This is Alex and Micos, and I had to practice like 10 times. Speaking about point of sale vulnerabilities, specifically in places that the TSA won't like, so be nice to them because they're probably stuck here. Gentlemen.
>> Hello. Thank you. Thank you for the introduction. We're going to present a case study of an attack on a POS that takes place in an airport. This is a real airport, but we're not going to disclose the name. So, our presentation, and now I give this to Mr. Alex.
>> So, we're going to discuss specially involved POS attacks, but before we talk about that let's discuss why they choose to target travelers. So travelers are really vulnerable people. They're running around trying to catch a flight and they don't think about what kind of wireless access they use, or what, especially if they trust the place in which they're using it, let's say an airport. It's supposed to be a very trustworthy place. So you have a number of travelers running around, carrying many devices and trying to juggle around trying to catch a flight, and he guards his mobile phone, laptop, tablet, maybe his corporate mail. I know most of you think that's not a secret service guy, so we're talking about these guys, too.
So let's get a closer look at the point of sale attack interpretation. It's a little bit different than usual, from what we usually know about POS attacks where we target credit card details. In our case we're trying to identify the traveler, so we're looking at the names, the traveler, his flight number, his seat, who he is communicating with, and in the worst case we're trying to get the passport ID. So we're talking about this stuff and not credit cards, which is usually what happens in POS attacks.
So let's go through the ways a point of sale attack is usually introduced. There are three ways. We're talking about the first one in our case, but I'll go through all three of them.
So the first thing is when a system has unpatched vulnerabilities: someone might find out and expose the whole system and get the information he needs out of the system.
The second way is maybe an employee of a company who is not aware of how things work with security sends a mail, a link or whatever and introduces a trojan into the company's network, and it reaches the point of sale system, so that's where you get the information from.
Or the third way is that the employee himself is the bad guy, the inside man that produces the malware in order to do harm.
So first of all, who is going to benefit from this? Okay. Well, there are three, maybe more, but I'm quoting three here: cyber criminals, usually for identity theft in the case of passwords and stuff. Private investigators who just want to find you, or maybe the government if they want to find you.
What do you get out of a point of sale attack? As I said before, we're trying to profile the traveler; we don't get airport data to do so, we do it on our own. So what we can achieve, at the end of getting the information, is that we can find out the destination and perform queries like who's traveling from Greece to Germany in the last month, or which company is used by most travelers, or what class were these travelers traveling? Or on a specific flight and date, who was traveling.
So here's the case study now. We're talking about a real airport and this really happened. So the airport has different systems that can be exploited the way we're describing here in order to see information. So we have the check-in kiosks, which probably you've all used before. There are some systems that we have exploited where you can purchase wi-fi time and get other information, which you can usually find in many airports. Also we can find internet access points, and all of them hold information that could be found useful by us attackers in order to exploit the traveler.
Let's get some more information about the airport, how big the attack vector that we're dealing with is and how many people are affected. These are from the specific airport: we're talking about an average of 12 million travelers per year, of whom, as you can see (these are from 2012), 30% are business passengers, which are really more interesting to attack or learn more about.
The first two numbers are real, but the last one is the hypothesis that says 100% of them are using the POS system. 36,000 people can be attacked per year. Seems small, but it isn't that small.
>> No, keep going.
>> Okay. I'll continue. So we chose to attack this; it seemed better than the rest, seemed to have less security. It's supposed to even let you buy wi-fi time and give change back; you can check your flight details by scanning your ticket and you can also make VOIP calls, it has a web cam in it, and there were six machines in there.
>> Excuse me for a second. May I take the podium for a quick second?
>> So we have a first time speaker, and for those of you who are not familiar, for a first time speaker.
>> We have a little bit of a welcome tradition here and unfortunately we don't have any vodka. But yeah, next time
>> You guys are from Greece?
>> We got the wrong information.
>> A little bit of support. Here. Are you good?
>> I'm better now.
>> Would you like some help?
>> No, no.
>> Thank you guys. So I'll give the slide from the beginning because I'm drunk now. So wi-fi, you can buy wi-fi time, they accept coins and bills and they give you change back. You can check your flight by scanning the bar code on your ticket and you can make VOIP calls on them. There are six perfectly placed around the airport, so what better things to attack? So let's go a little bit more. On them there's a screen of the wi-fi interface, this is for the VOIP calls, and this is the simplest attack you can do on them: press alt tab and escape the front end. Also yes, the thing didn't work from the left but it worked from the right. So, but it's not the worst thing. They also had the USB port open. So you can understand what's going on here.
>> Excuse me. It was clearly visible when you went in upstairs from arrivals to departures, so when you get upstairs via the automated stairs you can clearly --
>> You are like oh --
>> So, so, okay. After going on a bit more about the system, we saw that the escape used Windows 7, they had a connect because of the protocols, it was getting worse and worse, because if you hit the escape button there were processes running in the background that were giving you full control of the system, so they were running in the background. So you sent some money, which we did without using the machine: we clicked how much we want and we said pay, and you know slot machines you've seen are worse than, I mean they're harder to get money from. This is real easy. So okay, some more victims here. The communication with the process behind the front end is talking to the back end. This makes sense. It's in Greek but I will explain. This is how much money is in there. Around 500 euros are missing, and the good thing is we find how much money we want to get out of them. Where you can see down there, you just pick how much money you want and there's a pay button in the middle. Get the money out of the system. So you want to talk about how we --
>> So why did this happen? This happens because we're using the airport to go around the world working in the security industry, so when this was found we decided to inform the airport, because it's not only the risk of losing money at the airport, it's also things an attacker can do with these types of skills, so we decided to call the airport. When we called the airport they didn't believe us. They said no, there's no way. And then we called again. And it was one week's time before they sent people to check it. After one week they called us back and told us you are lying, this is not possible to happen because we checked and it is not happening. We insisted, we said no, it happened. They said come here. So we went there, showed them the bug.
So after a while they decided to fix the alt tab issue, and then we decided to see who can do further stuff regarding the point of sale at the airport and everywhere else. But we did more testing after they fixed the alt tab, and there's still a possibility to have access from the Skype interface that locates your flight.
They do a fork from Skype and Internet Explorer, from where you can see your flight status and when your flight arrives. Then you can get access to XML, and then you can get access to whatever you want from there; you can download whatever malware you want. Also Internet Explorer is an old version, so it's probably exploitable. We can't show you this stuff because it's highly illegal.
>> So this, we found these extra bugs, and the other was the bar code. So you have a lot of point of sales, you have this infrared scanner, and from there they pass product bar codes, they send information back to the machines, so we decided to build an application that would generate not so random bar codes or QR codes for applications.
Here you can see the interface; you can see that there's a map showing the flag. If you point there, then it opens up a Gmail account to the mail to send to look in, and uses Google Maps for the information. It will be exposed again after they are fixed, okay, so you can have the pay option.
>> It was a really bad application. The service we've seen before, this black screen, this one. If you close this window the call service went down, so they executed something like CNV cell and then it will run the application, something like that. Whenever you scan the code there, the code was displayed in this console, okay? So that's one of the things: you can take information from the bar code.
We will see the maps and we will go to the mail account information. Here you can pay yourself, and so we found that it was very interesting. They also have web cams in it. So if you own this part of the network you can possibly monitor all of the cameras in these machines, so you can take pictures of all of the passengers passing by. These were placed in important places inside the airport, so you can have a very good view of the passengers going in or out.
Then, the malware must have RAM scraping capabilities so they can take the information from the RAM of the machine. And the fast way will be able to pass the infrared in the interface and cause more errors. So here's the camera; we're having issues because we cannot see the image here. The functionality of the kiosk: so whenever you went to buy wireless time, you had the ability to get flight information, so you scan your boarding pass, the QR code in the boarding pass, and then compare it back with the web service, whether the flight is on time or your information is valid. That means that the kiosk has access to a service to confirm passengers; if it turns back the flight information, everything is valid. Or if there is a possibility for the application. Also there's a possibility to do net reports, to Skype, to wherever we go. From what we saw it was possible to access whatever you wanted on the internet from that kiosk, so I will tell you later and he will continue with the possible risks posed.
>> So this talks more about the code. Your ticket, a bar-coded boarding pass. It was a bar code introduced by the International Air Travel Association in 2005, and more than 200 airlines use them, and some of them have a mobile version. What we saw is that the more common is the PDF417, and for the digital type it's Aztec code or Datamatrix and QR code. Because we couldn't extract all of them, we decided to do one from paper and one from digital; we talk about and prove our things in real life with the tool that we've developed.
So, information about PDF417. The linear bar code we saw is used in transportation, identification and inventory management, and what a ticket looks like inside is like this: this is a QR code, a PDF417 code that I scanned from a real ticket and it belongs to me, and there's information inside it. You can see the data under the QR code, under the bar code, and I have broken down the information of each field so you can see my name, my flight, my booking, where I'm sitting and from where I booked the ticket and which airline I'm using, passenger seat, everything is there. So you know everything about my flight. Also you can see if I am business class or what type of, first class or what class I'm flying.
Also again, without the code here, we're talking about the digital version of the same thing; it's usually present in mobile phones and handheld devices where you can see the e-ticket version of that. You can see the standards, you can see again that it has less information than the previous one, but again the code has lots of stuff that's useful to get out of a machine. So here is the attack vector, all in the machine that we previously showed; we can do the following: We will have a traveler going to the kiosk scanning his ticket. We have malware on that kiosk, the point of sale malware that we're going to discuss more about later. It has RAM scraping capabilities, so whatever is in its RAM is ours. What we're going to do is we can display that information and maybe clone the ticket if we want, so we can get through the tax-free area and get some alcohol. So, okay, two things that are here: the first one is that we need malware to do these, and then we need an application to do the duplication or other stuff that we'll explain later.
The malware must have full capabilities, as most malware must have, and perform the RAM scraping that we talked about before in order to get every ticket that was scanned before. And what else, maybe exploit the webcam and get some picture of the guy scanning so we know who he is, and of course to do so you have to hook the barcode scanner so you can synchronize the picture taking, otherwise you're taking random pictures, and it may have the ability of getting commands through a QR code, so it would thus scan a specific QR code and get money out of the machine because we can do that. And of course it would be great if you could have the connect-back process. Even if you didn't have that, we could give commands through the QR code again, so it's fine.
So we would go through the, yes, so the image capturing is harder than you think, because we have to hook and synchronize the code scanner with the camera, and it's not that easy because the RAM scraping thing works asynchronously; it runs like every two hours and gets all the information, so you have to just have them in place and then combine them to see who was scanning at a specific time. It has some drawbacks, so most of them will have to do with timing, correlating images with travelers' data, and of course when you create files inside the system you might get noticed easier than without doing so. So it's mostly detectable, but you can actually do that.
I believe the most interesting part, and it's what characterizes this attack as a point of sales attack, is the RAM scraping feature. So you have 3 things you do in the point of sales attack. You extract the RAM of the process that you want, probably the bar code scanner. Also it's interesting to attack the explorer process, and you should do it periodically, around every two hours maybe, because it's a time-consuming process, so you can do it every 5 seconds. And the second thing you do is you search, you search for the string that's interesting, in our case the QR code with your traveler's information, so with the code inside RAM you are looking for specific values which are fixed sizes, specific values, which are specific in our case; using regular expressions you get the information. Sometimes you'll have false positives, but get them too because you can, you know, clear things later, and you store them.
And the third thing is the exfiltration. It's a bit harder, because if you have connectivity it will send back to you; try not to get caught. And if not, you just store them locally and you go there physically and send a command through the QR code, and it brings back all of the information you needed. You get them by some, you know, maybe scan them again or write them down or whatever.
But you know how it looks when you do it through Volatility, dumping the process, getting the information; this is from a real machine and a real process scanning a ticket, and you discard what's not useful and you get what you want out of the machine. And the third thing that we want our malware to do is get commands from Aztec code, so you scan a specific QR code and then do stuff like, for example, turn on and off the image capturing or exfiltrate a specific thing, or maybe send someone a few commands if you wanted to, so that's another thing we want our malware to do.
So we have, on the one end, we have the malware standing by on the machine that we hack, and then we have another tool, that's a multipurpose tool. You can use that tool in order to do two or three things. I'll explain. It works again, it's on Android mobile, you will get that material after the conference, it supports PDF417 and Aztec code, and it has 3 modes. The one is in order to duplicate stolen tickets. And the second, the PenTest one, is the most interesting mode: it is fuzzing the barcode, and I will explain later. And you could use all your favorite commands that you can store in the text file and load into our fuzzer, I'll explain later, and attack the barcode. And the malware command mode, where you would send commands through the barcode to the malware installed on the kiosk. So the duplicator looks like this, and we use it for impersonation reasons. So you want to create the ticket, like this, so you input their information and you just create another ticket, then you go to the check, you show your ticket, it's valid, it's from another guy. Try not to use a woman's ticket if you are a guy, and probably you will go through that first check and get that free booze. More information about the fuzzing.
For the fuzzing we have 4 kinds of fuzzing: we have string, integer, random string, predefined; you have all the SQL and XSS in there. It won't actually work in other systems, but it works and crashes other systems, so it's pretty useful. You should try that, download the application and do your own research if you want. And how the fuzzing works: down there is the ticket you had. You just place where you want the files to be and then you start. It generates bar codes every five seconds. You can set your own intervals, because QR code readers have different intervals depending on what you are attacking. This has generated QR codes attacking the QR code reader. You can stop it at any time, copy the code and use it later, and then stop it and go one by one at your own pace in order to test the system better.
So, and the last one is the commands to talk about. So you can choose what commands you want to send. You actually send dump RAM commands and you can perform network scans, so you can actually set on and off the image capturing thing, or you can cash out money, depending on the command you want to send. The way you do it is you click the command, the command is enabled through the mobile application, the malware is running on the machine you want, and I'm sending, let's say, the last scanned person command, and the malware responds back with a pop-up window: this is the guy, this is his picture, this is the data.
So, closing, what you should do and what you should not do, or what you should do, especially for those manufacturing jobs like this. You should use strong passwords to access the point of sales devices. You should keep your point of sales software up to date. This is the most important thing. You should not use buggy software. You should use firewalls to isolate the point of sales production networks from other networks on the internet, and it's a good idea to have an antivirus there, not that it will identify all malware running, but probably some would. Limit access to the internet if possible and disable all remote access to the point of sales system, and one good idea is to check both the hardware and the software running on the kiosk and not separately. You should check them as a whole. This is very important if you want to identify more and more attack vectors for the system and keep it secure. So this is all from me. I don't have -- you want to talk more about?
>> Yes. Furthermore, just another point: you have a lot of, uhm, in all the airport a lot of kiosks like that provide free internet access, or they give you some functionality to have in the airport to play games or Skype talk with your girlfriend and do stuff like that.
If you can imagine, if the attacker can own these machines which are on the same network, how much time will it need to get deeper into the airport network? Okay, because it's not a fact that you can just attack all the passengers or the machine surfing the internet who put in the credit cards. It's not only that. It's the fact that having an attacker being there for an infinite time, that means there will be a case that people go deeper into their network, and that means a real threat to the airport.
Furthermore, we have another room next to us here where they are developing router exploits at the moment, so I don't know if the router that's on the file is not enough. So the best solution for these kinds of problems, if you have in a network kiosks that provide user services, the best solution is to physically have different internet lines, different equipment, for this type of information from the airport.
>> Furthermore, I would like to point out that although this attack seems random, it can get more specific and more personal if you want, using a little bit of social engineering. So from what you see here it's like, okay, I would like to say you are attacking random strangers that are traveling but you are not liking this specific person that you want to get information from. Well, it's not true if you get some social engineering in that, since you own the machine. And most of the people traveling would probably think it's a safe machine to use, and we can run anything on that. I could run a campaign like a phishing campaign on that machine and then go around to a line of people waiting to get their ticket; one of them is the guy that I want to attack. And I will be like, oh sir, you are traveling? Here is a QR code you can use on that machine and maybe get free wi-fi. All you have to do is scan this code and your ticket and you will get free wi-fi.
Even worse, I would be like, you get some free money.
>> 50 bucks.
>> So he would be like "oh cool guy," but I get information. Yes, it seems random, but it's not that random if you own the machine and people trust the machine. You can get them to use a machine, you can get that machine to work for you in your favor, and you will get what you want. It's not at random. It seems random but it's not. That's all from us. Do you have any questions?