Last week we reported on some work that Sparkfun had done in reverse engineering a type of hardware card skimmer found installed in gasoline pumps incorporating card payment hardware. The device in question was a man-in-the-middle attack, a PIC microcontroller programmed to listen to the serial communications between card reader and pump computer, and then store the result in an EEPROM.
The devices featured a Bluetooth module through which the crooks could harvest the card details remotely, and this in turn provides a handy way to identify them in the wild. If you find a Bluetooth connection at the pump bearing the right identification and with the right password, it can then be fingered as a skimmer by a simple response test. And to make that extra-easy they had written an app, which when we reported on it was available from a GitHub repository.
In a public-spirited move, they are now calling upon the hardware hacker and maker community to come together today, Monday, September 25th, and draw as much attention as possible to these devices in the wild, and with luck to get a few shut down. To that end, they have put a compiled version of the app in the Google Play Store to make it extra-easy to install on your phone, and they are asking for your help. They are asking for people to first read their tutorial linked above, then install the app and take it on the road. Then should any of you find a skimmer, please Tweet about it including your zip code and the #skimmerscanner hashtag. Perhaps someone with a bit of time on their hands might like to take such a feed of skimmer location data and map it.
It would be nice to think that this work might draw attention to the shocking lack of security in gas pumps that facilitates the skimmers, disrupt the finances of a few villains, and even result in some of them getting a free ride in a police car. We can hope, anyway.
In the early 1980s, there was a plethora of 8-bit microcomputers on the market, and the chances are that if you were interested in such things you belonged to one of the different tribes of enthusiasts for a particular manufacturer’s product. If you are British, though, there is likely to be one machine that will provide a common frame of reference for owners of all machines of that era: the Acorn BBC Microcomputer, which was ubiquitous in the nation’s schools. This 6502-driven machine is remembered today as the progenitor and host of the first ARM processors, but at the time was notable for the huge array of built-in interfaces it contained. Its relatively high price, though, meant that convincing your parents to buy you one instead of a ZX Spectrum was always going to be an uphill struggle.
To be fair, running classic hardware on an FPGA is nothing new and there have been a few BBC Micros implemented in this way, not to mention an Acorn Atom. But this project builds on the previous FPGA BBC Micros by porting it entirely to Verilog and incorporating some of the bug fixes from their various forks. There are screenshots of the result running several classic games, as well as test screens and a benchmark revealing it to be a faithful reproduction of a 2MHz BBC Micro.
In unlocking the extra performance, he takes readers through a primer on the device tree, and is happy to report that his transfer rate has increased from 26 to 36 MB/s, a tidy return on his work.
However, the story doesn’t end there. The 8GB Samsung eMMC chip wasn’t quite as roomy as he’d have liked, so it was time to replace it with a 32GB version. Even with careful desoldering, he managed to lift a few pads, though very fortunately they were ones that were either NC or power rails that were duplicated elsewhere. Some tricky reflowing of what is quite a formidable BGA package to do by hand, and he was rewarded with a working board featuring higher flash capacity. We salute him for taking it on, we probably wouldn’t have had the courage.
When your publication is about to hold a major event on your side of the world, and there will be a bring-a-hack, you abruptly realise that you have to do just that. Bring a hack. With the Hackaday London Unconference in the works this was the problem I faced, and I’d run out of time to put together an amazing PCB with beautiful artwork and software-driven functionality to amuse and delight other attendees. It was time to come up with something that would gain me a few Brownie points while remaining within the time I had at my disposal alongside my Hackaday work.
Since I am a radio enthusiast at heart, I came up with the idea of a badge that the curious would identify as an FM transmitter before tuning a portable radio to the frequency on its display and listening to what it was sending. The joke would be of course that they would end up listening to a chiptune version of [Rick Astley]’s “Never gonna give you up”, so yes, it was going to be a radio Rickroll.
I evaluated a few options, and ended up with a Raspberry Pi Zero as an MP3 player through its PWM lines, feeding through a simple RC low-pass filter into a commercial super-low-power FM transmitter module of the type you can legally use with an iPod or similar to listen on a car radio. To give it a little bit of individuality I gave the module an antenna, a fractal design made from a quarter wavelength of galvanised fence wire with a cut-off pin from a broken British mains plug as a terminal. The whole I enclosed in a surplus 8mm video cassette case with holes Dremeled for cables, with the FM module using its own little cell and the Pi powered from a mobile phone booster battery clipped to its back. This probably gave me a transmitted field strength above what it should have been, but the power of those modules is so low that I am guessing the sin against the radio spectrum must have been minor.
At the event, a lot of people were intrigued by the badge, and a few of them were even Rickrolled by it. But for me the most interesting aspect lay not in the badge itself but in its components. First I looked at making a PCB with MP3 and radio chips, but decided against it when the budget edged towards £20 ($27). Then I looked at a Raspberry Pi running PiFM as an all-in-one solution with a little display HAT, but yet again ran out of budget. An MP3 module, Arduino clone, and display similarly became too expensive. Displays, surprisingly, are dear. So my cheapest option became a consumer FM module at £2.50 ($3.37) which already had an LCD display, and a little £5 ($6.74) computer running Linux that was far more powerful than the job in hand demanded. These economics would have been markedly different had I been manufacturing a million badges, but made a mockery of the notion that the simplest MCU and MP3 module would also be the cheapest.
We’ve all heard of card skimmers, nefarious devices that steal the identity of credit and debit cards, attached to ATMs and other machines in which unsuspecting consumers use them. Often they have relied on physical extraction of data from the card itself, such as by inserting a magnetic stripe reader in a fake ATM fascia, or by using a hidden camera to catch a picture of both card and user PIN entry.
The folks at Sparkfun write about an approach they received from a law enforcement agency bearing a selection of card skimmer devices that had been installed in gasoline pumps. These didn’t rely on interception of the card itself; instead, they sat as a man-in-the-middle attack in the serial line between the card reader unit and the pump electronics. Let that sink in for a minute: a serial line that is readily accessible to anyone with the pump manufacturer’s standard key carries card data in an unencrypted form. The owner of the skimming device is the criminal, but the company leaving such a wide-open vulnerability should really be joining them in having to answer to authorities.
The device itself is quite simple and well-executed, though it appears that attachment of wires and connectors is a job left to the crook. Some boards boast excellent soldering, while others have joints that are, well, simply criminal. On the board is a PIC microcontroller, a serial Flash chip, and a commodity Bluetooth module. This last component provides the means for the miscreant to harvest their ill-gotten gains, and incidentally a handy means by which compromised pumps can be identified. The Sparkfun people have provided an Android app that interrogates any modules it encounters, and warns of any that return the signature of a skimmer.
It is sad to say that some level of crime is an inevitable feature of the human condition, and therefore it should not be an unreasonable expectation that any entity with which we trust our sensitive data, such as a credit card number, should take reasonable steps to ensure its security. If a bank transported customer cash through the streets as bundles of $10 bills in open handcarts it is likely that they would get into trouble very quickly, so the fact that the pump manufacturers send card information in the clear over such a readily accessible medium should be a scandal of similar magnitude. That financial institutions prefer to cover up the problem and shift the loss onto the gas stations rather than mandate better device security from the pump manufacturers speaks volumes about their misplaced priorities.
The Mars Climate Orbiter was a spacecraft launched in the closing years of the 1990s, whose job was to have been to study the Martian atmosphere and serve as a communications relay point for a series of other surface missions. It is famous not for its mission achieving these goals, but for the manner of its premature destruction as its orbital insertion brought it too close to the planet’s atmosphere and destroyed it.
The cause of the spacecraft entering the atmosphere rather than orbiting the planet was found in a subsequent investigation to be a very simple one. Simplifying matters to an extent, a private contractor supplied a subsystem which delivered a reading whose units were in the imperial system, to another subsystem expecting units in the SI, or metric system. The resulting huge discrepancy caused the craft to steer towards the surface of the planet rather than the intended orbit, and caused the mission to come to a premature end. Billions of dollars lost, substantially red faces among the engineers responsible.
This unit cock-up gave metric-using engineers the world over a brief chance to feel smug, as well as, if they were being honest, a chance to reflect on their good fortune at it not having happened on their watch. We will all at some time or another have made an error with respect to our unit calculations, even though in most cases it’s more likely to have involved a simple loss of a factor of ten, and not with respect to a billion-dollar piece of space hardware.
But it also touches on one of those fundamental divides in the world between the metric and imperial systems. It’s a divide that brings together threads of age, politics, geography, nationalism, and personal choice, and though it may be somewhere angels fear to tread (we’ve seen it get quite heated before to the tune of 885+ comments), it provides a fascinating subject for anyone with an interest in engineering culture.
A trip to London, for provincial Brits, is something of an undertaking from which you invariably emerge tired and slightly grimy following your encounter with the cramped mobile sauna of the Central Line, its meandering international sightseers, and stampede of besuited commuters heading for the City. Often your fatigue after such an expedition will be that following the completion of a Herculean labour, but just sometimes it will instead be the contented tiredness of a fulfilling and busy time well spent.
Such will be the state of the happy band of the Hackaday community who made it to London this weekend for our UK unconference held in association with our sponsor, DesignSpark. A Friday night bring-a-hack social in a comfortable Bloomsbury pub, followed by Saturday in an auditorium next to one of the former Surrey Commercial Docks for a day of back-to-back seven-minute talks laying out the varied and interesting work our readers are involved in.