioners recommend and do that so we ourselves don't end up like them.

And then links. There's lots of information that you can learn from: the hardware used, the standards involved, I don't think I have any, but I do, so, you know, the hardware involved, the different talks prior to this, that's actually also what got cut, the different talks; there are talks on other ways of looking at transit systems and attacking them. There is information about our friends at the BTS, right. And I say it's important to look at these sorts of things because this actually is what I got today. Lots of places are using magstripe, so learn about it, look at other magstripes that are out there. And this came from, you're going to recognize it, the monorail, right? I wonder what this is on this, right, you know, I want to look at this, right. I'm tempted to start carting my magstripe reader everywhere I go, just because you see all these things; there's lots of opportunities. That is the talk, that's everything. I think I'm done early, right? Yeah. Any
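The handling-rule flaw the talk reconstructs ("previously collected, now issued" is accepted, and a collection in the current life cycle sticks, so every copy carrying the issued state is waved through once the original has been collected) can be modelled as a small back-end state machine and set beside a corrected one. This is an added example, not the operator's code or the speaker's; the GUID string, the station names and the exact shape of the rules are assumptions made for illustration, and only the single-journey ticket (captured on exit) is modelled. The hardened back-end treats its own record, not the state written on the stripe, as authoritative, makes collected a terminal state for that GUID until a dispenser starts a new life cycle, and records every mismatch as an alert, which is the monitoring the talk says was missing.

```python
"""Turnstile back-end model: flawed handling rules beside a hardened version.
Added example for illustration; identifiers and rule structure are assumed."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    ISSUED = "issued"        # just came out of a dispenser
    USED = "used"            # passed an entry turnstile; rider is inside the system
    COLLECTED = "collected"  # captured by an exit turnstile


@dataclass
class Record:
    """Database side of a ticket, keyed by the GUID carried on the magstripe."""
    guid: str
    state: State
    collected_this_cycle: bool = False              # the sticky flag behind the flaw
    history: list = field(default_factory=list)     # (event, location) audit trail


class FlawedBackend:
    """Rules as the talk describes them: entry needs 'previously collected,
    now issued'.  'Now issued' is trusted from the stripe, and a collection in
    the current life cycle overrides whatever state the record is in, so after
    the original has gone all the way through, every copy is accepted."""

    def __init__(self):
        self.records = {}

    def dispense(self, guid, location):
        # A dispenser starts a new life cycle for this GUID.
        self.records[guid] = Record(guid, State.ISSUED, history=[("dispensed", location)])

    def enter(self, guid, stripe_state, location):
        rec = self.records[guid]
        fresh = rec.state is State.ISSUED
        if stripe_state is State.ISSUED and (fresh or rec.collected_this_cycle):
            rec.state = State.USED
            rec.history.append(("entered", location))
            return True
        return False  # only a copy presented while the original is USED is refused

    def exit(self, guid, location):
        rec = self.records[guid]
        if rec.state is State.USED:
            rec.state = State.COLLECTED
            rec.collected_this_cycle = True
            rec.history.append(("collected", location))
            return True
        return False


class HardenedBackend(FlawedBackend):
    """Same API, but the record is authoritative and COLLECTED is terminal:
    a collected ticket is physically inside a turnstile, so any further
    presentation of that GUID is a reproduced object.  A new life cycle can
    only begin through dispense().  Every refusal is kept as an alert."""

    def __init__(self):
        super().__init__()
        self.alerts = []  # (guid, location, record state, stripe state)

    def enter(self, guid, stripe_state, location):
        rec = self.records[guid]
        if rec.state is State.ISSUED and stripe_state is State.ISSUED:
            rec.state = State.USED
            rec.history.append(("entered", location))
            return True
        # Stripe claims a state the record does not hold: clone or tamper.
        self.alerts.append((guid, location, rec.state.value, stripe_state.value))
        return False


def clone_scenario(backend, n_copies):
    """Buy one ticket, copy it while issued, run the original all the way
    through, then present each copy at entry.  Returns
    (copies accepted while the original was in use, copies accepted after
    the original was collected)."""
    guid = "GUID-0001"                                # constructed identifier
    backend.dispense(guid, "Siam dispenser")           # constructed location names
    backend.enter(guid, State.ISSUED, "Siam gate 3")   # the original enters
    during = backend.enter(guid, State.ISSUED, "Asok gate 1")  # a copy, concurrently
    backend.exit(guid, "Asok gate 2")                  # original is captured
    after = sum(backend.enter(guid, State.ISSUED, f"Mo Chit gate {i}")
                for i in range(n_copies))              # the copies, one by one
    return int(during), after


if __name__ == "__main__":
    print("flawed  :", clone_scenario(FlawedBackend(), 5))    # (0, 5)
    hardened = HardenedBackend()
    print("hardened:", clone_scenario(hardened, 5))            # (0, 0)
    for alert in hardened.alerts:
        print("alert:", alert)
```

Both back-ends refuse the copy presented while the original is still inside the system, which is the one case the talk says the real rules catch; the difference is entirely in what happens after collection. The hardened version also produces one alert per refused presentation, so the two-year pattern of reuse the speaker describes would have shown up in the first day's logs.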