Signal Sniffing Some Laundry Pay Cards

It seems that [Limpkin] was up to no good this weekend. He decided to snoop around inside a smart-card laundry machine. He posted about his larceny  adventure and shared the details about how card security works with this machine.

We’re shocked that the control hardware is not under lock and key. Two screws are all that secures the panel to which this PCB is mounted. We know that machines using coins have a key lock, but perhaps there isn’t much need for that if there’s no currency to steal. [Limpkin] made a pass-through connector for the ribbon cable coming in from the card reader. That’s the rainbow cable you can see above and it’s being fed to his logic sniffer. He used the ‘card detect’ signal as a trigger and captured enough data to take back to his lair for analysis. Using what he found and a Bus Pirate to test the smart card he laid bare all the data that’s being sent and received by the controller.

19 thoughts on “Signal Sniffing Some Laundry Pay Cards

  1. Either the system is ‘older’ (pre-hacker generation), or the manufacturer is relying heavily on security through obscurity. I’m still amazed at the things that *aren’t* more secure, just because whomever built it doesn’t expect the general public to be intelligent enough to reverse-engineer the device.

    1. >Either the system is ‘older’ (pre-hacker generation), or the manufacturer is relying heavily on security through obscurity.

      Or the cost-benefit ratio wasn’t there for the armored electronics. Remember, the manufacture actually has to sell some of these things before they can recoup any R&D costs.

      Hopefully, Limpkin is an ethical hacker, but if one person out of 1337 students gets free laundry for a semester, would that pay for the extra R&D to make the thing more secure?

      Also, lookup “blueboxing” sometime. This is post-hacker hardware for sure. “Hacking” predates the first guy that discovered that a lid from a tobacco tin placed on a telegraph key makes the Morse code easier to copy.

    2. This was possible on the machines at college. The coin box was secured and would have been more difficult to hack, however the front panel of the machine was attached using security screws. One trip to the hardware store and the machine could be opened.

      Whether or not it was planned, the schematics for the machine were inside the case! Instead of hacking the coin counter, it was possible to simply put the machine into diagnostics/program mode and change the price of operation to $0.00.

  2. @medix: The “General Public” isn’t smart enough to do this kind of thing.

    It takes some decent electronic skills to be able to customize/interact/extend these circuits.

    1. Well, perhaps not this kind of tech (though the numbers of intelligent, capable individuals is growing rapidly), but think about the security ‘hack’ that was tested against the Chicago Transit Authority. From what I remember, all of the information gained and methods used were not overly complicated, and very easily obtained from the internet.

      This example doesn’t quite address the ‘security through obscurity’ point, but you get the idea. When there’s a will, there’s a way.

  3. More like: The cost of implementing “””proper””” security against unmitigated and unreasonable to expect attacks outweigh the benefits, when out contacts will indemnify us anyway. You know why they don’t bother? One, they expect that a person won’t be able to access the equipment without being caught, or won’t risk breaking and entering or other criminal charges to get at best, free laundry. Minimal payout = less incentive to attack, less reason to care.

  4. As far as security goes in this instance this most likely is secure enough. I could be wrong, but even in the “general public” of hackerdom, few will have the tools used here in their shop. For the thieving hacker that has the equipment the monetary gain here probably isn’t worth an effort. Even in a world where many wouldn’t pay a cent for a song recording if they could download it for free.

    1. Smart Card Breakout board:
      http://www.sparkfun.com/products/9440
      = $8
      I2C interface:
      http://dangerousprototypes.com/docs/Bus_Pirate
      (or any microcontroller for that matter)
      = $30
      Logic analyzer:
      http://www.saleae.com/logic
      = $150….(or $30 from china.. sorry)
      Screw driver + Soldering iron + ribbon cable + pin header:
      …From anywhere….
      = Less than 20 bucks.

      I’m pretty sure the “general public of hackerdom” can figure out where to get that stuff and can afford it. If not, then there you go, and just write the cost off on all the money you’ll save from not paying for laundry. It’s not rocket surgery.

  5. Also have to realize that the cost of laundry isn’t so much. They are more worried about people stealing the coins. If a couple of geeks get some free laundry, it doesn’t make much of a difference. Depending on the level of geekery (in the classic sense), they can consider it a public service.

  6. A lot of people are excusing the manufacturer, saying that this is not a high-value target.

    But high value targets do the same thing. There was an instance a few years ago where somebody compromised a point of sale card reader/keypad. Turns out that it communicated with its host computer over plain unencrypted RS232, and all the miscreant had to do was install a sparkfun 232 -> wireless converter.

  7. it does seem to me that this kind of thing is so easy to secure that it’s just plain silly not to do so.

    Card carries ID number
    Reader scans ID, asks server (which is connected by some free public key jazz, ssh/ssl/etc) how much cash the user has.
    Tell server how much you charged and fire up laundry.

    At some point the signals need to get sent to the motors that run the machine, but I don’t see a practical way to stop that if you are facing users who can/will dismantle the machine.

    I’ll never understand why these systems store the critical data on the card, it’d be like if paypal just trusted you to tell them how much money was in your account.

    1. Your system needs a central server and network enabled laundry machines or some cryptographic key assignment system. If the value is in the card, none of that is needed, except at the recharge station for the debit/credit card transactions. Cost vs benefit vs hackers ;)

      Once a laundry machine I used had the coin deposit full and wouldn’t accept more. Since the person responsible wasn’t able to come for a week and I had laundry to do, I opened the front panel (protected with a few regular screws) and shorted the wire that detects the coins. That was easy to do since the machine had the schematics in there! Me and all my building neighbors were happy about it.

  8. We did this back in the day by replicating the “quarter drop” signal that was sent to the board from the lock box (one wire – pulsed to ground). Forget getting to the coins, the hardware AND THE SCHEMATICS FOR THE UNIT were neatly hidden behind two screws. :D Gotta’love fresh laundry!

  9. I am really impressed, not only by his clear, uncluttered explanation, but also by the fact that he doesn’t hide behind the typical fake hacker justification of “I’m doing this to show you an irresponsible security flaw of a careless manufacturer” when in reality most hackers are trying to keep the attention on the manufacturer specifically because they don’t want the audience to start realizing how illegal or at least semi-immoral what they’re doing is. It’s such an old and deflated stance. He comes out and makes it clear that he’s doing something borderline legal, and admits you could get in trouble for it. Thanks for at least being honest.

  10. I dislike all this self-censorship and apologetic mealy-mouthed rhetoric when it comes to being plain curious. I understand why an ethical person wouldn’t post detailed instructions for making a bomb but wishing to know this stuff doesn’t make you a terrorist. Pretty soon the population will be so stupid we will not have anyone capable of stopping bad guys. We will all be too busy freaking out over elementary school projects involving wires and magnetic LED signs.

Leave a Reply to SethCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.