Gregory Pickett – Breaking the Back End Sometimes it's Just Bad Design – DEF CON 27 Conference


>> Uh, so welcome to the last uh track speaker here for track 3 for Friday. Uh, we've got uh Gregory Pickett uh going into Breaking the Back End. So here we go, Gregory.

>> Hi. [applause] Alright, Breaking the Back End, DEF CON 27, got that number right, right? Long day. My name is, uh, as you said, I'm Gregory Pickett with Hellfire Security, with the cybersecurity operations groups.

Our talk today, alright: the transit system, our target. Reverse engineering the target. Alright, the discoveries that I made reverse engineering it. Then of course the exploit that I developed with what I discovered. And of course, lessons to be learned.

Always lessons. Without the lessons, what's the point, right? Alright, how is this different? We're not sneaking in the station, we're not hacking the terminals. We aren't socially engineering anyone or hacking the wire to a wireless network. It's not about the hardware. We're not going to be breaking any encryption.

We're not going to be cloning magstripes or NFC cards. Instead this is about flaws in application logic. There is some cloning involved, but it is not the vulnerability exploited. Instead we're using AppSec to attack a complex, multilayered, real-world solution. Okay.

Our target, the elevated train, is the Bangkok mass transit system. That's the elevated uh train in Bangkok, Thailand. Serves the greater Bangkok area. Think about the time I started this: 43 stations. Uh, 2 lines, but I believe there are more now and actually more being added uh as we speak.

That transit uses uh 2 different types of tickets: a stored-value card, using NFC, and then a single pass journey using a magstripe. Uh, let's see. Magstripe, that's what we're gonna look at.

Those uh tickets have 2 magstripes; there's a hole through one of the magstripes. And it is only zero point 27 millimeters thick. Uh, picture there. At the top is the single journey ticket. The bottom is the all-day pass.

You can mouse over there, you can see the little hole right there. Okay. See how thin it is. You are not going to be opening up a catalog and ordering it; you're going to be able to go down to the store and ask for it. Alright.

Course the first thing you're gonna do is read it. Alright, the equipment there: standard reader/writer, manufactured in China before the tariff, so not quite as expensive as it could have been. Standards or raw read, so I would tell you, of course, take the data and then decode it according to uh standards, or just dump the data in a raw read. Errors are rare.

It's able to handle that hole, which I originally thought was a 1980s-style copy protection. If you're familiar with that, uh, they used to damage a sector in the discs, so if you attempted to copy an area, it'd error out, and of course you then couldn't copy it and pass on the copy to a friend. Turns out the hole is just to make sure that the ticket is properly aligned. Alright. Turned up the right direction and facing the other right direction, so it would be going into the feeder properly.

And then there's reliable performance. They're gonna start analyzing any data; you wanna make sure the data is reliable, or otherwise you can't really perform any analysis that way. It's not reliable. First thing you do is sit down in a lab and you attempt to decode this according to standards, using uh the International Organization for Standardization.

Uh, there's a lot there actually, but it boils down to 6-bit and 4-bit characters, some with parity and some without. I have attempted to decode this both forwards and backwards. I am uh a perfectionist, uh, somewhat anal retentive I think is the term I used to use. So I'm going over and over again to make sure that it wasn't the software making a mistake, and that I'm not making a mistake, 'cause I would do it with the software and also would do it manually. So I finally decided, after doing this again and again and again, that it wasn't using the standards.

And um, maybe it's not encoded at all, alright. Maybe it's just raw data. So we'll see. Okay. So I'm looking at the data; it's not encrypted.

There are sections that repeat. If it's repeating, it's not encrypted. No parity checks. If you break up the bits, you count that parity and then you check the ticket to see if it's represented that way there on the ticket. It's not.

So now, uh, no CRCs, no LRCs, and no timestamps. If you buy a ticket and you wait 10 seconds, nothing increments by 10. So after this, I think we can say it's just raw data. But what does that data mean, alright? Uh, it's the field work. You run that ticket through the system, you vary the input each time, and then you're gonna see how the data changes.

It's gonna, you know, use those changes to identify the meaning. Okay. And before you do that analysis you want to try to reduce your workload, alright? The less work you have to do the better. So I talked about duplication, or duplicated sections. The yellow sections up there were essentially duplicated.

Didn't need to look at them, then you just dump them out. There's sections that uh had utilitarian use. This data actually sits in zeroes. Alright. It gives the uh ticket a chance to line up properly in the reader, alright.

So there's basically a delay with those zeroes. Well, that's a start sentinel. It functions as a start sentinel. It's a single bit saying data is now coming. So I don't really need to analyze that.

Knew it just looking at it. That's another benefit of going over the data again and again earlier: you have some insights later on. The 7826, which is the red, uh, you can't see that probably very well. I was buying tickets and taking a look at them.

I would have one particular value for the single journey and then I have a different value for the all-day pass, so quite obvious at that point in time that that's a ticket type. This here, this little, these 2 little uh, these 2 nibbles there ended up being 100 plus the ticket price. So all that jumped out at me; I don't really need to do any deeper analysis on that. That leaves me with 4 sections: this one here, this one here, this one here, and this one here.

So it's a lot less work. Now each of these of course is different from ticket to ticket. It's important to note also that this here, and you probably can't tell that, but it's blue, uh, that actually changes as the ticket is used, as it goes through the system. Okay.

Alright, so after I observed those changes, this is what I found. Each ticket has a GUID associated with it. And the location. Initially it's in a dispenser, and it's a GUID associated with its arrival there.

When the ticket moves, the location is updated to a turnstile. There it is. Uh, and a GUID associated with its arrival there. When the ticket moves it also changes state. Goes from issued to used to collected.

When you buy it, it comes out of that dispenser; it's in the issued state. You go and use it to enter, it goes through the turnstile, now in the used state. Then when you exit, alright, it gets captured by the turnstile, and it's then in the collected state. Okay. There's also some handling rules.

To enter, the ticket must have previously been in the collected state, meaning it was just sitting in a turnstile somewhere. Previous uncollected state, coming out of the dispenser, now currently in issued state. Alright, that's what the object uh was, where it was and where it is now. Then of course you can use it to enter.

To exit, the ticket must now be in the used state. Okay. So gonna look to exploit this system. Gonna cover briefly, you know, what we've learned so far, kind of summarize everything up.

Talk about uh system safeguards that become evident as you examine the system, the assumptions that they must have had uh when putting together the safeguards, and then we'll talk about attacks against their uh assumptions. And then of course, obviously, this is why I'm here, there was an epic fail there. We don't have regular fails here at DEF CON, we have epic fails.

Alright, so uh what we've learned so far. It's an object-based system. It has a physical object and a database object. We know this one because, uh, well I, primarily, you go ahead and try to modify any of the data on the ticket, and the little screen at the turnstile says, go to the office. It's like, you know, school.

You do something wrong and you go to the office. Uh, now I knew there was a database representation, alright, a database object, because there was no integrity checking on that ticket, so there had to be an external reference, and it's typically a database. And each of these objects, alright, whether it's a physical object, whether a database object, has properties. There's identification.

There's a type of value and a location. So actually rather different uh than most systems, or transaction-based. This is more of an object base. Okay. Alright, and this object also has states.

Issued, used, collected, and a history. Alright. Now there's some system safeguards that become evident: ticket composition and ticket design. There was a mirrored physical object and a database object.

There were handling rules and there's life cycle, alright. It was only good for 24 hours, basically. And this ticket will be collected after you've used it, alright. The assumptions using these particular safeguards is that no one, right, no one will be able to reproduce their ticket. And their system has the only valid objects, alright.

Handler rules will prevent concurrent use. I can't hand this to my buddy, alright, I go through and then hand it back to someone. No one can do that. At least that was their assumption.

Uh, damage is limited to life cycle, right? So if somehow someone is able to bypass these safeguards, well, what damage could they do in 24 hours? And finally, after use, the ticket will be in their possession, right? You have it in your possession, now you feel safe. Attacks against those assumptions. First one, right, acquire a suitable ticket. They say, or they believe, that they, no one else can make these tickets. Let's find out if that's true.

Capture a valid object. Bypass those handling rules, and then uh extend the attack to increase the damage. Right. Get beyond that 24-hour, it's probably a little shorter than that, window. Okay.

It was indeed an epic fail there. I did find someone to make blank tickets. It took me a really long time. Most companies said you couldn't do it. But I was persistent.

Uh, I also had Alibaba. Anyone out here ever use Alibaba? Familiar with it? Yeah, it's great, right? Um, and then I did copy a s**t ton, hmm, of the objects, and I feel comfortable enough to say that here, s**t ton. Um, in the issued state, and I just found a flaw in the handling rules. Alright? What I found was the collected state found in a current life cycle overrides all other states, alright. So the object is always seen as recently collected.

You run that virtual ticket through, that recently, uh, that recently collected, it's stuck in there. So it doesn't matter if you have all these other tickets currently in use, it doesn't see that, doesn't see that it has a previous state, doesn't see that there's concurrency going on. It just sees that one collected. You're stuck in there, until any of these other copies that you use out there, they're all valid. Alright.

And I'll demonstrate that. It's really simple. It's a very simple attack. Um, just have to look at it, and, but it's very effective, alright. So in normal circumstances, if there's concurrency, other, you know, multiple tickets or copies being used, you attempt to use one of them and it's just seen one

in the uh in the used state, so now it sees it in the issued state and it says, nope, it does not follow my handling rules. So none of the copies would work. Okay. But if you let it run through, alright, now just hand it back to your buddy, let it go all the way through, and every single copy then becomes valid.

It doesn't see concurrency. Right. You could have 3 tickets, 4 tickets, 5 tickets, all the same ones, it doesn't see that. It doesn't see that they're being used at it right now. It just sees that one: I was previously collected and now I'm issued, and fine, go ahead and go through.

So 1, 2, 3, 5, 20, it doesn't matter. It'll let all these people go through with the same ticket, okay. Of course you can't just say this. You have to have some data that backs it up. And I'll have a video here in just a second.

Alright, so we have at the top there, this is all the same ticket, alright. This is an original and 2 copies. Have all the same GUID, coming out of the same dispenser and at the very same instant, because it's the same ticket. So it's got the same GUID and you can see it's actually used 3 separate times.

It's very hard to make that out, right, it's very small hex letters. But you can at least uh see that it's different. So we have the same ticket being used 3 separate times, 3 separate turnstiles, and actually I believe in one instance a different uh station altogether, with different GUIDs. And same thing here for these all-day passes. It's actually the same all-day pass.

It's used 2 separate times in 2 separate stations, and do it with 2 separate turnstiles, and uh 2 separate instances of the GUIDs. And a video. Have to get it over there though. I had, it's only 20 minutes. Uh, originally it was a 45-minute talk and there was a lot more about Thailand, uh, this was where the research was done, obviously, in Bangkok.

Uh, they are currently, they were at the time and they're currently, uh, currently still, okay, get the button there, uh, run, the country's run by junta, a military dictatorship, guys with machine guns, uh, with, you know, no questions asked, you wanna be arrested, okay, disappear. Um, so I was a bit skittish. We have an error message? I can't really see that. Let me have a few minutes. Let me go and drag this back over here.

We can't. Alright, I have no idea where that's at. Do you guys know where this stuff's at? We're good on time, so, you know, we can make mistakes.

>> Um.

>> It didn't bring it up, it just. We can't play it, it's too bad, because most, um, most of it's my feet.

>> Supposed to be right here?

>> Yeah. Okay, let me pause that. Yes, there's a lot of the ground and my feet. See it here. Hmm, there we go.

Great sandals, right? Here we are. So yes, uh, at the time this research was done, oh, I forgot about the audio, junta was in charge, guys with machine guns, so I was a little worried I could be disappeared. Um, as I found, it's white men, white guy, uh, in Thai: lots of privileges but no rights.

Which means, and you combine that with junta, yeah, it's quite easy, it would be easy for them to make me disappear. You'll see, here we go, obviously not a genuine ticket. Uh, there we go. As I said, that was mostly my feet, 'cause I was worried about being put in jail, disappeared. Uh, so I kept the phone by my side, as you can tell.

Um, and then of course, when it was time for the money shot, I pulled that up, and then, and then see if you guys, if anybody could uh see that it's not a genuine ticket. It was in fact a counterfeit, okay. Um, and you could run around with 5 of these, 10 of these, 20 of these, it really, um, the system would let all of them through at that point. Okay. Alright, so that was fun, right? Um, but to turn this into an exploit, alright,

from an exploit to an attack, you have to have those blank tickets and you have to have a plan. Because we actually have one more safeguard, right? Get beyond that 24 hours. So I did find someone, as I said, to make these tickets. Took a long time, many, many months, uh, with vendors, talking to them, trying to get them to understand what I wanted. And then try to get them past the "no, we can't make it."

So there are the tickets there. So the plan is: buy all-day pass, copy that ticket, and you're gonna go ahead and then use the original. Put that in that state. And you have the copies, have fun. Now you can do that yourself, you can do that with your friend and your pastor, your monk, whatever, everyone can ride, but they're actually, it can turn into something more.

Uh, you can go beyond just a couple of your friends there, you know, 5 of ya. You can go ahead, instead, make 10 or 20, or a thousand. First uh time you run the attack, it's about 3 dollars for the all-day pass. You're buying your blanks for about 100 dollars.

Um, so 105 dollars to do damage to the [inaudible] organization of about 5 thousand dollars. Lasts the first day, but they're all-day passes. You get to keep the all-day pass. It actually, you have to use it all day, right? Well, just keep it with you at the end of your day, don't bring it back. Um, end your day a little early, and so you use it again the next day, so each day of the attack is about 3 dollars to do about 5 thousand dollars worth of damage.

And you can of course do that a whole lot more. Uh, if you're going, uh, I hate to say cyber warfare, but if documenting undermining a country, start making uh their infrastructure unreliable. Alright, reducing trust, trust in these sorts of uh things that people rely on. You could just do this with a group of people, you could do this over years, you can very cheaply, do you know, uh, 3 dollars every day, right, end up doing 8 million dollars worth of damage. You undermine their operations, and you start looking at, um, really hurting the company to the point where they can't make the repairs they need to make, where the system becomes unreliable.

Um, you could do the opposite. You turn it into a PR nightmare, where you decide to go out with 10 thousand of these things and start handing them out. And mean, and after that, the system shuts down because they have to stop everyone to take a look at their tickets. People can't get to work, um, it's a huge PR nightmare to do it that way. So a lot can be done with this.

So yes, you can extend the attack beyond those, the 24-hour window. You can do a lot more damage than you think, than you realize you can do. Okay. So obviously, to avoid their fate, test all layers of the solution. Not just hardware, despite the fact that that's your interaction, alright, passing this ticket through a hardware system.

It's not just hardware, there's software in there somewhere. So you're gonna have to, at some point in time, test for application solutions. And more importantly, check your assumptions. I suspect that many years ago, when this was first implemented, the assumptions were mostly true. Mostly.

Um, but things have changed, and so you have to check. That's why I think, you know, good idea, right? Do a pen test every single year. Do some sort of assessment every single year to make sure your assumptions are still valid. Okay. And then compensating and mitigating controls. I did this on and off.

I spent a lot of time in Asia. I was doing this on and off for two years. Alright. I think that they were watching, if they had any sort of monitoring going on, they would have noticed. They would have found the problem, they would have resolved it.

Since they didn't, they must not do any sort of monitoring, any sort of oversight of their own enterprise, their own system, right? And it's a very bad, bad idea. As we all know, people eventually get in, so we have to be ready when that, when they do. Okay. So that's obvious that they were not using compensating, mitigating controls, so it's important that we as practitioners recommend and do so ourselves. Don't end up like them.

And then links. I do this, lots of information that you can learn about from the hardware I use, the standards involved in, uh, I don't think I have it with me. But uh I do. So you know, the hardware involved.

Um, the different talks prior to this section, all that got cut was the talks, these other talks, other ways of looking at the transit systems and attacking them. Um, there is information about our friends at the BTS, right? Um, and I say it's important to look at these sorts of things because this was actually what I got today from, still using magstripe. Lots of places are using magstripe. So learn about it. Look at other magstripes that are out there. This came from, does anyone recognize it? Monorail, right.

Um, I wanna, what this is on this, right? What's, I wanna look at this. Um, I'm tempted to just start carting my magstripe reader everywhere I go. Um, just because you're done seeing all these things. Um, there's lots of opportunities. That is the talk.

That's everything. I think I'm out, over early, right? Yeah. Any? Yeah. [applause]

Source: Youtube