
Hackaday Links: June 27, 2021

When asked why he robbed banks, career criminal Willie Sutton is reported to have said, “Because that’s where the money is.” It turns out that a reporter made up the quote, but it’s a truism that offers by extension insight into why ATMs and point-of-sale terminals are such a fat target for criminals today. There’s something far more valuable to be taken from ATMs than cash, though — data, in the form of credit and debit card numbers. And taking a look at some of the hardware used by criminals to get this information reveals some pretty sophisticated engineering. We’d heard of ATM “skimmers” before, but never the related “shimmers” that are now popping up, at least according to this interesting article on Krebs.

While skimmers target the magnetic stripe on the back of a card, shimmers are aimed at reading the data from card chips instead. Shimmers are usually built on flex PCBs and are inserted into the card slot, where traces on the device make contact with the chip reader contacts. The article describes a sophisticated version of a shimmer that steals power from the ATM itself, rather than requiring a separate battery. The shimmer sits inside the card slot, completely invisible to external inspection (sorry, Tom), and performs what amounts to man-in-the-middle attacks. Card numbers are either stored on the flash and read after the device is retrieved, or are read over a Bluetooth connection; PINs are stolen with the traditional hidden camera method. While we certainly don’t condone criminal behavior, sometimes you just can’t help but admire the ingenuity thieves apply to their craft.

In a bit of foreshadowing into how weird 2020 was going to be, back in January of that year we mentioned reports of swarms of mysterious UAVs moving in formation at night across the midwest United States. We never heard much else about this — attention shifted to other matters shortly thereafter — but now there are reports out of Arizona of a “super-drone” that can outrun law enforcement helicopters. The incidents allegedly occurred early this year, when a Border Patrol helicopter pilot reported almost colliding with a large unmanned aerial system (UAS) over Tucson, and then engaged it in a 70-mile chase at speeds over 100 knots. The chase was joined by a Tucson police helicopter, with the UAS reaching altitudes of 14,000 feet at one point. The pilots didn’t manage to get a good look at it, describing it only as having a single green light on its underside. The range on the drone was notable; the helicopter pilots hoped to exhaust its batteries and force it to land or return to base, but they themselves ran out of fuel long before the drone quit. We have to admit that we find it a little fishy that there’s apparently no photographic evidence to back this up, especially since law enforcement helicopters are fairly bristling with sensors, cameras, and spotlights.

When is a backup not a backup? Apparently, when it’s an iCloud backup. At least that’s the experience of one iCloud user, who uses a long Twitter thread to vent about the loss of many years of drawings, sketches, and assorted files. The user, Erin Sparling, admits their situation is an edge case — he had been using an iPad to make sketches for years, backing everything up to an iCloud account. When he erased the iPad to loan it to a family member for use during the pandemic, he thought he’d be able to restore the drawings from his backups, but alas, more than six months had passed before he purchased a new iPad. Apparently iCloud just up and deletes everything if you haven’t used the account in six months — ouch! We imagine that important little detail was somewhere in the EULA fine print, but while that’s not going to help Erin, it may help you.

And lest the Apple pitchfork crowd think that this is something only Cupertino could think up, know that some Western Digital external hard drive users are crying into their beer too, after a mass wiping of an unknown number of drives. The problem impacts users of the WD My Book Live storage devices, which are basically network attached storage (NAS) devices with a cloud-based interface. The data on these external drives is stored locally, but the cloud interface lets you configure the device and access the data from anywhere. You and apparently some random “threat actors”, as WD is calling them, who seem to have gotten into some devices and performed a factory reset. While we feel for the affected users, it is worth noting that WD dropped support for these devices in 2015; six years without patching makes a mighty stable codebase for attackers to work on. WD is recommending that users disconnect these devices from the internet ASAP, and while that seems like solid advice, we can think of like half a dozen other things that need to get done to secure the files that have accumulated on these things.

And finally, because we feel like we need a little palate cleanser after all that, we present this 3D-printed goat helmet for your approval. For whatever reason, the wee goat pictured was born with a hole in its skull, and some helpful humans decided to help the critter out with TPU headgear. Yes, the first picture looks like the helmet was poorly Photoshopped onto the goat, but scroll through the pics and you’ll see it’s really there. The goat looks resplendent in its new chapeau, and seems to be getting along fine in life so far. Here’s hoping that the hole in its skull fills in, but if it doesn’t, at least they can quickly print a new one as it grows.

 

Faulty Parking Meter Tracking System? RFID To The Rescue!

How often do you see problems that need fixing? How often do you design your own solutions to them — even if they won’t be implemented at scale? Seeing that many of the municipal parking lots in his native Sri Lanka use a paper ticketing system which is prone to failure, [Shazin Sadakath] whipped up his own solution: an efficient RFID tag logging system.

Digging out an HZ-1050 RFID reader — as well as an RFID card and two tags — [Sadakath] set to work connecting it to his Raspberry Pi and cooking up a batch of code and a dashboard to work with. A Python script — using a PiGPIO library — reads the Wiegand Format RFID number, storing it in an SQLite3 database. A Bootstrap, JavaScript, and jQuery trifecta make up the dashboard that pulls the RFID info from said server and organizes it into a functional format.
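As an added illustration (not [Sadakath]'s code), here is how a Wiegand frame can be validated and logged to SQLite. It assumes the common 26-bit layout (even parity bit, 8-bit facility code, 16-bit card number, odd parity bit) and that the reader callback hands over the frame as an integer; all function names and the table schema are hypothetical.

```python
import sqlite3


def encode_wiegand26(facility, card):
    """Build a 26-bit frame; used here only to construct sample input."""
    data = ((facility & 0xFF) << 16) | (card & 0xFFFF)  # 24 data bits
    even = bin((data >> 12) & 0xFFF).count("1") % 2     # first 13 bits sum even
    odd = 1 - bin(data & 0xFFF).count("1") % 2          # last 13 bits sum odd
    return (even << 25) | (data << 1) | odd


def decode_wiegand26(value):
    """Return (facility, card), or None if the frame fails its parity checks."""
    if not 0 <= value < (1 << 26):
        return None
    bits = [(value >> (25 - i)) & 1 for i in range(26)]  # MSB first
    if sum(bits[:13]) % 2 != 0 or sum(bits[13:]) % 2 != 1:
        return None
    return (value >> 17) & 0xFF, (value >> 1) & 0xFFFF


def log_read(conn, value, ts):
    """Store a read only if it decodes cleanly; return the decoded pair or None."""
    decoded = decode_wiegand26(value)
    if decoded is not None:
        conn.execute(
            "INSERT INTO reads (ts, facility, card) VALUES (?, ?, ?)",
            (ts, *decoded),
        )
    return decoded


def demo():
    """Log one clean read and one corrupted read; return the stored rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reads (ts REAL, facility INTEGER, card INTEGER)")
    good = encode_wiegand26(42, 12345)  # constructed sample tag
    noisy = good ^ (1 << 10)            # same frame with one bit flipped
    log_read(conn, good, 1.0)
    log_read(conn, noisy, 2.0)
    return conn.execute("SELECT facility, card FROM reads").fetchall()


if __name__ == "__main__":
    print(demo())
```

The parity bits only catch line noise between reader and host; they say nothing about whether the tag itself is genuine.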


Compact EPaper Business Card

Is your business card flashy? Is it useful in a pinch? Do they cost $32 each and come with an ePaper display? No? Well, then feast your eyes on this over-the-top business card with an ePaper display by [Paul Schow]. Looking to keep busy and challenge himself with a low-power circuit in a small package, he set about making a business card that can be updated every couple of months instead of buying a new stack whenever he updated his information.

Having worked with ePaper before, it seemed to be the go-to option for [Schow] in fulfilling the ultra-low power criteria of his project — eventually deciding on a 2″ display. Also looking to execute this project at speed, he designed the board in KiCad over a few hours after cutting it down to simply the power control, the 40-pin connector and a handful of resistors and capacitors. In this case, haste made waste in the shape of the incorrect orientation of the 40-pin connector and a few other mistakes besides. Version 2.0, however, came together as a perfect proof-of-concept, while 3.0 looks sleek and professional.


Reverse Engineering An ATM Card Skimmer

While vacationing in Bali, [Matt South] walked into a nice, secure, air-conditioned cubicle housing an ATM. Knowing card skimmers are the bane of every traveller, [Matt] did the sensible thing and jiggled the card reader and the guard that hides your PIN when punching it into the numeric keypad. [Matt] found the PIN pad shield came off very easily and was soon the rightful owner of a block of injection molded plastic, a tiny camera, and a few bits of electronics.

The first thing that tipped [Matt] off to the existence of electronics in this brick of plastic was a single switch and a port with four contacts. These four pins could be anything, but guessing it was USB [Matt] eventually had access to a drive filled with 11GB of video taken from inside this PIN pad shield.

An investigation of the videos and the subsequent teardown of the device itself revealed exactly what you would expect. A tiny pinhole camera, probably taken from a ‘spy camera’ device, takes video whenever movement is detected. Oddly, there’s an audio track to these videos, but [Matt] says that makes sense; the scammers can hear the beeps made by the ATM with every keypress and correlate them to each button pressed.

Of course, the black hats behind this skimmer need two things: the card number, and the PIN. This tiny spy cam only gets the PIN, and there wasn’t a device over or in the card slot in the ATM. How did the scammers get the card number, then? Most likely, the thieves are getting the card number by sniffing the ATM’s connection to the outside world. It’s a bit more complex than sticking a magnetic card reader over the ATM’s card slot, but it’s harder to detect.

Hacking Oklahoma State University’s Student ID Cards

[Sam] took an information security class at Oklahoma State University back in 2013. For his final project, he and a team of other students had to find a security vulnerability and then devise a theoretical plan to exploit it. [Sam’s] team decided to focus on the school’s ID cards. OSU’s ID cards are very similar to credit cards. They are the same size and shape, they have data encoded on a magnetic strip, and they have a 16 digit identification number. These cards were used for several different purposes. Examples include photo ID, physical access to some areas on campus, charges to an online account, and more.

[Sam] and his team analyzed over 100 different cards in order to get a good sample. They found that all cards started with the same eight digits. This is similar to the issuer identification number found in the first six digits of a credit card number. The analysis also showed that there were only three combinations used for the next two digits. Those were either 05, 06, or 11. With the remaining six digits free, the total number of possible card numbers works out to three million (three prefixes times one million values).

OSU also had a URL printed on the back of each card. This website had a simple form with a single field. The user can enter in a 16 digit card number and the system would tell the user if that card was valid. The page would also tell you if the card holder was an employee, a student, or if there were any other special flags on the card. We’re not sure why every student would need access to this website, but the fact is that the URL was printed right on the back of the card. The website also had no limit to how many times a query could be made. The only hint that the university was aware of possible security implications was the disclaimer on the site. The disclaimer mentioned that usage of the tool was “logged and tracked”.

The next step was to purchase a magnetic card reader and writer. The team decoded all of the cards and analyzed the data. They found that each card held an expiration date, but the expiration date was identical for every single card. The team used the reader/writer to copy the data from [Sam’s] card and modify the name. They then wrote the data back onto a new, blank magnetic card. This card had no printing or markings on it. [Sam] took the card and was able to use it to purchase items from a store on campus. He noticed that the register reached back to a server somewhere to verify his real name. It didn’t do any checks against the name written onto the magstripe. Even so, the cashier accepted a card with no official markings.

The final step was to write a Node.js script to scrape the number verification website. With just 15 lines of code, the script will run through all possible combinations of numbers in a random sequence and log the result. The website can handle between three and five requests per second, which means that brute forcing all possible combinations can be completed in roughly two days. These harvested numbers can then be written onto blank cards and potentially used to purchase goods on another student’s account.

[Sam’s] team offers several recommendations to improve the security of this system. One idea is to include a second form of authorization, such as a PIN. The PIN wouldn’t be stored on the card, and therefore can’t be copied in this manner. The primary recommendation was to take down the verification website. So far OSU has responded by taking the website offline, but no other changes have been made.
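The lookup page described above had no query limit, which is what made enumeration practical. As an added sketch (not from [Sam]'s report or OSU's systems), the following shows a per-client sliding-window limit on distinct card numbers, replayed over a constructed access log; the window, the budget, the log format, and the card numbers are all assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60     # assumed look-back window
MAX_DISTINCT_CARDS = 5  # assumed budget of distinct card numbers per client


class LookupGuard:
    """Per-client sliding-window limit on distinct card numbers queried."""

    def __init__(self, window=WINDOW_SECONDS, max_distinct=MAX_DISTINCT_CARDS):
        self.window = window
        self.max_distinct = max_distinct
        self._events = defaultdict(deque)  # client -> deque of (ts, card)

    def allow(self, client, card, ts):
        events = self._events[client]
        while events and ts - events[0][0] >= self.window:
            events.popleft()               # forget lookups outside the window
        distinct = {c for _, c in events}
        if card not in distinct and len(distinct) >= self.max_distinct:
            return False                   # new number, but budget is spent
        events.append((ts, card))
        return True


def replay(log_lines, guard=None):
    """Replay 'timestamp client card' lines; return {client: denied_count}."""
    guard = guard or LookupGuard()
    denied = defaultdict(int)
    for line in log_lines:
        ts, client, card = line.split()
        if not guard.allow(client, card, float(ts)):
            denied[client] += 1
    return dict(denied)


# Constructed sample log: one user re-checking a single card every 30 s, and
# one client walking sequential numbers at four requests per second.
SAMPLE_LOG = [f"{i * 30} 198.51.100.7 0000000005000001" for i in range(10)]
SAMPLE_LOG += [f"{i * 0.25:.2f} 203.0.113.9 00000000110{i:05d}" for i in range(40)]

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

A limit keyed on client address only slows a single source, so it complements rather than replaces the team's recommendations of a PIN and removing the public lookup.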


Simple Hack Puts An RFID Tag Inside Your Mobile Phone

RFID security systems have become quite common these days. Many corporations now use RFID cards, or badges, in place of physical keys. It’s not hard to understand why. They easily fit inside of a standard wallet, they require no power source, and the keys can be revoked with a few keystrokes. No need to change the locks, no need to collect keys from everyone.

[Shawn] recently set up one of these systems for his own office, but he found that the RFID cards were just a bit too bulky for his liking. He thought it would be really neat if he could just use his cell phone to open the doors, since he always carries it anyways. He tried searching for a cell phone case that contained an RFID tag but wasn’t able to come up with anything at the time. His solution was to do it himself.

[Shawn] first needed to get the RFID tag out of the plastic card without damaging the chip or antenna coil. He knew that acetone can be used to melt away certain types of plastic and rubber, and figured he might as well try it out with the RFID card. He placed the card in a beaker and covered it with acetone. He then sealed the beaker in a plastic bag to help prevent the acetone from evaporating.

After around 45 minutes of soaking, [Shawn] was able to peel the plastic layers off of the electronics. He was left with a tiny RFID chip and a large, flat copper coil. He removed the cover from the back of his iPhone 4S and taped the chip and coil to the inside of the phone. There was enough room for him to seal the whole thing back up underneath the original cover.

Even though the phone has multiple radios, they don’t seem to cause any noticeable interference. [Shawn] can now just hold his phone up to the RFID readers and open the door, instead of having to carry an extra card around. Looking at his phone, you would never even know he modified it.

[Thanks Thief Dark]

An Attempt To Replace Multiple RFID Cards With A Single Hacked-together Tag

It’s kind of a convoluted title, but [Hudson’s] attempt to replace multiple HID Prox cards with one AVR chip didn’t fully pan out. The project started when he wanted to reduce the number of RFID access cards he carries for work down to just one. The cards use the HID Proximity protocol which is just a bit different from the protocols used in most of the hobby RFID projects we see. He ended up taking an AVR assembly file that worked with a different protocol and edited it for his needs.

The device above is the complete replacement tag [Hudson] used. It’s just an AVR ATtiny85 and a coil made of enameled wire. The coil picks up current from the card reader’s magnetic field, and powers the chip through the leakage on the input pins (we’ve seen this trick a few times before). The idea he had was to store multiple codes on the device and send them all in a row. He was able to get the tag to work for just one code, but the particulars of the HID Prox reader make it difficult if not impossible to send multiple codes. The card must send the same code twice in a row, then be removed from the magnetic field before the reader will poll for another combination.