Teardown: VeriFone MX 925CTLS Payment Terminal

Regular Hackaday readers may recall that a little less than a year ago, I had the opportunity to explore a shuttered Toys “R” Us before the new owners gutted the building. Despite playing host to the customary fixture liquidation sale that takes place during the last death throes of such an establishment, this particular location was notable because of how much stuff was left behind. It was now the responsibility of the new owners to deal with all the detritus of a failed retail giant, from the security camera DVRs and point of sale systems to the boxes of employee medical records tucked away in a back office.

Clipping from New York Post. September 24th, 2018.

The resulting article and accompanying YouTube video were quite popular, and the revelation that employee information including copies of social security cards and driver’s licenses were left behind even secured Hackaday and yours truly a mention in the New York Post. As a result of the media attention, it was revealed that the management teams of several other stores were similarly derelict in their duty to properly dispose of Toys “R” Us equipment and documents.

Ironically, I too have been somewhat derelict in my duty to the good readers of Hackaday. I liberated several carloads worth of equipment from Geoffrey’s fallen castle with every intention of doing a series of teardowns on them, but it’s been nine months and I’ve got nothing to show for it. You could have a baby in that amount of time. Which, incidentally, I did. Perhaps that accounts for the reshuffling of priorities, but I don’t want to make excuses. You deserve better than that.

So without further ado, I present the first piece of hardware from my Toys “R” Us expedition: the VeriFone MX 925CTLS. This is a fairly modern payment terminal with all the bells and whistles you’d expect, such as support for NFC and EMV chip cards. There’s a good chance that you’ve seen one of these, or at least something very similar, while checking out at a retail chain. So if you’ve ever wondered what’s inside that machine that was swallowing up your debit card, let’s find out.

Continue reading “Teardown: VeriFone MX 925CTLS Payment Terminal”

Tap ‘N Ghost: A Novel Attack Against Smartphone Touchscreens

Researchers have demonstrated a new vulnerability in NFC, a feature built-in to many smartphones sold today. The vulnerability allows the attacker to to generate ‘ghost taps’ against a device, effectively allowing an attacker to tap your phone without you looking.

The 18-page paper released by a team of three researchers based out of Waseda University in Japan consists of two techniques: an attack against NFC-enabled smartphones and an attack against capacitive touchscreens. It should be noted that nearly all phones have NFC, and nearly every phone released in the last decade has a capacitive touchscreen. Vunlnerable devices include, but are not limited to the Xperia Z4, the Galaxy S6 Edge, the Galaxy S4, Aquos Zeta SH-04F, Nexus 9, and Nexus 7.

The experimental setup consists of a signal generator, high-speed bipolar amplifier, a small transformer (taken from a toy plasma ball), a copper sheet, oscilloscope with high-voltage probe, and an NFC card emulator. No other special equipment is required. When the victim places their smartphone on a table top, the phone is fingerprinted, giving the attacker the make and model of phone. A dialog box then pops up and the phone connects to a network.

This attack can be replicated by anyone, and the tools required are simple and readily available. The mitigation is to disable NFC on your phone.

Continue reading “Tap ‘N Ghost: A Novel Attack Against Smartphone Touchscreens”

Ripping Up A Rothult

NFC locks are reaching a tipping point where the technology is so inexpensive that it makes sense to use it in projects where it would have been impractical months ago. Not that practicality has any place among these pages. IKEA carries a cabinet lock for $20USD and does not need any programming but who has a jewelry box or desk drawer that could not benefit from a little extra security? Only a bit though, we’re not talking about a deadbolt here as this teardown shows.

Rothult has all the stuff you would expect to find in an NFC scanner with a moving part. We find a microcontroller, RFID decoder, supporting passives, metal shaft, and a geartrain. The most exciting part is the controller which is an STM32L051K8 processor by STMicroelectronics and second to that is the AS3911 RFID reader from AMS. Datasheets for both have links in the teardown. Riping up a Rothult in the lab, we find an 25R3911B running the RFID, and we have a link to that PDF datasheet. Both controllers speak SPI.

There are a couple of things to notice about this lock. The antenna is a flat PCB-mounted with standard header pins, so there is nothing stopping us from connecting coax and making a remote antenna. The limit switches are distinct so a few dabs of solder could turn this into an NFC controlled motor driver. Some of us will rest easy when our coworkers stop kidnapping our nice pens.

Rothult first came to our attention in a Hackaday Links where a commenter was kind enough to tip us off to this teardown. Thanks, Pio! If this whets your appetite for NFC, we have more in store.

Which Wireless Is Right Wireless?

Back in the early days of Arduino proliferation (and before you ask, yes we realize there was a time before that too), wireless was a strange and foreign beast. IR communication was definitely a thing. And if you had the funds there was this cool technology called ZigBee that was available, often in funny blue house-shaped XBee boards. With even more funds and a stomach for AT commands you could even bolt on a 2G cell radio for unlimited range. WiFi existed too, but connecting it to a hobbyist ecosystem of boards was a little hairier (though maybe not for our readership).

But as cell phones pushed demand for low power wireless forward and the progression of what would become the Internet of marking Terms (the IoT, of course) began, a proliferation of options appeared for wireless communication. Earlier this week we came across a great primer on some of the major wireless technologies which was put together by Digikey earlier in the year. Let’s not bury the lede. This table is the crux of the piece:

There are some neat entries here that are a little less common (and our old friend, the oft-maligned and never market-penetrating ZigBee). It’s actually even missing some entries. Let’s break it down:

  • Extremely short range: Just NFC. Very useful for transferring small amount of sensitive information slowly, or things with high location-relevance (like between phones that are touching).
  • Short range: BLE, Zigbee, Z-Wave, etc. Handy for so-called Personal Area Networks and home-scale systems.
  • Medium/long range: Wifi, Bluetooth, Zigbee, Z-Wave, LoRaWAN: Sometimes stretching for a kilometer or more in open spaces. Useful for everything from emitting tweets to stitching together a mesh network across a forrest, as long as there are enough nodes. Some of these are also useful at shorter range.
  • Very Long range/rangeless: Sigfox, NB-IoT, LTE Category-0. Connect anywhere, usually with some sort of subscription for network access. Rangeless in the sense that range is so long you use infrastructure instead of hooking a radio up to a Raspberry Pi under your desk. Though LoRa can be a fun exception to that.

You’re unlikely to go from zero to custom wireless solution without getting down into the mud with the available dev boards for a few different common protocols, but which ones? The landscape has changed so rapidly over the years, it’s easy to get stuck in one comfortable technology and miss the appearance of the next big thing (like how LoRaWAN is becoming new cool kid these days). This guide is a good overview to help catch you up and help decide which dev kits are worth a further look. But of course we still want to hear from you below about your favorite wireless gems — past, present, and future — that didn’t make it into the list (we’re looking at you 433 MHz).

Hacker Pops Top On NFC Vending Machines

Vending machines used to be a pretty simple affair: you put some coins in, and food or drink that in all likelihood isn’t fit for human consumption comes out. But like everything else today, they are becoming increasingly complex Internet connected devices. Forget fishing around for pocket change; the Coke machine at the mall more often than not has a credit card terminal and a 30 inch touch screen display to better facilitate dispensing cans of chilled sugar water. Of course, increased complexity almost always goes hand in hand with increased vulnerability.

So when [Matteo Pisani] recently came across a vending machine that offered users the ability to pay from an application on their phone, he immediately got to wondering if the system could be compromised. After all, how much thought would be put into the security of a machine that basically sells flavored water? The answer, perhaps not surprisingly, is very little.

The write-up [Matteo] has put together is an outstanding case study in hacking Android applications, from pulling the .apk package off the phone to decompiling it into its principal components with programs like apktool and jadx. He even shows how you can reassemble the package and get it suitable for reinstallation on your device after fiddling around with the source code. If you’ve ever wanted a crash course on taking a peek inside of Android programs, this is a great resource.

By snooping around in the source code, [Matteo] was able to discover not only the location of the encrypted database that serves as the “wallet” for the user, but the routine that generates the encryption key. To cut a long story short, the program simply uses the phone’s IMEI as the key to get into the database. With that in hand, he was able to get into the wallet and give himself a nice stack of “coins” for the next time he hit the vending machines. Given his new-found knowledge of how the system works, he even came up with a separate Android app that allows adding credit to the user’s account on a rooted device.

In the video after the break, [Matteo] demonstrates his program by buying a soda and then bumping his credit back up to buy another. He ends his write-up by saying that he has reported his findings to the company that manufacturers the vending machines, but no word on what (if any) changes they plan on making. At the end of the day, you have to wonder what the cost-befit analysis looks like for a full security overhaul when when you’re only selling sodas and bags of chips.

When he isn’t liberating carbonated beverages from their capitalistic prisons, he’s freeing peripherals from their arbitrary OS limitations. We’re starting to get a good idea about what makes this guy tick.

Continue reading “Hacker Pops Top On NFC Vending Machines”

Samy Kamkar: Reverse Engineering For A Secure Future

Show of hands: how many of you have parked your car in the driveway, walked up to your house, and pressed your car’s key fob button thinking it would open the front door? We’ve probably all done it and felt a little dopey as a result, but when you think about it, it would be tremendously convenient, especially with grocery bags dangling off each arm and the mail clenched between your teeth. After all, we’re living in the future —  shouldn’t your house be smart enough to know when you’re home?

Reverse engineer par excellence Samy Kamkar might think so, but given his recent experiences with cars smart enough to know when you’re standing outside them, he’d probably have some reservations. Samy dropped by the 2017 Hackaday Superconference in November to discuss the finer points of exploiting security flaws in passive car entry systems, and also sat down with our own Elliot Williams after his talk for a one-on-one interview. Samy has some interesting insights on vehicle cybersecurity, but the practical knowledge he’s gained while exploring the limits of these systems teach some powerful lessons about being a real-world reverse engineer.

Continue reading “Samy Kamkar: Reverse Engineering For A Secure Future”

Homebrew SNES Mini Aims For Historical Accuracy

While “normies” are out fighting in the aisles of Walmart to snap up one of the official “Classic Mini” consoles that Nintendo lets slip out onto the market every once and awhile, hackers have been perfecting their own miniature versions of these classic gaming systems. The “Classic Mini” line is admittedly a very cool way to capitalize on nostalgic masses who have now found themselves at the age where they have disposable income, but the value proposition is kind of weak. Rather than being stuck with the handful of generation-limited games that Nintendo packed into the official products, these homebrew consoles can play thousands of ROMs from systems that stretch across multiple generations and manufacturers.

But for those old enough to remember playing on one of these systems when they first came out, these modern reincarnations always lack a certain something. It never feels quite right. That vaguely uncomfortable feeling is exactly what [ElBartoME] is aiming to eliminate with his very slick miniature SNES build. His 3D printed case doesn’t just nail the aesthetics of the original (PAL) console, but the system also uses real SNES controllers in addition to NFC “cartridges” to load different ROMs.

The project’s page on Thingiverse has all the wiring diagrams and kernel configuration info to get the internal Raspberry Pi 3 to read an original SNES controller via the GPIO pins. He also gives a full rundown on the hardware and software required to get the NFC-enabled cartridges working with EmulationStation to launch the appropriate game when inserted. Though he does admit this is quite a bit trickier than the controller setup.

[ElBartoME] has put a video up on YouTube that shows him inserting his mock cartridges and navigating the menus with an original SNES controller. If it wasn’t for the fact that the console is the size of a smartphone and the on-screen display is generations beyond what the SNES could pull off, you’d think he was playing on the real thing.

We’ve seen some incredibly impressive emulation boxes based on the Raspberry Pi, and builds which tried to embrace original hardware components, but this particular project may represent the best of both worlds.

Continue reading “Homebrew SNES Mini Aims For Historical Accuracy”