Anatomy of a Subway Hack
Russell Ryan, Zack Anderson, Alessandro Chiesa
For updated slides and code, see: http://web.mit.edu/zacka/www/subway/

What this talk is: pen-testing a subway system
What this talk is not: evidence in court (hopefully)

You'll learn how to:
• Generate stored-value fare cards
• Reverse engineer magstripes
• Hack RFID cards
• Use software radio to sniff
• Use FPGAs to brute force
• Tap into the fare vending network
• Social engineer
• WARCART!

AND THIS IS VERY ILLEGAL! So the following material is for educational use only.

ATTACK PHYSICAL SECURITY
There is almost always a free way to get in:
• turnstile control boxes open... almost everywhere
• computer screens visible through windows
• door keys left in open boxes
• state-of-the-art surveillance... often unattended
• documents left in the open
• what we found on eBay

ATTACK THE MAGCARD
Pick the hardware:
• < $5: homebrew reader with inserts, can read 3 tracks
• $139.95: Spark Fun Electronics 3-track lo-co reader, includes source code
• $300: MSR206 or MAKStripe, 3-track hi/lo-co, works with our GPL'd software

Sample card dump:
EC9010402AC9D000000005B800C80150342248A84EBD132BE10280002000000002025D0000FD60

Is value stored on the card? Try a cloning attack. If yes, then you now have free subway rides for life. Oh, but you want more than that, eh?

REVERSE ENGINEERING THE CHARLIE TICKET
Everybody talks about it, but where do you start?
1) Make a guess about what's in the data
2) Change a single variable; see what changes
3) Repeat many times with varying data
4) Compare similar and dissimilar data
5) Ignore constant regions
6) Build/use tools

Isolate Variables method. To locate a single variable:
• Group data by that variable
• Ignore global similarities (between different groups)
• Ignore differences within groups
The resulting locations are probably where the data is stored.

Charlie Ticket layout (as recovered):
  EC901               const
  0402AC9D            ticket #
  000000005B8         ticket type (ticket / pass)
  00C8                value (in cents)
  0150342             time
  248                 const
  A84EBD              time
  028                 last reader used
  132                 last station used (approx)
  BE                  const
  0002                last trans (in nickels)
  000000002025D0000   # of uses (approx)
  1                   const
  FD60                checksum

FORGING THE CHARLIE TICKET
Same layout, with the value field changed from 00C8 to FE4C and the checksum from FD60 to FC90:
  EC901 0402AC9D 000000005B8 FE4C 0150342 248 A84EBD 028 132 BE 0002 000000002025D0000 1 FC90

MAGCARD REVERSE-ENGINEERING FRAMEWORK
• Bitstir: reverse-engineering GUI
• MSR206 MagCard utilities: read(), write(), erase(), ...
• Conversions, comparisons, checksums, time stamps, ...
• Card modules: CharlieTicket (Boston, MA), MetroCard (New York City, NY), ...

Demo: MagCard and Reverse Engineeri
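The layout above ends in a checksum computed from the card's own bytes, so every reader, and therefore anyone who can write a card, can produce a record that verifies. The Python below is an added illustration, not part of the talk's slides or its GPL'd tools: it contrasts an unkeyed 16-bit checksum with a keyed HMAC tag on a constructed toy record. The field order (ticket id, value in cents, last reader), the additive checksum and the key are assumptions for illustration and are not the real Charlie Ticket format; the sample values 0402AC9D, 00C8 and FE4C are the ones shown on the page.

```python
import hashlib
import hmac
import struct

# Constructed toy record (assumption, not the Charlie Ticket format):
# 4-byte ticket id, 2-byte value in cents, 2-byte last-reader id, then a trailer.
BODY = struct.Struct(">IHH")
TAG_LEN = 8  # truncated HMAC-SHA256 tag (assumption)


def unkeyed_checksum(body: bytes) -> int:
    """16-bit additive checksum over the body bytes (assumed scheme)."""
    return sum(body) & 0xFFFF


def make_record_checksum(ticket_id: int, cents: int, reader: int) -> bytes:
    """Record protected only by a checksum: anyone can build a 'valid' one."""
    body = BODY.pack(ticket_id, cents, reader)
    return body + struct.pack(">H", unkeyed_checksum(body))


def checksum_ok(record: bytes) -> bool:
    """Reader-side check of the unkeyed checksum."""
    body, (tail,) = record[:-2], struct.unpack(">H", record[-2:])
    return unkeyed_checksum(body) == tail


def make_record_mac(ticket_id: int, cents: int, reader: int, key: bytes) -> bytes:
    """Record protected by a keyed tag: only a holder of `key` can issue one."""
    body = BODY.pack(ticket_id, cents, reader)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def mac_ok(record: bytes, key: bytes) -> bool:
    """Reader-side check of the keyed tag, in constant time."""
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


def value_cents(record: bytes) -> int:
    """Read the value field (bytes 4..6) of either record kind."""
    return struct.unpack(">H", record[4:6])[0]


def demo() -> dict:
    """Summarise how each scheme treats a record written without the issuer key."""
    key = b"issuer-secret-example"          # constructed key, assumption
    honest = make_record_mac(0x0402AC9D, 0x00C8, 0x28, key)
    no_key = make_record_mac(0x0402AC9D, 0xFE4C, 0x28, b"guessed-key")
    return {
        "checksum_accepts_any_value": checksum_ok(make_record_checksum(0x0402AC9D, 0xFE4C, 0x28)),
        "mac_accepts_issued_record": mac_ok(honest, key),
        "mac_accepts_record_without_key": mac_ok(no_key, key),
    }


if __name__ == "__main__":
    print(demo())
```

A keyed tag stops offline edits of the value field, but it does not stop copying a whole valid card, which is the cloning attack the slides mention; that needs the reader to consult a back-end ledger keyed by ticket id and transaction count rather than trusting the stored value alone.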