Fedex Kinko’s Smart Cards Hacked

Researchers at Secure Science Corporation have managed to break the ExpressPay stored-value system used at FedEx Kinko’s stores, which is supplied by enTrac. The cards are write-protected by a 3-byte security code. That code can be sniffed with a logic analyzer and then used to write any data you want to the card, since nothing on it is encrypted; worse, the security code is the same across all cards. FedEx Kinko’s stated that the article was inaccurate, so Lance James and Strom Carlson made a video of themselves performing the hack in a store: they put $1.00 on a card at the kiosk, use it to log into a computer and show the balance of $1.00. They log out, use a separate laptop and card reader/writer to change the balance to $50.00 and modify the serial number, then log back into a computer and show the balance of $50.00. They let one minute pass so that $0.20 is charged to the card. Finally they log out and use the self-service kiosk to print a receipt showing their balance of $49.80 under the fake serial number. At that point an attacker could take the card to the service counter and ask for the balance in cash.

[thanks Sith from Midnight Research Labs]

[fix: I had originally stated they bought a new card at the kiosk]

[photo: caribb]
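To make the security-relevant point of the post concrete, here is an added illustration (not code from the original post or from enTrac, and not the real ExpressPay card layout): a constructed card image holding a serial and a balance, a reader that believes whatever the card says, as the ExpressPay reader evidently does, and a reader that only accepts a balance carrying a tag keyed with a secret that never leaves the back end, so the laptop rewrite shown in the video is detected.

```python
import hmac
import hashlib
import struct

# Constructed layout for this example only (not the real ExpressPay format):
# 4-byte serial, 4-byte balance in cents, 16-byte tag, all big-endian.
RECORD = struct.Struct(">I I 16s")
# Assumption: this key exists only in the back end, never on the card or in the reader.
SERVER_KEY = b"example-server-key-not-on-card"


def tag(serial: int, cents: int, key: bytes) -> bytes:
    """HMAC over serial and balance; without the key a rewrite cannot produce a valid tag."""
    msg = struct.pack(">I I", serial, cents)
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def issue_card(serial: int, cents: int, key: bytes) -> bytes:
    """What the kiosk would write when it loads value onto a card."""
    return RECORD.pack(serial, cents, tag(serial, cents, key))


def trusting_balance(image: bytes) -> int:
    """Weak reader: trusts the balance field as written (the scenario in the post)."""
    _serial, cents, _t = RECORD.unpack(image)
    return cents


def verified_balance(image: bytes, key: bytes):
    """Hardened reader: returns the balance only if the tag checks out, else None."""
    serial, cents, t = RECORD.unpack(image)
    if not hmac.compare_digest(t, tag(serial, cents, key)):
        return None
    return cents


def rewrite_fields(image: bytes, serial: int, cents: int) -> bytes:
    """Simulates the rewrite in the video: new serial and balance, old tag left in place."""
    _s, _c, t = RECORD.unpack(image)
    return RECORD.pack(serial, cents, t)


if __name__ == "__main__":
    card = issue_card(0x00001234, 100, SERVER_KEY)       # $1.00 loaded at the kiosk
    forged = rewrite_fields(card, 0x31337, 5000)          # rewritten to $50.00 with a fake serial
    print(trusting_balance(forged))                        # 5000: the weak reader is fooled
    print(verified_balance(forged, SERVER_KEY))            # None: the hardened reader rejects it
```

A tag on its own stops forging a balance but not copying a valid image onto a second card or replaying an old one; catching that needs a per-serial record of balance and spend on the server side as well.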

67 thoughts on “Fedex Kinko’s Smart Cards Hacked”

  1. This was a bunch of fun doing this at Kinkos with Strom! It’s actually a very easy concept once you see it done.

    Like Mitch Hedberg said:

    Kinko’s is my favorite copy place ’cause it’s open 24 hours. Like, if it’s three in the morning, and I suddenly decide I need two of something, I’m covered. Sometimes I will wake up in the middle of the night in a cold sweat: “Shit… oh ya, Kinko’s… alright, that will not remain singular.”

  2. I imagine things are hectic right now at fedex kinkos HQ

    You’d think they’d be more careful with these things, it shouldn’t have to take actual exploitation to get a company to consider their security.

  3. Wow. Talk about a glaring flaw in the system. I wonder how long it will be before they even acknowledge the problem. How many decades it will take to fix it is anyone’s guess.

  4. very slick. it used to be much easier way back when they first implemented the keycard kiosks.

    31337 – classic! ;P

    most likely the limit is 200 or something and their device allows them to put on any amount, so any amount over X will give that response. definitely intentional. ;)

  5. The maximum value you can put on the card at the kiosk is $100 (though the way the value is encoded on the card, the theoretical maximum is one hundred thousand centillion dollars). I needed a not-unreasonably-huge value which was highly unlikely to be achieved through normal everyday use, yet be fairly obvious that it wasn’t just some random occurrence. Thus, $313.37 :)

  6. One part I found funny, are they shown buying a brand new card with a balance of one dollar that just happened to have some writing from a marker on it, or did they have the card in advance? Seems it would be a better demo if they bought a fresh card first for the hack.

    This took forever to d/l. Here’s an azureus magnetic link (16.19 MB):

    magnet:?xt=urn:btih:A3PNUUOZHN53GVT5A42G6Q3HMIQLX2WN

    1. copy the link text with a control-c
    2. launch everyone’s favorite java powered p2p app: azureus
    3. hit control-l, follow the dialog box to download the .torrent file
    4. right-click on the file listing and select queue, to start the d/l

  7. The college I went to had similar ones to these as our ID cards. They used a magnetic strip instead of a microchip. We also used them as a paperless money system. It was several years back so you couldn’t get a card reader for under $100. (a little steep for a college student) Some CS friends of mine and I were working on converting a cassette tape backup drive to work as a reader and writer. We had to disassemble it and write our own driver for it to get it to work. We eventually were able to read some of the info off the card but ran out of time to dissect it. Was a pretty cool project. Where there is a will there is a way.

  8. There is discrepancy in the description of their hack though. I went to a Kinko’s store and got a stored value card and the smart chip has six contacts on it, yet the data sheet for the SLE4442 shows eight contacts.

    I’ve e-mailed Strom and hopefully he will clear this up!

  9. Hi Strom, I just sent you e-mail but you can reply to me here so that others can see your reply. I had the same question about the 8 contacts in the data sheet vs. the 6 contacts on the actual card.

    Is the pinout of the smart chip the same as in:

    http://www.smartcardsupply.com/PDF/DS_sle4432_42_0795.pdf

    except that the bottom two no-connects are just missing?

    The data sheet shows a total of 3 no-connects and my question basically is: if I start at the top of the chip card and then go counter-clockwise, are the contacts: VCC, RST, CLK, I/O, N/C, GND?

    Is there a particular smart card reader/writer that you recommend? I saw that you use the ACS in your video. Can you give the exact model number that you use?

    Thanks!

  10. Not on behalf of strom, but…. He won’t release the security code because he did not intend this as a way for people to steal from kinkos. Just to alert people that it can be done. Unlike other “exploits” done at stores, this one requires a certain degree of practical knowledge to pull off, and the need for certain equipment not very common as well. So, if you want to do it, learn to do it, don’t just follow a set of directions.

  11. Hey all,

    I’m a Fedex Kinkos employee but think that this is a great hack as it was bound to happen! Anyway, here are some things they didn’t mention, that i know about the cards from working there.

    There are three card types… Purple, Blue and Green (Green is the Skeleton key.. read on).

    * Purple cards have a stored value. Money can be added at the kiosk or at the counter, and can also be refunded at the counter, but you have to fill out your name, phone number and sign for it.

    * Blue cards are called convenience cards. They can be preauthorized at the counter to make either 10 or 25 copies, so that the person can just make a few copies and pay after, instead of getting a card. They expire after 24 hours.

    * Finally is the mega card, the green card. Green cards are for EMPLOYEES ONLY. They can be activated for 24 hours using any employee’s name. Once activated they can be used to make unlimited free copies or minutes on the computers, and are so that we can do copy jobs in the express area without having to pay. The green card can also be made into a config card which lets you mess around with the server settings on the card readers.

    If someone could change the type, they could have access to all of these functions. Good luck and hopefully corporate will fix this soon!

  12. I’ve gotten legitimate refunds on my stored-value expresspay cards many times, and not once have I ever been asked for a single piece of personal information. I hand in the card and get back my cash, no questions asked.

    I would be interested in reading the blue and green cards to gain more insight into how the ExpressPay system operates, although I’ve never had either one in my possession.

  13. I like #32 especially after 31 just said that was not the intention.

    Anyhow, Strom, great hack here. I like how everyone wants to try it now (have to admit it interests me too). Anyhow I hope nobody writes a step-by-step, they’d be the one getting sued (if anyone) Strom made a point, a step-by-step is basically stealing. (or accessory thereof)

  14. Question: How do you find out what chipset is used for the smartcard? I’ve been interested in this project but stopped when the connections didn’t look like the one on my other smart card(s). What is the best way you recommend to get a data sheet on a smart card?

  15. Alright, I’m going to agree with the minority. They can’t come out and just tell you, “Use this program, build this circuit, press this button” That would be stealing. My advice, get data sheets, learn to read them, learn to actually write some code, a little low level programming and a parallel port can open up the world

  16. the ACR30 is a nice reader/writer specifically for Siemens smartcards and some others.

    “Siemens: SLE4406, SLE4418, SLE4428,SLE4432, SLE4442”

    the cheapest i found was $29.95, free ship at:
    http://www.smartcardsupply.com/Content/Hardware/ACR30.htm
    ebay is even cheaper, but slower and with compatibility issues.

    as for logic analyzers, you could buy a relic one on ebay for $50 and lug it to fedex (size of an oscilloscope) or a $200 portable one .. or do either of the following:

    1.) Use a microcontroller of your choice, or laptop serial port to record the communications between card and Kinkos reader; emulating what a logic analyzer does (and later downloading to a computer, if you chose the microcontroller path). Locating the three reference data bytes is trivial.

    2.) Use a microcontroller of choice (as I’ll be doing this weekend) or PC’s parallel port to brute force through the security codes 2^24 possibilities – attempting 3 at a time, reset power, reset/memread command, then repeat until found. Expect it to take the better part of 24hrs, your mileage will vary. This is done safely at home however, and without you being present – safest approach IMHO.

    *This definitely assumes you listen to #38’s advice, datasheets are your friend*
    http://www.acs.com.hk/downloads_datasheet/SLE4432_42.pdf
    http://www.sample.microchip.com -free PICs

    Long post, sorry, and not for the kiddies

  17. Naive Hackers should keep their training wheels on.

    This one’s not for you.

    Besides, Kinkos knows about this and I will guarantee you that they have now instructed employees to call the police at even the slightest suspicion of smart card funny business, to curb their losses and set an example to others.
    An electronic fraud/petty theft conviction, even if it’s just a misdemeanor, will absolutely *kill* your chances of ever getting a great job or getting any kind of security clearance, for the rest of your life.
    Consider this hack burnt if you value your future.

  18. This just reminded me of something. I got an American Express Smart Card reader a while back and it’s been sitting in the box for over a year. Is this card reader just a rebadged generic card reader or can I use it to read other smart cards. Anyone know?

  20. #44 you’ll need to buy a magstripe reader/writer.. but it’s considerably more expensive than a smart card one. Look to spend around $150 on ebay :/
    As for the software.. StripeSnoop is a great program and free.
    http://stripesnoop.sourceforge.net/

    #46 it’s a safe bet that it’s a rebranded reader from another company. It’s much easier for them to pay licensing fees and get a product now, than to hire a programmer for the same price and have him reinvent the wheel for several months. However, their drivers may be crippleware, and then you’ll have to reinstall with generic PC/SC drivers. Try looking at its datasheet if they give one, and poking around its drivers with a tool called Dependency Walker. It’ll be a DLL in the system32 folder. Google the exported function names, and see if you find another SC driver with a similar naming scheme..

    **Also for those buying the ACR30 .. you’ll have a hard time programming for it if you don’t buy the $99 SDK kit. Without either the ACR30.h header file, or information on the SCardControl() command to select the card type, it won’t be able to read memory cards (like Kinko’s) without first changing this option. I’ll try reverse engineering it later this week .. but if someone successfully has, or has ACR30.h/ACR38.h .. feel free to email it to arserbin3 at yahoo dot fr ^^ (fr not com)

  21. **update to end of #47 .. if you ignore the flowchart on page 4 of ACS’s pc/sc programming reference: http://acs.com.hk/downloads_manual/PMA_ACx30.pdf

    you can connect just fine without ‘selecting’ the memory type.. just connect with SCARD_PROTOCOL_T0 (or SCARD_PROTOCOL_DEFAULT)

    flowchart to follow:
    SCardEstablishContext
    SCardListReaders (use first string returned)
    SCardConnect (SCARD_SHARE_SHARED & SCARD_PROTOCOL_T0 <- zero, not 'oh')
    SCardTransmit (SCARD_PCI_T0 & SendBuffer filled with {0x00, Command, Arg1, Arg2, ...}) for all transmits..
    SCardDisconnect (SCARD_LEAVE_CARD)
    SCardReleaseContext

    Commands for Transmit: Read: 0x00, Write: 0x01, WriteProtected: 0x02, SubmitSecCode(PCODE): 0x03, ChangeSecCode: 0x04?, ReadSecCode: SendBuff[0xFF,0xB1,0x00,0x00,0x00]

    *write/writep/changecode untested as I haven't gotten the seccode yet - batt wires crossed on way home :/ .. tape ’em up as I shoulda done.. Also, #48’s method works, although his example isn’t a how-to.. read your datasheets. Also, I HIGHLY advise you invest the $2.49+tax at Fry’s or an electronics store and buy some conductive copper tape instead of using 22-26 gauge wire.. it’s too thick to fit in the reader; conductive tape is paper thin and copper on the top side.. extend it 2-3 inches past the card across tape/paper, as it gets sucked in kinda deep.. then you can solder on some wires http://www.tedpella.com/16067.jpg

  22. to add to what #33 said and #34’s comments…

    I also work at FedEx Kinko’s and I’ve worked at several branches so let me clarify; technically anyone who attempts to refund the money off of a purple stored value card is only supposed to fill out a refund form when they are receiving more than $10 back. However in my experience management never enforced this policy except at one store, and even in that case the customer can make up completely false information as we don’t check their actual ID.

    Quick question, why does this seem so much of a longer process than it looks in the video? Do logic analyzers connect to the store’s card readers or to your own? And what is #48’s method? Does anyone have his page saved? The page is now gone…