SlideShare une entreprise Scribd logo

StHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coin

StHack
StHack

Le protocole ccTalk est utilisé dans la communication entre les périphériques de gestion de monnaie que l'on retrouve dans la plupart des machines de vente, comme les distributeurs automatiques. Ce protocole n'est pas très connu, et peu d'information existe sur Internet à ce sujet. Cette présentation vise en premier lieu à présenter le protocole ccTalk et ses applications. Divers outils permettant de travailler avec ce protocole seront aussi présentés ainsi que plusieurs faiblesses d'implémentation ou de protocole.

Technologie
1  sur  43
Télécharger pour lire hors ligne
Please insert inject more coins St'hack 2013 Press start
  x 2 Me ? ● Nicolas Oberli (aka Balda) ● Security engineer @ SCRT ● CTF enthusiast ● Retro gamer ● Beer drinker / brewer
  x 3 It all started so simply... ● I wanted to add coin handling to my MAMEcab ● Bought a coin acceptor on an auction site
  x 4 Coin handling devices ● All kinds of machines use coin handling devices – ATMs – Vending machines – Casino slot machines – … ● Multiple devices are used in these machines
  x 5 Coin / Bill acceptors ● Used to count coins and bills ● Can detect coin/bill value ● Detects false coins/bills
  x 6 Coin sorters ● Used to sort coins into different trays ● Connected after a coin acceptor – The acceptor tells the sorter which channel (tray) to place the coin in
  x 7 Coin hopper ● Used to give coins back to the customer – One hopper per coin value – Gives coins back one by one
  x 8 Communication protocols ● Multiple protocols are used to communicate with these devices – Parallel – Serial (RS232) – MDB – ccTalk ● The protocols are very vendor-specific ● ccTalk is what we will be talking about
  x 9 ccTalk ? ● “coin-controls-Talk” ● Semi-proprietary protocol – Maintained by Money Controls LLC, England – Protocol specs available on cctalk.org ● Some parts of the specs are only available after signing a NDA :-(
  x 10 ccTalk ? ● Request / response messages ● RS232-like data transmission – Uses only one wire for both sending and receiving – 9600 bits/s, 8N1, TTL signals (0 - 5V) ● Each device has its own address on the bus – By default 1=controller, 2=coin acceptor
  x 11 ccTalk message format ● All frames use the same format – Header is the actual command sent to the device ● Header equal to 0 means it's a response ● Payload length can vary from 0 to 252 – Data length != packet length ● Checksum is the complement to 0xFF of the packet destination data length source header [data] checksum 1 byte
  x 12 ccTalk headers ● Each command is assigned a header – Since its coded in a byte, 256 possible commands ● From the doc :
  x 13 Sample communication ● 02 00 01 FE ff – Sample poll from @01 to @02 ● 01 00 02 00 FD – Response from @02 to @01 ● 02 00 01 F6 07 – Request manufacturer ID ● 01 03 02 00 4E 52 49 11 – Response (length 3) : NRI ● (ASCII encoded)
  x 14 Coin acceptor handling ● The controller can ask a coin acceptor its status using header 229 – The response contains the following payload ● Counter is incremented for each event generated by the acceptor – Event counter cycles from 1 to 255 Result 1A Result 1Bcounter Result 2A Result 2B Result 3A Result 3B Result 4A Result 4B Result 5A Result 5B 1 byte
  x 15 Coin acceptor results ● The last five results are sent in the response – Result A contains the validation channel ● A device can recognize a certain amount of different coins which are organized in channels ● Either set by the manufacturer or by config – Result B contains the error code (Bad coin, mechanical error, ...) ● Again, the codes are vendor specific – Sometimes, results A and B are switched
  x 16 Initial project ● Implement the ccTalk protocol to handle a coin acceptor ● Use a Teensy in keyboard mode – When a coin is inserted, determine its value and send the corresponding number of keystrokes to MAME
  x 17 Teensy ? ● Hardware prototyping board ● Can use the Arduino IDE to write code ● Adds the possibility to emulate USB devices – Mouse, serial port, keyboard, ...
  x 18 Demo !
  x 19 Can we do more ? ● Other vending machines may use other headers and / or functions ● It is difficult to track responses – You need to decode the request first ● There is no open source sniffer for ccTalk...
  x 20 Introducing ccSniff/ccParse ● Python utilities used to sniff data on a ccTalk bus and parse the sniffed data to a readable format – Uses a ccTalk library developed from scratch ● Can use a bus pirate to sniff – It's the best way, since it can handle UART signals correctly
  x 21 Bus pirate ? ● Open source hardware hacking tool ● Easy interfacing with a lot of protocols – UART, SPI, I2C, 1-Wire, JTAG, … ● Usage can be scripted
  x 22 Demo !
  x 23 Can we do even more ? ● What if we can inject some data on the bus ? – Like telling the controller “Hey ! I'm the coin acceptor and I received a LOT of money !” ● The problem is, we only have one wire for the whole bus – Both us and the device receive the request at the same time – That means we would answer at the same time and jam the signal
  x 24 ccTalk multidrop commands ● Used by the controller to resolve addressing conflicts – Header 251 – Address change – Used by the controller to force a device to change its address in case of conflicts
  x 25 Device in the middle ● Simply tell the device at address x that it needs to change its address to y ● Using these requests, we are now able to hijack the device – It allows us to intercept all communications between the controller and the device
  x 26 Timing ● We need to be sure that we won't jam the current traffic ● At 9600b/s, it takes 1.04ms to send a byte – To send the address change request (6 bytes) it takes us 6.24ms ● ccTalk specs indicate that devices such as coin acceptors and hoppers need to be polled every 200ms – Largely enough time for us
  x 27 Device hijacking ● To hijack a device on the bus : ● Scan the bus to search for silence ● If sufficient periods of silence, prepare injection ● Craft an address change packet ● Wait for silence period, then inject packet ● Respond to requests from the controller ● When finished, set the device to its original address ● Remember, we need to do this while the bus is in use
  x 28 Introducing ccJack ● Automates the hijacking process ● Can emulate any device by sniffing the current responses and reply the same ● Can use a bus pirate to sniff and inject
  x 29 Example : Inject coins ! ● Once the coin acceptor is hijacked, just respond by incrementing the counter – It is also possible to modify the coin code to increase the value of the injected coin ● Be careful ! The counter must be higher or equal to the last value – Any lower value will make the controller throw an error and likely reset itself
  x 30 Demo !
  x 31 More ? ● As the acceptor is “offline”, we can do whatever we want to it – Some coin acceptors can be re-calibrated by ccTalk ● Look for headers 201 and 202 ● What if CHF 0.10 becomes CHF 5.- ? – The path the coin takes after being accepted can be modified ● Look for headers 209 and 210 ● What if the new sorter path is the money return ?
  x 32 Hopper handling ● Hoppers follow a special schema to release money (simplified) – Controller asks for a challenge (Header 160) – Hopper responds with 8 random bytes – Controller encodes this challenge and sends the response with the number of coins to release (Header 167) – Operation is checked periodically by the controller (Header 166)
  x 33 Hopper bias ● To simplify these steps, some vendors provide hoppers with no challenge/response support – Sometimes, you just need to send the hopper serial number as the response – Sometimes... If the hopper Product Code is "SCH2-NOENCRYPT", then the DISPENSE COINS command still needs an 8-byte code, but the value of the code does not matter.
  x 34 Grab the money ! ● After a hopper is hijacked, just tell it to dispense 0xff coins – Will only work if the hopper does not use the challenge/response method ● Better : Use the “Purge hopper” command (Header 121) – Does not take any challenge/response – Hardly ever implemented in practice, but you never know...
  x 35 Isn't there any protection ? ● Some devices only respond after having been provided a PIN code – Only for a subset of commands ● Depends on the device / firmware / vendor – Well, just wait for the PIN to be sent by the controller ● Check for header 218 – We can “help” it by pulling the power cord – It could be possible that the PIN code is the same for a vending machine model
  x 36 Encryption ● In later versions of the specs, the ccTalk payload and headers can be encrypted – Two encryption methods are available ● Proprietary encryption – 24 bit key ● DES encryption – 56 bit key – Use a pre-shared key between the controller and the devices ● Encryption uses different headers – Header 229 vs header 112
  x 37 Future – Research fields ● More things to discover on the protocol – Encryption support seems suspicious ● Keys can be transferred using ccTalk ● Proprietary and closed-source encryption could be weak – Some devices accept dumping their internal memory by ccTalk ● Maybe there are vulns in the firmwares ? – It is possible to upload a new firmware to the devices using ccTalk ● Evilgrade ccTalk edition ?
  x 38 Future - Hoppers ● Coin hoppers challenge / response algorithm – Algorithm protected by NDA – Still working on that one, there may be a new version of ccJack coming in a near future ;-)
  x 39 Connectivity ● Vending machines normally protect their contents – It usually requires a second key to get the money ● Access to the bus “only” requires that the machine be open – An evil employee could do it
  x 40 More realistic attack ● For the moment, we still need to connect a bus pirate on the ccTalk bus – Therefore, we also need a laptop – Not really stealth ● It would be possible to use an Arduino and a bluetooth shield to do the same
  x 41 Conclusions ● Specific protocols can be fun to analyze – You never know where you can find exotic protocols ● ccTalk definitely needs more attention – Since it transports money-related information, there are interesting applications ● If you don't have one, buy a bus pirate – It's pure awesomeness !
  x 42 Availability ● The tools ara available on my Github account – https://github.com/Baldanos/ccTools
  x 43 Many thanks ! Any questions ? @Baldanos Did I mention I LOVE beer ?

Recommandé

Computer network (3)
Computer network (3)Computer network (3)
Computer network (3)NYversity
 
Arduino - Peripherals and interface
Arduino - Peripherals and interfaceArduino - Peripherals and interface
Arduino - Peripherals and interfaceEmertxe Information Technologies Pvt Ltd
 
Smart Lamp With a GSM Module SIM800L
Smart Lamp With a GSM Module SIM800LSmart Lamp With a GSM Module SIM800L
Smart Lamp With a GSM Module SIM800Lfarid_giffari
 
Multi Sensory Communication 1/2
Multi Sensory Communication 1/2Multi Sensory Communication 1/2
Multi Sensory Communication 1/2Satoru Tokuhisa
 
An introduction to Arduino
An introduction to ArduinoAn introduction to Arduino
An introduction to ArduinoEmertxe Information Technologies Pvt Ltd
 
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injectionStHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injectionStHack
 
blockchain-and-trusted-computing
blockchain-and-trusted-computingblockchain-and-trusted-computing
blockchain-and-trusted-computingYongraeJo
 
Fredericksburg LUG Bitcoin slides
Fredericksburg LUG Bitcoin slidesFredericksburg LUG Bitcoin slides
Fredericksburg LUG Bitcoin slidesAlex Akselrod
 

Recommandé

Computer network (3)
Computer network (3)Computer network (3)
Computer network (3)NYversity
 
Arduino - Peripherals and interface
Arduino - Peripherals and interfaceArduino - Peripherals and interface
Arduino - Peripherals and interfaceEmertxe Information Technologies Pvt Ltd
 
Smart Lamp With a GSM Module SIM800L
Smart Lamp With a GSM Module SIM800LSmart Lamp With a GSM Module SIM800L
Smart Lamp With a GSM Module SIM800Lfarid_giffari
 
Multi Sensory Communication 1/2
Multi Sensory Communication 1/2Multi Sensory Communication 1/2
Multi Sensory Communication 1/2Satoru Tokuhisa
 
An introduction to Arduino
An introduction to ArduinoAn introduction to Arduino
An introduction to ArduinoEmertxe Information Technologies Pvt Ltd
 
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injectionStHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injectionStHack
 
blockchain-and-trusted-computing
blockchain-and-trusted-computingblockchain-and-trusted-computing
blockchain-and-trusted-computingYongraeJo
 
Fredericksburg LUG Bitcoin slides
Fredericksburg LUG Bitcoin slidesFredericksburg LUG Bitcoin slides
Fredericksburg LUG Bitcoin slidesAlex Akselrod
 
Bluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case StudyBluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case StudyFReeze FRancis
 
JVM Memory Model - Yoav Abrahami, Wix
JVM Memory Model - Yoav Abrahami, WixJVM Memory Model - Yoav Abrahami, Wix
JVM Memory Model - Yoav Abrahami, WixCodemotion Tel Aviv
 
Ch07
Ch07Ch07
Ch07Asim Raza Gardezi
 
Aerospike Go Language Client
Aerospike Go Language ClientAerospike Go Language Client
Aerospike Go Language ClientSayyaparaju Sunil
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
Kernel Recipes 2016 - Speeding up development by setting up a kernel build farm
Kernel Recipes 2016 - Speeding up development by setting up a kernel build farmKernel Recipes 2016 - Speeding up development by setting up a kernel build farm
Kernel Recipes 2016 - Speeding up development by setting up a kernel build farmAnne Nicolas
 
Building a robot with the .Net Micro Framework
Building a robot with the .Net Micro FrameworkBuilding a robot with the .Net Micro Framework
Building a robot with the .Net Micro FrameworkDucas Francis
 
Computer System and Architecture
Computer System and ArchitectureComputer System and Architecture
Computer System and Architecturesarfraz1411
 
One library for all Java encryption
One library for all Java encryptionOne library for all Java encryption
One library for all Java encryptionDan Cvrcek
 
serial_busses_i2c.pptx
serial_busses_i2c.pptxserial_busses_i2c.pptx
serial_busses_i2c.pptxSKUP1
 
Certifying (RISC) Machine Code Safe from Aliasing (OpenCert 2013)
Certifying (RISC) Machine Code Safe from Aliasing (OpenCert 2013)Certifying (RISC) Machine Code Safe from Aliasing (OpenCert 2013)
Certifying (RISC) Machine Code Safe from Aliasing (OpenCert 2013)Peter Breuer
 
Microprocessor and Application (8085)
Microprocessor and Application (8085)Microprocessor and Application (8085)
Microprocessor and Application (8085)ufaq kk
 
module4.ppt
module4.pptmodule4.ppt
module4.pptSubhasis Dash
 
Digital logic-formula-notes-final-1
Digital logic-formula-notes-final-1Digital logic-formula-notes-final-1
Digital logic-formula-notes-final-1Kshitij Singh
 
Serial Busses.pptx
Serial Busses.pptxSerial Busses.pptx
Serial Busses.pptxssuser1542b11
 
networking.pdf
networking.pdfnetworking.pdf
networking.pdffdsfds12
 
Chapter 2-8085 Microprocessor Architecture and Microcomputer Systems
Chapter 2-8085 Microprocessor Architecture and Microcomputer SystemsChapter 2-8085 Microprocessor Architecture and Microcomputer Systems
Chapter 2-8085 Microprocessor Architecture and Microcomputer Systemscmkandemir
 
Peddle the Pedal to the Metal
Peddle the Pedal to the MetalPeddle the Pedal to the Metal
Peddle the Pedal to the MetalC4Media
 
8253,8254
8253,8254 8253,8254
8253,8254 jemimajerome
 
Embedded systems and robotics by scmandota
Embedded systems and robotics by scmandotaEmbedded systems and robotics by scmandota
Embedded systems and robotics by scmandotascmandota
 
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"StHack
 
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cash
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cashSthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cash
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cashStHack
 

Contenu connexe

Similaire à StHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coin

Bluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case StudyBluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case StudyFReeze FRancis
 
JVM Memory Model - Yoav Abrahami, Wix
JVM Memory Model - Yoav Abrahami, WixJVM Memory Model - Yoav Abrahami, Wix
JVM Memory Model - Yoav Abrahami, WixCodemotion Tel Aviv
 
Aerospike Go Language Client
Aerospike Go Language ClientAerospike Go Language Client
Aerospike Go Language ClientSayyaparaju Sunil
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
Kernel Recipes 2016 - Speeding up development by setting up a kernel build farm
Kernel Recipes 2016 - Speeding up development by setting up a kernel build farmKernel Recipes 2016 - Speeding up development by setting up a kernel build farm
Kernel Recipes 2016 - Speeding up development by setting up a kernel build farmAnne Nicolas
 
Building a robot with the .Net Micro Framework
Building a robot with the .Net Micro FrameworkBuilding a robot with the .Net Micro Framework
Building a robot with the .Net Micro FrameworkDucas Francis
 
Computer System and Architecture
Computer System and ArchitectureComputer System and Architecture
Computer System and Architecturesarfraz1411
 
One library for all Java encryption
One library for all Java encryptionOne library for all Java encryption
One library for all Java encryptionDan Cvrcek
 
serial_busses_i2c.pptx
serial_busses_i2c.pptxserial_busses_i2c.pptx
serial_busses_i2c.pptxSKUP1
 
Certifying (RISC) Machine Code Safe from Aliasing (OpenCert 2013)
Certifying (RISC) Machine Code Safe from Aliasing (OpenCert 2013)Certifying (RISC) Machine Code Safe from Aliasing (OpenCert 2013)
Certifying (RISC) Machine Code Safe from Aliasing (OpenCert 2013)Peter Breuer
 
Microprocessor and Application (8085)
Microprocessor and Application (8085)Microprocessor and Application (8085)
Microprocessor and Application (8085)ufaq kk
 
Digital logic-formula-notes-final-1
Digital logic-formula-notes-final-1Digital logic-formula-notes-final-1
Digital logic-formula-notes-final-1Kshitij Singh
 
networking.pdf
networking.pdfnetworking.pdf
networking.pdffdsfds12
 
Chapter 2-8085 Microprocessor Architecture and Microcomputer Systems
Chapter 2-8085 Microprocessor Architecture and Microcomputer SystemsChapter 2-8085 Microprocessor Architecture and Microcomputer Systems
Chapter 2-8085 Microprocessor Architecture and Microcomputer Systemscmkandemir
 
Peddle the Pedal to the Metal
Peddle the Pedal to the MetalPeddle the Pedal to the Metal
Peddle the Pedal to the MetalC4Media
 
Embedded systems and robotics by scmandota
Embedded systems and robotics by scmandotaEmbedded systems and robotics by scmandota
Embedded systems and robotics by scmandotascmandota
 

Similaire à StHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coin (20)

Bluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case StudyBluetooth Low Energy - A Case Study
Bluetooth Low Energy - A Case Study
 
JVM Memory Model - Yoav Abrahami, Wix
JVM Memory Model - Yoav Abrahami, WixJVM Memory Model - Yoav Abrahami, Wix
JVM Memory Model - Yoav Abrahami, Wix
 
Ch07
Ch07Ch07
Ch07
 
Aerospike Go Language Client
Aerospike Go Language ClientAerospike Go Language Client
Aerospike Go Language Client
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
Kernel Recipes 2016 - Speeding up development by setting up a kernel build farm
Kernel Recipes 2016 - Speeding up development by setting up a kernel build farmKernel Recipes 2016 - Speeding up development by setting up a kernel build farm
Kernel Recipes 2016 - Speeding up development by setting up a kernel build farm
 
Building a robot with the .Net Micro Framework
Building a robot with the .Net Micro FrameworkBuilding a robot with the .Net Micro Framework
Building a robot with the .Net Micro Framework
 
Computer System and Architecture
Computer System and ArchitectureComputer System and Architecture
Computer System and Architecture
 
One library for all Java encryption
One library for all Java encryptionOne library for all Java encryption
One library for all Java encryption
 
serial_busses_i2c.pptx
serial_busses_i2c.pptxserial_busses_i2c.pptx
serial_busses_i2c.pptx
 
Certifying (RISC) Machine Code Safe from Aliasing (OpenCert 2013)
Certifying (RISC) Machine Code Safe from Aliasing (OpenCert 2013)Certifying (RISC) Machine Code Safe from Aliasing (OpenCert 2013)
Certifying (RISC) Machine Code Safe from Aliasing (OpenCert 2013)
 
Microprocessor and Application (8085)
Microprocessor and Application (8085)Microprocessor and Application (8085)
Microprocessor and Application (8085)
 
module4.ppt
module4.pptmodule4.ppt
module4.ppt
 
Digital logic-formula-notes-final-1
Digital logic-formula-notes-final-1Digital logic-formula-notes-final-1
Digital logic-formula-notes-final-1
 
Serial Busses.pptx
Serial Busses.pptxSerial Busses.pptx
Serial Busses.pptx
 
networking.pdf
networking.pdfnetworking.pdf
networking.pdf
 
Chapter 2-8085 Microprocessor Architecture and Microcomputer Systems
Chapter 2-8085 Microprocessor Architecture and Microcomputer SystemsChapter 2-8085 Microprocessor Architecture and Microcomputer Systems
Chapter 2-8085 Microprocessor Architecture and Microcomputer Systems
 
Peddle the Pedal to the Metal
Peddle the Pedal to the MetalPeddle the Pedal to the Metal
Peddle the Pedal to the Metal
 
8253,8254
8253,8254 8253,8254
8253,8254
 
Embedded systems and robotics by scmandota
Embedded systems and robotics by scmandotaEmbedded systems and robotics by scmandota
Embedded systems and robotics by scmandota
 

Plus de StHack

Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"StHack
 
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cash
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cashSthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cash
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cashStHack
 
Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...
Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...
Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...StHack
 
Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...
Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...
Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...StHack
 
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...StHack
 
Sthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practice
Sthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practiceSthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practice
Sthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practiceStHack
 
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack
 
StHack 2014 - Benjamin "@gentilkiwi" Delpy Mimikatz
StHack 2014 - Benjamin "@gentilkiwi" Delpy MimikatzStHack 2014 - Benjamin "@gentilkiwi" Delpy Mimikatz
StHack 2014 - Benjamin "@gentilkiwi" Delpy MimikatzStHack
 
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack
 
StHack 2014 - Ninon Eyrolles Obfuscation 101
StHack 2014 - Ninon Eyrolles Obfuscation 101StHack 2014 - Ninon Eyrolles Obfuscation 101
StHack 2014 - Ninon Eyrolles Obfuscation 101StHack
 

Plus de StHack (10)

Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
 
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cash
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cashSthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cash
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cash
 
Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...
Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...
Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...
 
Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...
Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...
Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...
 
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
 
Sthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practice
Sthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practiceSthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practice
Sthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practice
 
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
 
StHack 2014 - Benjamin "@gentilkiwi" Delpy Mimikatz
StHack 2014 - Benjamin "@gentilkiwi" Delpy MimikatzStHack 2014 - Benjamin "@gentilkiwi" Delpy Mimikatz
StHack 2014 - Benjamin "@gentilkiwi" Delpy Mimikatz
 
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
 
StHack 2014 - Ninon Eyrolles Obfuscation 101
StHack 2014 - Ninon Eyrolles Obfuscation 101StHack 2014 - Ninon Eyrolles Obfuscation 101
StHack 2014 - Ninon Eyrolles Obfuscation 101
 

Dernier

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 

Dernier (20)

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 

StHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coin

  • 2.   x 2 Me ? ● Nicolas Oberli (aka Balda) ● Security engineer @ SCRT ● CTF enthusiast ● Retro gamer ● Beer drinker / brewer
  • 3.   x 3 It all started so simply... ● I wanted to add coin handling to my MAMEcab ● Bought a coin acceptor on an auction site
  • 4.   x 4 Coin handling devices ● All kinds of machines use coin handling devices – ATMs – Vending machines – Casino slot machines – … ● Multiple devices are used in these machines
  • 5.   x 5 Coin / Bill acceptors ● Used to count coins and bills ● Can detect coin/bill value ● Detects false coins/bills
  • 6.   x 6 Coin sorters ● Used to sort coins into different trays ● Connected after a coin acceptor – The acceptor tells the sorter which channel (tray) to place the coin in
  • 7.   x 7 Coin hopper ● Used to give coins back to the customer – One hopper per coin value – Gives coins back one by one
  • 8.   x 8 Communication protocols ● Multiple protocols are used to communicate with these devices – Parallel – Serial (RS232) – MDB – ccTalk ● The protocols are very vendor-specific ● ccTalk is what we will be talking about
  • 9.   x 9 ccTalk ? ● “coin-controls-Talk” ● Semi-proprietary protocol – Maintained by Money Controls LLC, England – Protocol specs available on cctalk.org ● Some parts of the specs are only available after signing a NDA :-(
  • 10.   x 10 ccTalk ? ● Request / response messages ● RS232-like data transmission – Uses only one wire for both sending and receiving – 9600 bits/s, 8N1, TTL signals (0 - 5V) ● Each device has its own address on the bus – By default 1=controller, 2=coin acceptor
  • 11.   x 11 ccTalk message format ● All frames use the same format – Header is the actual command sent to the device ● Header equal to 0 means it's a response ● Payload length can vary from 0 to 252 – Data length != packet length ● Checksum is the complement to 0xFF of the packet destination data length source header [data] checksum 1 byte
  • 12.   x 12 ccTalk headers ● Each command is assigned a header – Since its coded in a byte, 256 possible commands ● From the doc :
  • 13.   x 13 Sample communication ● 02 00 01 FE ff – Sample poll from @01 to @02 ● 01 00 02 00 FD – Response from @02 to @01 ● 02 00 01 F6 07 – Request manufacturer ID ● 01 03 02 00 4E 52 49 11 – Response (length 3) : NRI ● (ASCII encoded)
  • 14.   x 14 Coin acceptor handling ● The controller can ask a coin acceptor its status using header 229 – The response contains the following payload ● Counter is incremented for each event generated by the acceptor – Event counter cycles from 1 to 255 Result 1A Result 1Bcounter Result 2A Result 2B Result 3A Result 3B Result 4A Result 4B Result 5A Result 5B 1 byte
  • 15.   x 15 Coin acceptor results ● The last five results are sent in the response – Result A contains the validation channel ● A device can recognize a certain amount of different coins which are organized in channels ● Either set by the manufacturer or by config – Result B contains the error code (Bad coin, mechanical error, ...) ● Again, the codes are vendor specific – Sometimes, results A and B are switched
  • 16.   x 16 Initial project ● Implement the ccTalk protocol to handle a coin acceptor ● Use a Teensy in keyboard mode – When a coin is inserted, determine its value and send the corresponding number of keystrokes to MAME
  • 17.   x 17 Teensy ? ● Hardware prototyping board ● Can use the Arduino IDE to write code ● Adds the possibility to emulate USB devices – Mouse, serial port, keyboard, ...
  • 19.   x 19 Can we do more ? ● Other vending machines may use other headers and / or functions ● It is difficult to track responses – You need to decode the request first ● There is no open source sniffer for ccTalk...
  • 20.   x 20 Introducing ccSniff/ccParse ● Python utilities used to sniff data on a ccTalk bus and parse the sniffed data to a readable format – Uses a ccTalk library developed from scratch ● Can use a bus pirate to sniff – It's the best way, since it can handle UART signals correctly
  • 21.   x 21 Bus pirate ? ● Open source hardware hacking tool ● Easy interfacing with a lot of protocols – UART, SPI, I2C, 1-Wire, JTAG, … ● Usage can be scripted
  • 23.   x 23 Can we do even more ? ● What if we can inject some data on the bus ? – Like telling the controller “Hey ! I'm the coin acceptor and I received a LOT of money !” ● The problem is, we only have one wire for the whole bus – Both us and the device receive the request at the same time – That means we would answer at the same time and jam the signal
  • 24.   x 24 ccTalk multidrop commands ● Used by the controller to resolve addressing conflicts – Header 251 – Address change – Used by the controller to force a device to change its address in case of conflicts
  • 25.   x 25 Device in the middle ● Simply tell the device at address x that it needs to change its address to y ● Using these requests, we are now able to hijack the device – It allows us to intercept all communications between the controller and the device
  • 26.   x 26 Timing ● We need to be sure that we won't jam the current traffic ● At 9600b/s, it takes 1.04ms to send a byte – To send the address change request (6 bytes) it takes us 6.24ms ● ccTalk specs indicate that devices such as coin acceptors and hoppers need to be polled every 200ms – Largely enough time for us
  • 27.   x 27 Device hijacking ● To hijack a device on the bus : ● Scan the bus to search for silence ● If sufficient periods of silence, prepare injection ● Craft an address change packet ● Wait for silence period, then inject packet ● Respond to requests from the controller ● When finished, set the device to its original address ● Remember, we need to do this while the bus is in use
  • 28.   x 28 Introducing ccJack ● Automates the hijacking process ● Can emulate any device by sniffing the current responses and reply the same ● Can use a bus pirate to sniff and inject
  • 29.   x 29 Example : Inject coins ! ● Once the coin acceptor is hijacked, just respond by incrementing the counter – It is also possible to modify the coin code to increase the value of the injected coin ● Be careful ! The counter must be higher or equal to the last value – Any lower value will make the controller throw an error and likely reset itself
  • 31.   x 31 More ? ● As the acceptor is “offline”, we can do whatever we want to it – Some coin acceptors can be re-calibrated by ccTalk ● Look for headers 201 and 202 ● What if CHF 0.10 becomes CHF 5.- ? – The path the coin takes after being accepted can be modified ● Look for headers 209 and 210 ● What if the new sorter path is the money return ?
  • 32.   x 32 Hopper handling ● Hoppers follow a special schema to release money (simplified) – Controller asks for a challenge (Header 160) – Hopper responds with 8 random bytes – Controller encodes this challenge and sends the response with the number of coins to release (Header 167) – Operation is checked periodically by the controller (Header 166)
  • 33.   x 33 Hopper bias ● To simplify these steps, some vendors provide hoppers with no challenge/response support – Sometimes, you just need to send the hopper serial number as the response – Sometimes... If the hopper Product Code is "SCH2-NOENCRYPT", then the DISPENSE COINS command still needs an 8-byte code, but the value of the code does not matter.
  • 34.   x 34 Grab the money ! ● After a hopper is hijacked, just tell it to dispense 0xff coins – Will only work if the hopper does not use the challenge/response method ● Better : Use the “Purge hopper” command (Header 121) – Does not take any challenge/response – Hardly ever implemented in practice, but you never know...
  • 35.   x 35 Isn't there any protection ? ● Some devices only respond after having been provided a PIN code – Only for a subset of commands ● Depends on the device / firmware / vendor – Well, just wait for the PIN to be sent by the controller ● Check for header 218 – We can “help” it by pulling the power cord – It could be possible that the PIN code is the same for a vending machine model
  • 36.   x 36 Encryption ● In later versions of the specs, the ccTalk payload and headers can be encrypted – Two encryption methods are available ● Proprietary encryption – 24 bit key ● DES encryption – 56 bit key – Use a pre-shared key between the controller and the devices ● Encryption uses different headers – Header 229 vs header 112
  • 37.   x 37 Future – Research fields ● More things to discover on the protocol – Encryption support seems suspicious ● Keys can be transferred using ccTalk ● Proprietary and closed-source encryption could be weak – Some devices accept dumping their internal memory by ccTalk ● Maybe there are vulns in the firmwares ? – It is possible to upload a new firmware to the devices using ccTalk ● Evilgrade ccTalk edition ?
  • 38.   x 38 Future - Hoppers ● Coin hoppers challenge / response algorithm – Algorithm protected by NDA – Still working on that one, there may be a new version of ccJack coming in a near future ;-)
  • 39.   x 39 Connectivity ● Vending machines normally protect their contents – It usually requires a second key to get the money ● Access to the bus “only” requires that the machine be open – An evil employee could do it
  • 40.   x 40 More realistic attack ● For the moment, we still need to connect a bus pirate on the ccTalk bus – Therefore, we also need a laptop – Not really stealth ● It would be possible to use an Arduino and a bluetooth shield to do the same
  • 41.   x 41 Conclusions ● Specific protocols can be fun to analyze – You never know where you can find exotic protocols ● ccTalk definitely needs more attention – Since it transports money-related information, there are interesting applications ● If you don't have one, buy a bus pirate – It's pure awesomeness !
  • 42.   x 42 Availability ● The tools ara available on my Github account – https://github.com/Baldanos/ccTools
  • 43.   x 43 Many thanks ! Any questions ? @Baldanos Did I mention I LOVE beer ?