breaking the back end! - def con con 27/def con 27 presentations/defcon-27-gregory-pickett...epic...
TRANSCRIPT
DefCon 27, Las Vegas 2019
Breaking the back end!
Overview
* Transit System
* Reverse Engineering
* My Discoveries
* The Exploit
* The Lessons
How This Is Different
* This is not illegal
  * We aren’t sneaking into the station
  * We aren’t hacking their terminals
  * We aren’t social engineering anyone or attacking their wired/wireless network
* This is not about the hardware
  * We aren’t cracking anyone’s encryption
  * We aren’t cloning the magstripe, RFID, or NFC
How This Is Different
* This Is About
  * Flaws in the Application Logic
  * OK. Cloning is involved but it is not the vulnerability exploited
  * Using AppSec to attack Complex Multi-Layered Real World Solutions
Elevated Train
* Bangkok Mass Transit System (BTS)
* Elevated rapid transit system in Bangkok, Thailand
* Serves Greater Bangkok Area
* Operated by Bangkok Mass Transit System PCL (BTSC)
* 43 stations along two lines
Tickets
* Stored-Value Card (NFC)
* All Day Pass (Magstripe) and Single Journey (Magstripe)
Tickets
* Two magstripes
* Hole through one magstripe
* Only 0.27mm thick
Tickets
Tickets
The Equipment
* Standard Reader/Writer
* Manufactured in China
* Standards or Raw Read
* Errors Rare
* Reliable Performance
Lab Work
* Attempted Decode Using Standards
  * International Organization for Standardization
  * 6-bit Character sets and 4-bit Character sets
  * Some With Parity and Some Without
* Attempted Decode both forwards and backwards
* It wasn’t using the standards
Lab Work
* There is no encryption
* There are no parity checks
* There was no longitudinal redundancy check (LRC)
* There are no timestamps
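The decode attempt the two Lab Work slides describe, as an added example and not the speaker's own tooling: it applies the ISO/IEC 7811 4-bit and 6-bit alphabets with odd parity and a trailing LRC to a raw bit dump, forwards and backwards, and returns None whenever a dump is not standards-conformant. The bit strings are constructed here with the included encoder; the real tickets' data is not on the page.

```python
"""Added example: attempt an ISO/IEC 7811 decode of a raw magstripe bit dump."""
from typing import Optional

# ISO/IEC 7811 alphabets: track 2 uses 4 data bits + odd parity (16 symbols),
# track 1 uses 6 data bits + odd parity (64 symbols); data bits are sent LSB first.
ALPHABETS = {4: [chr(0x30 + v) for v in range(16)], 6: [chr(0x20 + v) for v in range(64)]}
START_SENTINEL = {4: ";", 6: "%"}   # the end sentinel is "?" in both alphabets

def decode_iso7811(bits: str, data_bits: int) -> Optional[str]:
    """Return the text between the sentinels if every character has odd parity
    and the trailing LRC (XOR of all data characters) matches, else None."""
    alphabet, width = ALPHABETS[data_bits], data_bits + 1
    pos = bits.find("1")                      # leading zeros are clocking bits
    out, lrc = [], 0
    while pos >= 0 and pos + width <= len(bits):
        chunk = bits[pos:pos + width]
        pos += width
        if chunk.count("1") % 2 != 1:         # parity bit must make the count odd
            return None
        value = int(chunk[:data_bits][::-1], 2)
        if not out and alphabet[value] != START_SENTINEL[data_bits]:
            return None                       # must open with the start sentinel
        if out and out[-1] == "?":            # character after the end sentinel is the LRC
            return "".join(out) if value == lrc else None
        lrc ^= value
        out.append(alphabet[value])
    return None                               # bits ran out before a valid LRC

def try_all(bits: str) -> dict:
    """Try both alphabets in both read directions, as the lab work did."""
    return {f"{w}-bit {d}": decode_iso7811(b, w)
            for w in (4, 6) for d, b in (("forward", bits), ("backward", bits[::-1]))}

def encode_iso7811(text: str, data_bits: int) -> str:
    """Encode text (sentinels included) with odd parity and LRC; used only to
    build the constructed sample below."""
    values = [ALPHABETS[data_bits].index(c) for c in text]
    lrc = 0
    for v in values:
        lrc ^= v
    out = ""
    for v in values + [lrc]:
        data = format(v, f"0{data_bits}b")[::-1]          # LSB first
        out += data + ("0" if data.count("1") % 2 else "1")
    return "0000" + out + "0000"                           # clocking bits either side

if __name__ == "__main__":
    sample = encode_iso7811(";1234?", 4)                   # constructed conformant dump
    print(try_all(sample))                                 # only "4-bit forward" decodes
    corrupted = sample[:10] + ("1" if sample[10] == "0" else "0") + sample[11:]
    print(try_all(corrupted))                              # every attempt returns None
```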
Field Work
* The section “7826” is the Ticket Type
* The section “00FF74” is always 100 + the price of the ticket
* For all day passes, the section “00FF74” is used to track trips taken
Field Work
[Slide diagram; labels: GUID, GUID, GUID, Station Dispenser, Station Turnstile]
Field Work
Handling Rules
* To Enter,
  * Ticket must have previously been in “Collected” State
  * Ticket Must Now Be In “Issued” State
* To Exit, Ticket Must Be In “Used” State
Exploiting This System
* What We Have Learned So Far
* System Safeguards
* Their Assumptions
* Attacks Against Their Assumptions
* Epic Fail!
What We Have Learned So Far
* Object Based
  * Physical Object
  * Database Object
* Properties
  * Identification
  * Type
  * Value
  * Location
What We Have Learned So Far
* States
  * Issued
  * Used
  * Collected
* History
System Safeguards
* Ticket Composition and Ticket Design
* Mirror Physical Object and Database Object
* Handling Rules Define Valid Use of The Objects
* Lifecycle limited to Twenty-Four Hours
* Collection of Ticket After Use
Their Assumptions
* No One Will Be Able to Reproduce Our Ticket
* Our System Has The Only Valid Objects
* Handling Rules Will Prevent Concurrent Use
* Damage is limited by Lifecycle
* After Use, Ticket Will Be In Our Possession
Attacks Against Assumptions
* Acquire Suitable Ticket
* Capture Valid Object
* Bypass Rules
* Extend the Attack to Increase the Damage
Epic Fail!
* Found Someone to Make Blank Tickets
* Copied Shit Ton of Objects in “Issued” State
* Found Flaw In the Handling Rules
  * “Collected” State found in Current Lifecycle Overrides all other states!
  * Object Always Seen Recently “Collected”
  * Run The Original Ticket
  * All Copies Immediately Become Valid
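The handling-rule flaw as a small state machine, added here as an illustration and not the operator's code: the flawed gate lets a "Collected" event in the current lifecycle override the object's state, so copies sharing the GUID pass once the original has ridden, while the hardened gate decides on the back-end state alone, treats Collected as terminal for the lifecycle, and raises an alert when one GUID is presented at entry more than once (a compensating control of the kind the closing slide calls for). The record shape and the GUID are constructed; only the states and rules the slides name are modelled.

```python
"""Added example: ticket lifecycle as a state machine, flawed rule beside a fix."""
from dataclasses import dataclass, field

ISSUED, USED, COLLECTED = "Issued", "Used", "Collected"

@dataclass
class TicketObject:
    """Back-end record for one GUID (constructed shape, not the real schema)."""
    guid: str
    state: str = ISSUED
    history: list = field(default_factory=list)  # states seen in the current lifecycle
    presentations: int = 0                        # entry attempts in the current lifecycle

class Gate:
    def __init__(self, flawed: bool):
        self.flawed = flawed
        self.alerts = []

    def enter(self, obj: TicketObject, stripe_state: str) -> bool:
        obj.presentations += 1
        if self.flawed:
            # The flaw: a "Collected" found in the current lifecycle overrides every
            # other state, so once the original has ridden, any copy carrying the
            # GUID (stripe says "Issued") passes the entry check.
            ok = COLLECTED in obj.history or (stripe_state == ISSUED and obj.state == ISSUED)
        else:
            # Hardened: decide on the back-end state alone, and treat "Collected"
            # within this lifecycle as terminal; the stripe's claim is never decisive.
            ok = obj.state == ISSUED and COLLECTED not in obj.history
            if obj.presentations > 1:  # compensating control: same object seen again
                self.alerts.append(f"{obj.guid} presented {obj.presentations}x at entry")
        if ok:
            obj.state = USED
            obj.history.append(USED)
        return ok

    def exit(self, obj: TicketObject) -> bool:
        ok = obj.state == USED or (self.flawed and COLLECTED in obj.history)
        if ok:
            obj.state = COLLECTED
            obj.history.append(COLLECTED)
        return ok

def run_scenario(flawed: bool) -> dict:
    """Original ticket rides once; three copies with the same GUID then try to ride."""
    gate, obj = Gate(flawed), TicketObject("guid-0001")  # constructed GUID
    original = gate.enter(obj, ISSUED) and gate.exit(obj)
    copies = [gate.enter(obj, ISSUED) and gate.exit(obj) for _ in range(3)]
    return {"original": original, "copies": copies, "alerts": gate.alerts}

if __name__ == "__main__":
    print("flawed:  ", run_scenario(True))   # copies: [True, True, True]
    print("hardened:", run_scenario(False))  # copies: [False, False, False], 3 alerts
```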
Epic Fail!
[Slide image: X X X]
Epic Fail!
[Slide image: √ √ √]
Epic Fail!
Epic Fail! (Demonstration)
Turning The Exploit Into An Attack
* Tickets
* Plan
Tickets
The Plan
* Buy Ticket (Daily Pass)
* Copy Ticket
* Use Original
* Hand Out Copies
* Have Fun!
* Repeat Tomorrow!
Results of The Attack
Extend the attack!
Avoiding Their Fate
* Test All Layers of a Solution
* Test for Application Issues
* Check Your Assumptions
* Use Compensating and Mitigating Controls
Links
* https://wikileaks.org/wiki/Anatomy_of_a_Subway_Hack_2008
* https://file.wikileaks.org/file/anatomy-of-a-subway-hack.pdf
* https://defcon.org/images/defcon-16/dc16-presentations/anderson-ryan-chiesa/47-zack-reply-to-mbta-oppo.pdf
* https://www.computerworld.com/article/2597509/def-con--how-to-hack-all-the-transport-networks-of-a-country.html
* https://www.cio.com/article/2391654/android-nfc-hack-enables-travelers-to-ride-us-subways-for-free--researchers-say.html
* https://www.youtube.com/watch?v=-uvvVMHnC3c
* https://www.blackhat.com/docs/asia-17/materials/asia-17-Kim-Breaking-Korea-Transit-Card-With-Side-Channel-Attack-Unauthorized-Recharging-wp.pdf
Links
* https://www.msrdevice.com
* https://www.msrdevice.com/product/misiri-msr705x-hico-magnetic-card-reader-writer-encoder-msr607-msr608-msr705-msr706
* https://www.alibaba.com/
* https://nexqo.en.alibaba.com
* http://www.nexqo.com/
* https://www.bts.co.th/
* http://www.btsgroup.co.th