While we have our fun ethically hacking, it’s very easy to forget that sometimes our ideas could be used with malicious goals. Take for instance SparkFun’s BlueSMiRF – the device’s original intention is simply to act as a wireless serial cable replacement. After hackers discovered several PIN pads use a serial interface, they put two and two together to steal several hundred people’s personal bank accounts.
It seems SparkFun is getting a lot of heat lately, but we’re glad they stand up and address these issues. You can check out the original news clipping here.
good publicity :)
So now we have to boycott evil SparkFun? ;-)
Publicity was what I was thinking too. Seriously.. Second page of the B section. It’s also a whole page. The cost alone for a full page ad is enormous. And look at that pic! Awesome!
Judging from the messy assembly I’m sure those guys are just 2-bit low-life criminals that probably even left their fingerprints on the circuit boards and tape.
I built better looking stuff when I was twelve.
Very creative crooks. I agree good advertising for sparkfun, although probably not the image sparkfun wants to portray.
Anything can be used for good or evil, something as benign as a monkey wrench.
Even something as seemingly harmless as the algorithms to scan letters and numbers quickly can be used for good, i.e. to sort mail, or for something downright nefarious, a roadside Big Brother.
This is why one must be careful using a technology like Bluetooth, or avoid using it altogether when in crowded places.
Don’t pay any attention to what they write about you. Just measure it in inches.
– Andy Warhol
Why would a PIN terminal be wireless…..? :|
Michiel: it wasn’t till the crooks got hold of it.
Having sparkfun.com front and center on that photo is both a good and bad thing. It’s bad in the fact that it might bring some knee-jerk reactionaries to say “see look evil hackers now can buy pre-made hacking equipment and steal everything”. Then on the flip side, someone with some interest in hardware might go check out Sparkfun and develop a new hobby or help them with their EE projects for univ.
While the store was tricked, it is ultimately their responsibility for not securing their equipment that consumers rely upon. It’s one thing if it came from the factory pre-modded to steal the PINs but since someone walked in and stole it right in plain sight, and no one from the store caught it, the store should hold some responsibility in the matter. It was only because consumers noticed fraudulent purchases on their CCs/bank accounts that triggered the investigation that found the modified terminal.
Get with the script, kiddies:
“They should thank him for pointing out their crap security, or at least hire him.”
Any tool can be used for good or ‘nefarious’ means.
Spark-fun is making it easier for hardware hackers to find flaws in under-engineered products.
Anything transmitting sensitive information should be encrypted.
This is an example of blaming the messenger, who happens to indirectly be Spark-fun at the moment.
Next: Radio Shack taking flak for selling multimeters that help civilians steal power from the grid.
Technology can’t solve everything.
Why on earth would you assume that something hasn’t been modified if it is stolen and then returned?
For god’s sake, use your brain, people!
Hmmn, SparkFun’s fault for providing a simple device that has nothing to do with the target device, it just provides access between 2 very common protocols?
Or the target device manufacturers’ fault for leaving their devices exposed?
wired or wireless the hack was possible due to their ineptitude….
we can all boycott sparkfun when they get too big and start to sell us crappy products like walmart or micro-flaccid.
SPARC won’t want that tarnished name now ;)
http://hackaday.com/2009/10/23/sparkfun-gets-a-cease-and-desist/
Works for me!!
Take any electronics from any “sparkfun” type store, and this could happen. Most of the time the police hide this information from photos to keep the distributors unknown.
Spark-fun bears no responsibility in my eyes; only the dimwitted store owners can be to blame for reusing a stolen returned reader without having it inspected.
I am wholly amazed that they didn’t even have tamper proof stickers.
This hack isn’t quantum physics to carry out; the fact that a SparkFun module was used is irrelevant.
I can think of several modules from different manufacturers that could have been used.
This is a kid’s hack any nooblet could do, and could have been easily prevented, as Reggie said:
“wired or wireless the hack was possible due to their ineptitude….”
SparkFun shouldn’t get heat from anybody.
It’s the immoral hacker’s fault.
The person modified the PIN pad with a Bluetooth modem to serial out data. That person had to have worked there.
You need Physical Access to do this easy immoral hack.
Remember Stan Lee’s Spider-Man quote: “WITH GREAT POWER THERE MUST ALSO COME – – GREAT RESPONSIBILITY!”
Didn’t banks introduce chip+pin payment methods to avoid fraud? I think it’s ludicrous just how easy it is to see someone’s 4-digit code just by being behind them in the queue and watching them, I rarely see people make an effort to cover the pad whilst they’re typing their pin in.
lol, my first thought was “Nice hack, I want to try it”.
lol @ “He also suggested merchants put tape across the pad so if it’s taken apart they’ll notice a split in the tape”
The manufacturers of these PIN pads should be shitting themselves by now. I would hope my bank is telling them to “fuck off and BTW here is a bill for all the fraud your security-free pads have led to”.
Technology for encrypting serial comms and making a tamper-proof case already exist, and many hobbyists could throw them together. Yet here we have companies who charge a huge premium for supplying something less tamper-proof than the average mobile phone.
Media = evil….. Sparkfun = good :)
“I rarely see people make an effort to cover the pad whilst they’re typing their pin in.”
True, but then they need to get your card off you, and if they tried with me I’d beat em to within an inch of their lives, then beat em another three inches for good measure ; lol
I agree that it’s stupid that encryption isn’t used down the lead.
It’s always been the case that some dick nooblet hacks for criminal purposes and gives the true innovative hacker a bad rep.
Hence even now you mention that you like hacking, you’re automatically labelled as a shady git.
Is the guy in the pic a government agent, or Sparkfun executive?
I’m sure the criminals are hurt that a lot of boring suburban types and government branches disapprove. If I was unemployed and hungry with no promising outlook I’d be doing the same thing just with no ‘friends’ and at a lower frequency.
Criminals have also used TI products for this as well as many others, where are those articles?
The guy in the pic is a police detective.
Oh noes, someone got into a car and ran people over with it – cars are evil Keeel Ford….
Oh noes, someone is using the Internet to steal credit card details – Keeel the Internet…
I can go on…and probably will when I thinks of more…
Actually, I read it and it doesn’t seem to slam sparkfun in any way so it’s not that bad (the linked article – perhaps the Global Wind Sock that is the media played it up more).
What is interesting is that in the UK something similar happened, but instead perhaps a little more of a hack if we focus on the ‘hacking’ part. They stole two pads, and combined parts from both to put together a single working unit that also stored/broadcast (can’t remember).
The REAL important part of that case was that it was people employed at the stores who stole and then modified (or facilitated the modifications) and returned them.
All of you saying Sparkfun shouldn’t be blamed and the like – no one’s accusing Sparkfun of anything. The original article doesn’t even mention Sparkfun, nor does it imply that sites like Sparkfun are at all at fault. Stop jumping to stupid conclusions. That goes for the hackaday editor too, since the blurb implies Sparkfun is getting heat over this.
@Tom G: “Anything transmitting sensitive information should be encrypted.”
The PIN pad probably does encrypt the information on the channel that goes back to the bank. And it doesn’t transmit anything wirelessly (in its unmodified state.) And obviously there’s no way to prevent a hacker from reading the PIN, since the customer punches it in *on* the compromised device. So there’s really nothing the pad manufacturer could have done. The real responsibility falls on 1) the store for not securing their pads, and 2) card companies for having such a weak security protocol in this day and age.
Video devices have better security than this. Look at the whole HDMI encrypted path, and device bricking when a device is found to be easily cracked…
@ Gene: Sparkfun told HaD and Make about this.
How do you encrypt a button?
With great power comes great responsibility.
Encryption is silly, as others have pointed out.
But seriously, why isn’t there simply a ‘fuse’ that burns and prevents normal operation when the cover is removed. DOH
“How do you encrypt a button?”
You cannot. However if you use some sort of touch-pad input that requires machine-made controllers and covering the entire input board and pad with solid plastic it will definitely make it more difficult to modify the devices at home (Assuming the input board only ever communicates over an encrypted channel).
Then again even if it’s more difficult it’s still possible so you have to rely on physical security from the start. Encrypted communications are still susceptible to man-in-the-middle attacks that can be done at home (Intercepting and issuing fake keys for example).
It’s been a while since I watched these so I can’t remember which is more relevant, but it’s hardly a new idea.
http://events.ccc.de/congress/2008/Fahrplan/events/2953.en.html
http://events.ccc.de/congress/2007/Fahrplan/events/2289.en.html
@MAV “I rarely see people make an effort to cover the pad whilst they’re typing their pin in.”
“True but then they need to get your card off you ,, and if they tried with me i’d beat em to within an inch of their lives ,, then beat em another three inches for good measure ; lol”
I watched this video a couple weeks ago before I read your response.
http://www.youtube.com/watch?v=4p6Ff7DcnBc
eh…sorry just wanted to post the link, not the full video box.
I thought the keypads were supposed to be tamper proof.
UK machines don’t work that way; the card is power driven into the machine and not returned until after you take your cash. There are link machines in shops that are similar, but no way on earth would I use one. Only machines I use are “hole in the wall types” (built into the brick wall of a retail outlet); as the card mechs are fairly standard, a skimmer would stick out like a sore thumb.
So that would leave scam 2, but as your card release is interlocked on our machines, your card spends only enough time to get from slot to wallet, and as the drug addicts here will happily mug your granny for a score, you’re always on guard.
I stick to my original comment, someone would be in for a good kicking if they tried it on with me :)
I always wiggle the slot where the card goes in and check for hidden cameras watching the keypad before I use any ATM…
fucking kids you know shit about how electronics work get real.
This wasn’t done by hackers. It wasn’t done by white people. It wasn’t done by people wearing shirts. It was done by criminals. The word for someone who commits a crime is criminal, NOT HACKER. Fucking hackaday should know that if anyone should. Fuckers.