Anatomy of a Subway Hack
Russell Ryan, Zack Anderson, Alessandro Chiesa
For updated slides and code, see: http://web.mit.edu/zacka/www/subway/
what this talk is: Pen-testing a subway system
what this talk is not: evidence in court (hopefully)
You’ll learn how to
• Generate stored-value fare cards
• Reverse engineer magstripes
• Hack RFID cards
• Use software radio to sniff
• Use FPGAs to brute force
• Tap into the fare vending network
• Social engineer
• WARCART!
AND THIS IS VERY ILLEGAL! So the following material is for educational use only.
ATTACK PHYSICAL SECURITY
there is almost always a free way to get in
turnstile control boxes open… almost everywhere
computer screens visible through windows
door keys left in open boxes
state-of-the-art surveillance… often unattended
documents left in the open
what we found on Ebay
ATTACK THE MAGCARD
pick the hardware
$5: homebrew reader with inserts, can read 3 tracks
$139.95: Spark Fun Electronics 3-Track Lo-Co, includes source code
$300: MSR206 or MAKStripe 3-Track Hi/Lo-Co, works with our GPL’d software
EC9010402AC9D000000005B800C80150342248A 84EBD132BE10280002000000002025D0000FD60
Is value stored on the card? Try a cloning attack. If yes, then you now have free subway rides for life.
Oh, but you want more than that, eh?
Reverse engineering: The Charlie Ticket
Reverse engineering. Everybody talks about it, but where do you start?
1) Make a guess about what’s in the data
2) Change a single variable; see what changes
3) Repeat many times with varying data
4) Compare similar and dissimilar data
5) Ignore constant regions
6) Build/use tools
Reverse engineering: Isolate Variables method. To locate a single variable:
• Group data by that variable
• Ignore global similarities (between different groups)
• Ignore differences within groups
• Resulting locations are probably where the data is stored
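The six steps and the Isolate Variables method above, carried out in code as an added example (this is not the authors’ Bitstir code). The dumps are constructed for the demo: the record layout, header, field widths and trailing check-like values are invented and are not the real Charlie Ticket format; the only thing the analyst is assumed to know is each card’s stored balance.

```python
"""Isolate Variables method over constructed magstripe dumps.

Each dump is one card's track data as a hex string. The tester knows one
variable per card (here the balance in cents) and wants to learn where that
variable lives. Layout below is invented for the demo, not a real ticket.
"""

# Constructed dumps grouped by known balance. Within a group the balance is
# the same while the serial, time and trailing check-like field all vary.
DUMPS = {
    200:  ["EC9011A2B3C4D00C81503427F31", "EC901E5F6071800C82A6B7CA0C5"],
    500:  ["EC9012B3C4D5E01F4161F083D92", "EC901F607182901F40B7D518E47"],
    1500: ["EC9013C4D5E6F05DC17A2C0C158", "EC9010718293A05DC09E36B5B0F"],
}

def _column(records, i):
    return {r[i] for r in records}

def constant_positions(groups):
    """Step 5: nibble positions identical in every dump (ignore these)."""
    records = [r for recs in groups.values() for r in recs]
    return [i for i in range(len(records[0])) if len(_column(records, i)) == 1]

def isolate_variable(groups):
    """Steps 1-4: positions constant within each group but differing between
    groups. Differences inside a group (serial, time, check) are ignored, and
    so are similarities shared by all groups (header, leading zero nibble)."""
    records = [r for recs in groups.values() for r in recs]
    if len({len(r) for r in records}) != 1:
        raise ValueError("all dumps must have the same length")
    hits = []
    for i in range(len(records[0])):
        per_group = [_column(recs, i) for recs in groups.values()]
        if any(len(c) != 1 for c in per_group):
            continue                      # varies within a group: not this variable
        if len(set().union(*per_group)) > 1:
            hits.append(i)                # differs between groups: candidate
    return hits

def spans(positions):
    """Merge sorted positions into contiguous (start, end) nibble ranges."""
    out = []
    for p in positions:
        if out and out[-1][1] == p:
            out[-1][1] = p + 1
        else:
            out.append([p, p + 1])
    return [tuple(s) for s in out]

def read_field(record, span):
    """Decode the located range as a big-endian hex integer."""
    return int(record[span[0]:span[1]], 16)
```

Because every sample balance is below 0x1000, the leading nibble of the 4-nibble field is reported as a constant region and the located field comes out one nibble narrow; that is exactly the situation step 3 (repeat with varying data) is meant to catch.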
The Charlie Ticket data, split into fields (labels as given on the slide):
EC901                      const
0402AC9D                   ticket #
000000005B8                ticket type (ticket / pass)
00C8                       value (in cents)
0150342 248 A84EBD         time, const
132                        last reader used
BE                         last station used (approx)
1                          const
028                        time
0002 000000002025D0000     last trans (in nickels), # of uses (approx), const
FD60                       checksum
Forging The Charlie Ticket
Original: EC901 0402AC9D 000000005B8 00C8 0150342 248 A84EBD 132 BE 1 028 0002 000000002025D0000 FD60
Forged:   EC901 0402AC9D 000000005B8 FE4C 0150342 248 A84EBD 132 BE 1 028 0002 000000002025D0000 FC90
Only two fields differ: the value (in cents) 00C8 becomes FE4C, and the checksum FD60 becomes FC90; every other field is unchanged.
Bitstir: MagCard Reverse-Engineering Framework
• Reverse Engineering GUI
• MSR206
• MagCard: read(), write(), erase(), …
• Utilities: conversions, comparisons, checksums, time stamps, …
• Card formats: CharlieTicket (Boston, MA), MetroCard (New York City, NY), …
Demo: MagCard and Reverse Engineering