Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized...

31

Transcript of Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized...

Page 1: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON
Page 2: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Exploiting 0ld Mag-stripe Information with New Technology

Salvador Mendoza Twitter: @Netxing Blog: salmg.net

Page 3: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

About Me

● Security Researcher

● Samsung Pay: Tokenized Numbers, Flaws and Issues

@Netxing

Page 4: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Analyzing previous talks/tools

● Major Malfunction DEFCON 14

Magstripe Madness

● Samy Kamkar

MagSpoof - 2015

● Weston Hecker DEFCON 24

Hacking Hotel Keys and Point of Sale Systems@Netxing

Page 5: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Intro to Magnetic Stripe Information

● Type of card capable of storing data by modifying the magnetism of tiny iron-based magnetic particles on a band of magnetic material on the card

● TL;DR –> Track1 = [UPPERCASE,numbers] Track 2/3 = Numbers

Sou

rce:

sam

y.pl

@Netxing

Page 6: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Magstripe Composition

%B4929555123456789^MALFUNCTION/MAJOR ^0902201010000000000000970000000?

@Netxing

Page 7: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Magstripe info, Parity, and Waves

@Netxing

Page 8: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Magstripe info, Parity, and Waves

@Netxing

Page 9: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Magstripe Signal

@Netxing

Page 10: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Major Malfunction DEFCON 14

https://www.youtube.com/watch?v=ITihB1c3dHw @Netxing

https://www.youtube.com/watch?v=ITihB1c3dHw
https://www.youtube.com/watch?v=ITihB1c3dHw
Page 11: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

BlueSpoof DescendancyMagSpoof

MagSpoofPI

SamyKam

First Prototypes

https://www.samy.pl

Designed PCB by @electronicats

http://www.samy.pl/magspoof
http://www.samy.pl/magspoof
Page 12: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Weston Hecker - DEFCON 24

@Netxing

Page 13: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Sound Amplifier

@Netxing

Page 14: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Raspberry Pi + Amplifier + Coil

@Netxing

Page 15: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Raspberry Pi - Demo

@Netxing

Page 16: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Bluetooth Technology

@Netxing

Page 17: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Bluetooth Speaker

@Netxing

Page 18: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Bluetooth Speaker

@Netxing

Page 19: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

MagSpoof Cousin

BlueSpoof MagSpoof

Electronic Cats(@electronicats) design

@Netxing

Page 20: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

BlueSpoof

@Netxing

Page 21: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

BlueSpoof tool - Characteristics

● Cheap < $20● Easy to implement● Escalable● 3.7 V Battery ● Fast transmission● Accurate

@Netxing

Page 22: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

BlueSpoof - Demo

https://www.youtube.com/watch?v=elzqLhLnCek@Netxing

https://www.youtube.com/watch?v=elzqLhLnCek
https://www.youtube.com/watch?v=elzqLhLnCek
https://www.youtube.com/watch?v=elzqLhLnCek
Page 23: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Multiple Targets?

@Netxing

Token 1

Token 2

Page 24: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Controlling Multiple Speakers?

@Netxing

Python Sound Device Library

https://pypi.python.org/pypi/sounddevice

https://pypi.python.org/pypi/sounddevice
https://pypi.python.org/pypi/sounddevice
Page 25: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Attack with Multiple Bluetooth Speakers?

https://www.youtube.com/watch?v=5hInVNLUC8s@Netxing

Dem

o

https://www.youtube.com/watch?v=elzqLhLnCek
https://www.youtube.com/watch?v=5hInVNLUC8s
https://www.youtube.com/watch?v=5hInVNLUC8s
Page 26: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Bonus Take-Away Project: iWey

@Netxing

+ =

Page 27: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

SamyKam

https://salmg.net/2017/01/16/samykam/@Netxing

https://salmg.net/2017/01/16/samykam/
https://salmg.net/2017/01/16/samykam/
https://salmg.net/2017/01/16/samykam/
Page 28: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Greetz, Hugs & Stuff

Samy Kamkar (@samykamkar)

Electronic Cats (@electronicats)

RMHT (raza-mexicana.org)

Los Razos!

@Netxing

Page 29: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Questions? Salvador Mendoza Twitter: @Netxing Blog: [email protected]

https://twitter.com/Netxing
http://salmg.net
Page 30: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Thank you!

Happy Hacking Anniversary!

Page 31: Exploiting 0ld Mag-stripe Information - DEF CON … CON 25/DEF CON 25...Samsung Pay: Tokenized Numbers, Flaws and Issues @Netxing Analyzing previous talks/tools Major Malfunction DEFCON

Resources

Samy Kamkar: samy.pl/magspoof

Electronic Cats: twitter.com/electronicats

Major Malfunction: youtube.com/watch?v=ITihB1c3dHw

Weston Hecker: youtube.com/watch?v=mV_0k9Fh590

@Netxing


Kartograph - DEF CON

Kartograph - DEF CON

Eric Sesterhenn 2018 CON 26/DEF CON 26 presentations/DEFCON-26... · DEF CON 26 Hacking Conference Author DEF CON Speaker Subject DEF CON 26 Presentation

Eric Sesterhenn 2018 CON 26/DEF CON 26 presentations/DEFCON-26... · DEF CON 26 Hacking Conference Author DEF CON Speaker Subject DEF CON 26 Presentation

DEF CON 23 Presentation CON 23/DEF CON 23 presentations/DEF CON 23... · GPS SPOOFING Low-cost GPS simulator HUANG Lin, YANG Qing Unicorn Team – Radio and Hardware Security Research

DEF CON 23 Presentation CON 23/DEF CON 23 presentations/DEF CON 23... · GPS SPOOFING Low-cost GPS simulator HUANG Lin, YANG Qing Unicorn Team – Radio and Hardware Security Research

WhyMI so Sexy? WMI Attacks, Real-Time Defense, … CON 23/DEF CON 23...Title DEF CON 23 Presentation Author DEF CON 23 Speaker Subject DEF CON 23 Presentation Keywords

WhyMI so Sexy? WMI Attacks, Real-Time Defense, … CON 23/DEF CON 23...Title DEF CON 23 Presentation Author DEF CON 23 Speaker Subject DEF CON 23 Presentation Keywords

Hacking MANET - Def Con

Hacking MANET - Def Con

DEF CON 26 HACKING CONFERENCE CON 26/DEF CON 26 receipt.pdf · Title: DEF CON 26 HACKING CONFERENCE Author: DEF CON 26 Subject: DEF CON 26 RECEIPT Keywords: DEF CON Conference, DEF

DEF CON 26 HACKING CONFERENCE CON 26/DEF CON 26 receipt.pdf · Title: DEF CON 26 HACKING CONFERENCE Author: DEF CON 26 Subject: DEF CON 26 RECEIPT Keywords: DEF CON Conference, DEF

Aaron Bayles DC101 @ DEF CON 22 - DEF CON® Hacking Conference · Aaron Bayles DC101 @ DEF CON 22 ... //media.blackhat.com/us ... Lockpicking, Hackers, Infosec, Hardware Hacking,

Aaron Bayles DC101 @ DEF CON 22 - DEF CON® Hacking Conference · Aaron Bayles DC101 @ DEF CON 22 ... //media.blackhat.com/us ... Lockpicking, Hackers, Infosec, Hardware Hacking,

Network Protocol Reverse Engineering - DEF CON CON 24/DEF CON 24...Katea Murray –murrayka@leidos.com 2016-08-05 Estell/Murray Eavesdropping on the Machines 28. Title: DEF CON 24

Network Protocol Reverse Engineering - DEF CON CON 24/DEF CON 24...Katea Murray –[email protected] 2016-08-05 Estell/Murray Eavesdropping on the Machines 28. Title: DEF CON 24

Bypass firewalls, application white ... - media.defcon.org CON 22/DEF CON 22 presentations... · DEF CON 22, 2014. Hungary. root@ ... ... DEFCON, DEF CON, Hacker, Security Conference,

Bypass firewalls, application white ... - media.defcon.org CON 22/DEF CON 22 presentations... · DEF CON 22, 2014. Hungary. root@ ... ... DEFCON, DEF CON, Hacker, Security Conference,

DEF CON 23 Presentation

DEF CON 23 Presentation

1408 DC10 Program - Def Con

1408 DC10 Program - Def Con

Kiosk Security - DEF CON

Kiosk Security - DEF CON

DEF CON 25 Hacker Conference - DefCon Media Server CON 25/DEF CON 25 presentations/DEF… · functionality = self.checklist["Functionality"] ... Manually add ancillary data (pentest/other

DEF CON 25 Hacker Conference - DefCon Media Server CON 25/DEF CON 25 presentations/DEF… · functionality = self.checklist["Functionality"] ... Manually add ancillary data (pentest/other

DEF CON 24 Hacking Conference CON 24/DEF CON 24 presentations/DEF CON 24...RDS-1 or "Stalin's Jet Engine" Inside knowledge of the Manhattan Project combined with looting Germany's

DEF CON 24 Hacking Conference CON 24/DEF CON 24 presentations/DEF CON 24...RDS-1 or "Stalin's Jet Engine" Inside knowledge of the Manhattan Project combined with looting Germany's

DEF CON 24 Hacking Conference CON 24/DEF CON 24 presentations/DE… · Samsung Pay Tokenized Numbers, Flaws and Issues. About Me Salvador Mendoza (Twitter: @Netxing) Researcher o

DEF CON 24 Hacking Conference CON 24/DEF CON 24 presentations/DE… · Samsung Pay Tokenized Numbers, Flaws and Issues. About Me Salvador Mendoza (Twitter: @Netxing) Researcher o

DEF CON 26 Hacking Conference - DEF CON Media Server CON 26/DEF CON 26 presentations/DEF… · started in late 2017 to prepare for the 2018 CCDC season. We ended up using the BETA

DEF CON 26 Hacking Conference - DEF CON Media Server CON 26/DEF CON 26 presentations/DEF… · started in late 2017 to prepare for the 2018 CCDC season. We ended up using the BETA

DEF CON 26 Hacking Conference CON 26/DEF CON 26...Find us on Twitter: @michaelossmann / @dominicgs Title DEF CON 26 Hacking Conference Author DEF CON Speaker Subject DEF CON 26 Presentation

DEF CON 26 Hacking Conference CON 26/DEF CON 26...Find us on Twitter: @michaelossmann / @dominicgs Title DEF CON 26 Hacking Conference Author DEF CON Speaker Subject DEF CON 26 Presentation

Abusing Firefox Extensions - DEF CON

Abusing Firefox Extensions - DEF CON

HACKING HOTEL KEYS - DEF CON CON 24/DEF CON 24 presentations/DEF… · HACKING HOTEL KEYS Security Consultant ... Researcher. 9About 11 years pen-testing, Security Research, ... 912

HACKING HOTEL KEYS - DEF CON CON 24/DEF CON 24 presentations/DEF… · HACKING HOTEL KEYS Security Consultant ... Researcher. 9About 11 years pen-testing, Security Research, ... 912

DEF CON 24 Hacking Conference CON 24/DEF CON 24 presentations/DEF… · •Dummy frame injection •Delaying acknowledgments ECU CAN High CAN Low ... #wireshark -X lua_script:ethcan.lua

DEF CON 24 Hacking Conference CON 24/DEF CON 24 presentations/DEF… · •Dummy frame injection •Delaying acknowledgments ECU CAN High CAN Low ... #wireshark -X lua_script:ethcan.lua