
um these badges are awesome but it's hard to walk around cuz they keep smacking me um so this is hacking non-traditional systems by Louis Santana that's me uh I go by connection I prefer connection actually surprisingly a lot of people are called Louis and it's really really weird when I like someone calls someone else and I look around um I've met a lot of you guys you guys are cool uh probably as connection so shouldn't come as a surprise I guess and that did not CLI in the slid all right so uh who am I I'm an independent security that got cut off uh independent security researcher um just kind of do my own thing and hang out I'm
a security consultant at Accuvant Labs man there's some weird lines on this screen is it just is it the projector okay um so uh I'm a security consultant with Accuvant Labs because I like to get paid to hack things it kind of works pretty well for me I'm a newbie hardware hacker newbie got cut off somehow um there's some people in here that were like hacking the badges and I was like no I can't do any of that um I don't know I'm I'm not the biggest electrical engineer guy on Twitter I go by hacktalkblog so you've probably seen me retweet things or like yell at people um that's my favorite pastime and on the general
interwebs I go by connection so what's the point um the major point in this talk is that physical security sucks um a lot of these hacks are pulled off simply because due to the very nature of what I have called non-traditional systems uh you have to have that user interaction you've got to have that physical security uh that physical availability to your clients and it's it's often an afterthought as I'll talk about and man if physical security would just step their game up a bit a lot of these hacks would be inefficient and I wouldn't be giving this talk today so I guess thanks for crappy physical security um so yeah the big problem physical security if you
can see here um here I'll go on this side uh there's a lock a lock box something important but like with this really really really really really bad like electrical tape they made like a keychain with and here's a key that goes directly into that lock I hope that's not Mission critical um accessible USB ports there's no reason no reason uh why you should ever let a consumer plug their USB port into your machine it's going to end badly except for the hacker so let's talk more about physical security it's rudimentary um often a second thought and quite honestly in a number of occasions it's completely non-existent um um rudimentary in that like it might be like a really bad lock
and like like two pins I've seen two pins in locks to cash boxes not smart come on guys uh it's often a second thought I look at a lot of these machines and I'm like oh it's it's really like locked down from a software level from a network level but I feel they just like slapped a lock on it and called it a day for physical security they were like oh a lock it's good enough we won't even bother testing the lock or making sure it's a good lock and it's also like I've run into things where it's completely non-existent I've uh I've tested self checkout units where there's like latches that look like they're locked and it's got access to
various parts of the machine you walk up you move the latch a little bit to left and oh it's not actually a lock it's just a latch uh it's opened up and you got uh access to the guts access to a bunch of fun stuff and so that that's why I say like it it seems like it's a second thought like had they been thinking it through hey we've got this storage area we're going to put a bunch of stuff maybe we should put a lock nah no one will ever open that thing uh so with these systems there are a ton of common vulnerabilities like you will see the same vulnerabilities over and over and over it's it's almost
nauseating how how prevalent they are um but some some key points from this are that devices within the same manufacturer or even within the same product line often like have a ton of code reuse or like a similar form factor design and so if you find a physical flaw or a security flaw in one of these things they don't know that it's vulnerable so they apply it to all the things which causes problems because uh if you manage to get your hands on one bug you can spread it along their entire product line and own them each and every time pretty reliably they're highly trivial um and this includes like breaking out their kiosk software or like
even just some of the hacks you can pull off um like I I've seen really bad things where like they're running really old school War-FTPD uh on their box and you're like wow really there's an exploit for that in Metasploit that everyone knows about and that's not hard at all um so and you'll see that because they they've never had the like they don't see them as a non-traditional system which is like um I guess I should have defined that earlier uh sorry but a non-traditional system is uh a network connected device which you're not seeing as your typical computer so like if this projector was connected to your network uh I I like
I'd want to hack that because your projector is probably not that secure but it's connected to your network so if I can pop that I can start scanning your network and attacking you uh so this includes things like kiosks vending machines um self checkout units like damn near anything you'll see in a store that's plugged in lets you interact with it and have fun those like uh those little like cell phone charging stations I've taken a look at some of those and stuff um so yeah like a lot of these things are highly trivial it's easy it's easy to hack these things cuz no one's out hacking projectors or like cell phone charging stations um a lot of
them use plaintext communication uh this is both on the hardware level as well as like the the software and network communication level so like on the hardware level you're looking at things like just your typical stuff like I2C and um and UART but they're not uh applying any encryption along the way so uh if you're able to get get your hands on the actual hardware guts you can often like man in the middle some of that and steal some information off the wire um but a lot of them I've also seen call backs to web servers and they're not even like HTTPS it's just like plain HTTP protocol talking to web servers you
can sniff that in line and uh and see what's going on and we'll see that a bit more later on there it's easy as pie to to own these things like I was saying earlier it's highly trivial it's a lot of old techniques on new devices uh so I mean I I see bugs like MS03-whatever on on some like device that was made in 2012 and it's just because they're running legacy systems a lot of times it's really common for these devices to be running things like Windows XP SP0 or Windows XP Embedded or like really old Linux versions so you'll you'll notice that like you've got this treasure trove of like bugs and
techniques that you use like in years past and you can reuse them and it's almost like like reliving the golden era all over again like yes it's actually worked um I've seen devices where like there is no /etc/shadow file because it's so old that it only uses /etc/passwd and like just just really crazy stuff like that um oh my God 0day everybody likes to have like zero day exploits and um these devices will have a bunch of those and even if it's not something you've seen before it's it's really easy to find out uh whether it's like a call back to a web server that's like vulnerable to file inclusion or or if like there's a race condition in the
login screen that you can bypass and become the admin regardless um the kind of things that I find like 90% of the time don't require a ton of skills so it's kind of fun and electrical engineering skills are not needed when I first started doing this they're like oh it sounds like what you're doing it's called hardware hacking and I was like oo hardware hacking that's that's kind of a good name for it and then I like Googled for like hardware hacks and I was like oh like obviously you stumble onto stuff like uh like Hackaday you're like man these people are like getting down in there like hacking away super n's and like making them super
cool like I'm way too Noob for that I'll never be able to do this in my life I should just give up now but uh I've picked up some skills as I've gone along but in general I've noticed a lot of these skills aren't down low on the hardware level you can definitely get that low and like extract the firmware of of the device and start looking at bugs in its operating system but a large chunk of the bugs uh you're just going to find just in the UI because their UI has to be really uh it has to have a lot of functionality because they have to have users using it all the time it has
to be inviting and that often uh takes precedence over securing it as long as it looks pretty so I was talking about some of the uh the plaintext protocols earlier so when I got into this I was uh I was looking for a way to interface with like a ton of serial protocols so that if I had to go down to the hardware level I could and I was like well maybe I can use my Arduino for this this and I started working on it and it was fun but it was hard and then someone said hey dude you're an idiot the Bus Pirate's 30 bucks and it already does this so I went
and I bought a Bus Pirate and it's that little red thing right over there um very similar to an Arduino in that like you can uh you can program it over USB to make it do different things or you can even just like completely interface over it and uh just through USB and do a bunch of really fun stuff and it has a bunch of like the the standard serial protocols like I2C UART JTAG SPI uh FTDI just basically everything under the sun uh they're they're super common and it allows you to do a lot of things like really easily like um earlier today we were like hacking away at the badges and one of the people I
was hanging out with was like man I really wish I could uh sniff like the U what was going on over USB to see how it's sending this information well with a Bus Pirate had we had I brought mine we would have been able to plug into it and they've got like sniffers for almost every one of these protocols so you just like and it's a macro too you're just like M1 and it starts sniffing like it's it's not hard at all super easy to do and uh yeah and just like sits there and lets you know all the data that comes through so it makes makes life really easy especially when uh I was actually
on a gig and we had hardware level access and I noticed that when a credit card was being swiped it was being encrypted further down in the hardware and so I I found a live trace I plugged into it and uh I actually sat there with my Bus Pirate swiped the test credit card and saw my credit card information in plain text uh I then did that did that again further down uh where I assumed all the encryption was happening and then it was like it was gone it was all encrypted and jumbled and just completely useless but had I been a criminal I would just like I would do something where I would solder onto that
live trace and start collecting credit card information that way so you start to really see some some of the underlying issues with uh on the hardware level when you start poking around with it uh poking around at it with things like the Bus Pirate so I've kind of broken non-traditional systems up into a couple different categories and these are just the most common that I've seen um like these are by far the most prevailing kiosk like systems oh my God they're everywhere they're in airports they're in hotels they are um like in stores I've seen a couple of them just like so much so much craz about kiosk they're everywhere um I like them a lot because
they're really easy to hack and uh I like things that are easy to hack so here's kind of like some of the criteria and things I see with with uh kiosk kiosk like devices they're often touchscreen um hell we've had touchscreen kiosks before we had touchscreen telephones um it's just like that was their signature thing can oh you can walk up to it at an airport and check your flight information or print out your uh your boarding pass um so just kind of touching away having a good time USB for the win these things have USB out the Yahoo uh just start looking around for them and you'll see USB ports everywhere that they shouldn't be exra only facing
um there's like they almost like except when you're dealing with Linux systems I'd say and even sometimes then uh like they run as local administrator so like as soon as you break out of that kiosk thing that looks all nice and pretty you have administrator access on that box you can run whatever you want start your Bitcoin miner make them join your botnet uh do whatever you want to do uh even just like rm it and just be like a figure it out um there's hidden menus on these things and that's the coolest thing I found out like oh yeah I can break out and run commands but there's like hidden menus to let you do really
funky stuff um so like I I'll be showing an example of a hidden menu later on but I've developed a technique for finding hidden menus besides just like poking all the corners like crazy if the company has their logo on the kiosk um just like bash away at that logo and like nine times out of 10 that is where the hidden menu is and it's used for stuff like employee login or whatnot um but it's really cool when you see that little box pop up and you're like yes uh it's easy breakouts if they've got a keyboard you can like often times break out using their own keyboard or if if you do unexpected things to their user
interface a lot of times you'll you'll crash the user interface and just be dumped back out into a Windows uh environment and like start poking around doing cool things um if you've got USB access plug in a USB keyboard and it's game over uh at like 99% of the time I've done that I've broken out of the kiosk and destroyed it um often Windows XP and there it's really prevailing to have PXE booting on these things um I guess let's show of hands who knows what PXE booting is all right cool almost everybody so here's the cool thing about PXE booting Metasploit has a module already built in that will uh listen for PXE
booting and serve it back up a malicious image where it adds you as an administrator so basically the attack is like this you sit there with a here I've actually got one with a network tap of some sort or like use a switch or however you want to do it here's a network tap to just kind of let me sit in line um I got this one from the Hak5 people so shout outs to them um but yeah so like you sit down there with your computer and you run the Metasploit mod module and then you like yank the power cord out of the kiosk and you plug it back in and then you wait for it
and by default it's like booting up by PXE it sees uh the Metasploit server that's like hey I've got this PXE image owned uh it's really that easy when I discovered that I was like mind blown this is the easiest hacking I've ever done and it's so cool like forget all your protection you just got owned I don't care how strong your password was cuz now I'm an administrator on your box so kiosk like systems um like other systems but probably more than the others have accessible USB ports which was another really bad thing to have USB ports should be hidden customers don't need them and you shouldn't leave stuff around that's USB accessible so
um I guess it's the first time I do this uh does anyone have a legitimate reason why you should like why you would ever have a customer plug their USB drive or keyboard or mouse or anything into your device photo so that's the only one I've noticed right and amazing they've got decent security um I because because they've seen that they're like oh um that's the only one I've noticed those Juke boxes have USB I've seen some jukeboxes they not very popular I think Juke boxes in general are not that popular and DDR machines like there's this off brand of like DDR where you can upload your like songs and high scores those the only
reasons like that's the only thing that even makes sense to me and yet I've seen even ATMs with USB ports like what why so you can put my receipt on my flash drive like I I don't knowes well yeah so for updates it should be on the inside of the Box you shouldn't really give it to your your your consumer like the text you have to come out open up the ATM plug in and do the updates um you shouldn't just like have them out um but yeah so you definitely don't want to leave things especially things that are connected to USB ports like keyboards uh this is in a self checkout unit I was uh testing it
and uh this is at a live store we were uh make we found a bunch of vulnerabilities uh in their their line of self checkout units and then he said well I want to see if these uh cuz it was in a lab and he was like I want to see if these affect our real units so we went out there and the first thing I did was like I opened up the latch and B there's like a USB keyboard in there and it may not seem that important but a lot of our breakouts and attacks depended on USB keyboard and out in the field they had actually covered up the USB ports normally you could like lift the screen
tilt it back and you would see the USB ports they had a metal plate over that and so we had no USB access but uh as soon as I opened that latch I saw the keyboard I was like I wonder if it's plugged in I broke out of the kiosk cuz it was plugged in and then like just started uh attacking their their payment card uh network from there kind of proving that like it's got visibility into that cuz it has to cuz it's uh it's doing transaction data and uh and yeah yeah and so it's really bad to the point where they had like a nationwide uh like check to see if there was keyboards under there and uh I
retested them this year and there's no keyboard so they did a really good job um but yeah so don't leave things it's it's too easy I know it's for a convenience thing for like the next tech that comes out but if it's convenient for a tech it's convenient for a hacker so I gave this talk at BSides Seattle I want to say and someone had to make make me look bad um I was like there's no legitimate reason and I I had addressed the original things uh like oh yeah like photo printers this that and the other but I was like I TR that there's no reason like there's no reason for for consumers to have it and so I go
to the Seattle Airport and I'm waiting to fly back home to Orlando and I see this thing it's like the Digiboo um I won't even talk about how bad this thing is like it's got open Wi-Fi and you can just like connect to it like that's that's a whole other talk in and of itself um yeah there's like two USB ports and they're right next to the credit card reader so I was like oh this is this is interesting um I asked really really politely to the uh to the airport if I could like poke around if they had it in the lab and sure enough they did so they let me poke around and I plugged in my USB and I was
kind of goofing around I I noticed that it mounted it so I like that's cool then I plugged in my keyboard broke out of the kiosk software not only stole all the movies they had on there but also uploaded my own uh movies that were just like a troll face going troll over and over again to every like I just replaced every file with that and uh and sure enough I went and like I even I I feel stupid for doing this but I paid for a troll of LF face I knew I was going to get but uh best $20 ever spent um but more importantly it um there was there some really bad weaknesses with these USB
ports in particular and uh long story short like it's really flimsy in this area and you can break off from the USB ports and it's so close to the credit card reader I was actually able to interface with the credit card reader and see data come through um yeah no bueno it's not the it's not the stealthiest of hacks but it definitely was interesting like they were standing there kind of freaked out that I was reading credit card information and they uh I'm surprised they didn't pull it I flew through Seattle recently I saw this thing so I was like I need free Wi-Fi I'm hop on that Digiboo so if you're ever in Seattle SeaTac
airport need Wi-Fi Digiboo all right um vending machines vending machines are awesome I love hacking vending machines because it typically means I'm going to get some kind of free merchandise free food free coffee free something free money is even better but um yeah vending machines oh how I love them oh a so very much so the big things with vending machines are debug codes um to allow people to like check how much money they've made off the vending machine or like adjust sales or prices a bunch of different things um this one's kind of popular like with especially with old school Coke machines like the 4231 thing where oh my God and then it got on the internet so they like they made that
completely useless but it's still kind of cool to show your friends like hey watch this bam bam bam um they have limited security cuz who the heck's going to hack a vending machine right um but uh so like they've got decent physical security but even that's lacking a lot of them will just have like a a seven pin tubular lock and you're like oh really okay I'll just go buy a pick for that and I'll be through that in two seconds um there's no encrypted swipe um I don't know if this is like an actual term but basically when you swipe your credit card it doesn't encrypt it in the reader it encrypts it later on in the hardware
which means like the hack I was talking about earlier if you're able to tap into that reader you can read it before it's encrypted and then happy happy fun times um there's uh despite the fact that they take payment card uh information their uh businesses are not required to be to have their vending machines tested for PCI compliance because um they either use the the cellular network using like a CDMA or GSM so they're like oh that's secure like right what was that like GSM is even secure yeah like exactly but they're like no it's on its own network and like no I I'll set up a femtocell and sniff all this anyway um or they use Wi-Fi I've
only seen one vending machine that I was actively trying to hack that use uh cuz none of them really like broadcast out their SSID but only one of them used encryption and it was WEP so doesn't matter woo it's going to take an extra 5 seconds um so it's like it's on just open Wi-Fi so you can hop on that and do all sorts of nefarious things Kismet is your friend there when identifying those access points so I was talking about debug codes hacking vending machines is no longer just about like 4231 uh there's like physical hacks you can do this is one I found on 4chan that uh it's about buy one get one and
basically it's kind of hard to read these steps so uh I'll stand here I get read them so there's a lot of arrows and lines and those things are confusing but basically you put your money where the money thing goes um you select your drink with the drink selector things you immediately push on the door flap to block the drink on Bel so basically the way it works is on these newer machines there's like this slidy down thing and then it has another um like SL up thing uh so a conveyor what was that it's a conveyor it's like a yeah it's a conveyor yeah conveyor on Rails and then the conveyor goes up and then there's a
conveyor belt on on that yeah that way yeah so basically what they're doing is um they have a block here that allows the refrigerator to stay cold and then like that slides into another thing where you get your soda but if you like push it in in this case it's the green thing if you push down the green thing you can put your hand against the the sliding thing and keep it from opening um so what that does is it's like oh cuz the basic logic behind this is if this lever goes up or like if this lever gets pushed out then uh then there's a soda in in there and I guess it's a decent
way to think about it cuz if it's empty it wouldn't move so I guess that makes sense but they could have also just checked hey how much quantities is left in this spot cuz that they allow you do that from the debug menu but because they decided to implement it that way it's not able to open the door and it says oh I must have not actually grabbed the soda my bad and it goes and grabs your soda again it drops it to the bottom and it grabs it again so now you've got like two it's really cool when it when it works it's really terrible when it fails when it works out they'll like it's like
Tetris they line up perfectly when it fails it's like an atomic bomb just went off because like and not a good time so yeah that's a a really good way to to buy one get one sodas if you're into that kind of thing but it's these kind of these kind of vulnerabilities that aren't really looked into like no one decided to check their logic to be like hey what happens if there is a soda but they're like what happens if there's a soda and the machine jams and it can't open the door like no one decided to test that and I think this still works I'm I'm pretty sure this still works um actually they changed the design of machines now
to lock that door so you can't actually access it and block the soda from coming through um I've been looking for some reason I was looking at them this past few weeks and that's they changed the design specifically where you can't access that that's pretty cool but what happens if like I force it down I don't know so uh yeah so uh and like what he was saying they basically just they were like oh to stop this we'll just make the door not open like not be able to open until a soda in there but they didn't fix the the primary cause which is the fact that they're not checking for quantity before going and grabbing a
soda like that's even just more energy efficient like hey is there a soda here nope not even going to bother um but Coke and Pepsi and who else whoever else just wants to do it that way hacking's delicious oh my God I'm like I'm a pretty skinny looking dude but I have the like the fattest of inner fat man in me I love sweets I love dessert oh like I packed one of these things heaven um like that's a lot of ice cream to choose from for free and eat and call it a pentest I don't know about you guys like you don't even have to pay me I just got stuffed on this ice cream but
uh hackings i' I've gotten free coffee before that that was a cool pentest I got free coffee and like coffee for the entire office and like hot cocoa and um but it was really cool cuz uh one of the findings was that like I don't remember exactly what I wrote it up as but like what I really wanted to call call it was like coffee trolling uh you could change the recipes so you're like oh you want hot chocolate yeah 90% water like no milk no marshmallows oh you want coffee make it all decaf um so you can totally troll with people like if you just want to like mess with people for fun uh yeah
there's some really I think one of the hot chocolates I made was like straight chocolate like no milk no water just like gunky gunky mess I want to find a chicken nugget vending machine because chicken nuggets are Om Nom Nom delicious if you know of one please let me know please Japan man Japan so here's some uh here's some story time uh everyone loves stories this is the device that cried SQLi um actually some people oh yeah I have one question real quick you start making the on the pizza machine yeah that g up against one of I have not yet but I need to like I'm telling like oh cheese pizza with all the toppings same price that's
the only hack I need I need to go to japaner V yeah oh my God I would be so drunk so drunk but uh so this this is a device that that cried SQLi SQL injection uh some of the people in this room actually kind of worked with me on this uh there's there's this kiosk software in a lot of hotels uh we discovered it during DerbyCon and uh they had like if you went to DerbyCon last year they had these like mounted touchscreen things like directories and we were like huh LS knows how to do this kind of stuff let's mess around so um so we started like just messing around and I found like a
hidden menu this had other but it had a password prompt shortly after we like we come back to Orlando and we're hanging out and I get a phone call like dude this thing's like calling back to a web server and so I'm like all right I need to I need to see this now so uh I get sent over the details and I'm like man it's making a a SQL query I wonder if this thing is vulnerable so like one thing led to another and sqlmap um SQL injection like you see the database there's a bunch of fun stuff and then like I'm like well I wonder what they're doing so I start poking around a little
bit more and it's like oh username table or users table usernames passwords passwords aren't encrypted admin user password was admin win um I find the admin panel log in at this point I'm like I need to report this cuz this is terrible that this is even on the internet right now I log in and notice like the back end uh is like has a bunch of fun stuff and but it's nothing that I can really do that's like really cool I guess like let me check the status of their like 50,000 directories worldwide so that was kind of cool like oh like that's how large they are but I tried the same credentials on FTP and it threw
me to a different directory a directory that had their source code and their updates so that I could like oh this works out cool cuz there was an update portion of that admin panel so I now I can push out my update to 50,000 uh machines worldwide easy botnet um so like I'm like this is kind of crazy and like I go through the source code and their source code has like hard-coded passwords in it it's just like terrible like they had hardcoded information to their SQL database FTP server uh the default uh user and login for the actual directory system like this thing like couldn't have been worse like I I just I to this day I don't know how they could
have made it worse um but I report it and I'm like this is bad I don't hear anything don't hear anything don't hear anything so I'm like I'm going to reach out again maybe they're just a really busy company I haven't heard of them before but maybe they're busy email them again don't hear anything don't hear anything don't hear anything it's been like 6 months now I'm really not liking this company I decided to FTP back in can still FTP in can still access the admin panel can still make a really quick like Bitcoin botnet um they still haven't patched it as of today it's really bad uh that's why I won't disclose the actual vendor but what was
that NSA NSA maybe but um yeah this is kind of the stuff that you'll see like like really dumb stuff like making a a call to a MySQL database and like having the username and password of admin admin and just being really really dumb cuz they're like who's going to hack our wall mounted directory this guy cool story bro tell it again they say pictures are worth or yeah pictures worth a thousand words so I've got a couple thousand words for you guys that source uh I blanked it out if I messed up whoops um as up here it says the server ftp.com username password SK root path special FTP updates update path special FTP
updat common folder path blah blah blah this is an important but here's like where it installs okay I really got to make sure I didn't mess up here okay yeah so here's where it installs and um has all the information on that so I was like oh that that's kind of cool more Source SE server info there's SQL servers at SQL do.com user is DSi password is DS catalog is 44 I catalog is what they name their database by the way I don't know who uses that nomenclature but whatever so the admin info the user pin is 1 2 3 4 this is I don't think anyone ever guessed this thing this is legit uh the admin pin is
the admin pin was $196 and we we'll see where the admin pin's used for a little later on there's no default welcome logo um there's a timeout so like if you don't log in within 5 seconds it's like screw you I'm going home um yeah so that's kind of cool so what can we do with this hidden menus so this one was really easy bash L crazy right here um I actually noticed the same kiosk during my company Retreat out in Denver and I was like oh I'm going to have some fun time so I start bashing up here um so right down here you can see the Shon logo uh had the admin menu not been in
like one of those Corners like always go for the logo like Bam Bam and it'll work uh so I do this and I get presented with this screen I know 1196 and 1 2 3 4 doesn't work doesn't work I'm like a no default how can I get past this then I was like What if I do things that it's not expect so like what if I open up a menu and then close a menu and open another one really fast and do that for an obnoxiously amount of for an obnoxious amount of time it took a lot shorter than I thought after basically going like this oh I guess you need the other slide uh after basically tapping this
corner and pressing okay like five times I was like it thought that I was logged in that race condition um so then we get presented with this thing and like there's even a cursor up here which is kind of cool I didn't mess around too much with that but we get to like another hidden menu there's one two one through nine it's like I have no idea what this even means it might help if I was actually logged in I'm sure I shouldn't even be able to see this right now but I was like whatever five's in the middle that's a that's a good idea so I pressed on five and it gave me a bunch of options
like hey man this room's way too hot so put down the AC or hey this room is way too cold put up the AC I need AV assistance hey I'm just you know what I'm going to unlock this room right now this conference room it's cool it's it's fine don't worry about it I can order food food I can order beverages beverages I could like get a meeting I don't even know what a meeting specialist is and I can refresh the room which again I don't know what that is like they run around with Febreze or something five on the room yeah yeah they just F5 the room and then you're good right but so I did like a bunch of
really fun things like I unlocked all the conference rooms and like started having like parties and land like it was it was some really fun stuff and then I remembered that uh I remember that I wanted to troll people because that's what I love to do so what did I do I said well all the rooms already got the AC off cuz we're in Denver and it's like winter time I'm going to say it's still too cold in fact it is so cold you should crank the heater up to the max it is that cold a lot of sweaty people in
suits I don't Advocate trolling your company that's a great way to uh get promoted to
customer so what's next I got to research there's a lot of research uh it's kind of hard to like categorize like all the different things like I want to I want to test ATMs more I want to test voting machines because I want to pick the next president um by all by like one vote can count damn it when no one else can um uh I want to work with vendors because like I've hacked a certain vendor so many times where at this point I'm like dude uh I'm basically giving you free pentest testing and I kind of want to get paid for that uh and I want to help them patch their bugs like if
they're going to release a new product let me test it I'll make sure it's all right and then you can release it and then you won't have to hear from me in two months when I hack it anyway I have to develop methodologies like this is another issue with like the the the large scale of non-traditional systems like I can't really apply ATM hacking to a self checkout like some things might be crossover but like it's not going to work and I I can't really apply like hacking a little black box that works as like a proxy to hacking a hotel directory system like it it's hard to develop like spec specified toolkits and uh toolkits and methodologies uh
just because it's it's it's so much stuff uh to the point where I kind of like I've started developing a couple methodologies but my go-to methodology is what I call a kitty cat attack basically I don't know how many of you guys have cats show P actually who has cats you guys are all awesome um cats like to show their affection by like massaging you like kneading on you and so like they do this kind of motion so whenever I go up to a kiosk I just go like I love you kiosk I love you man and like a lot of I'll find breakouts like hidden menus that way like kitty cat attack it works uh but like that's not a
real methodology like today I'll be teaching you guys the kitty cat attack um just did that is 0-day none of you guys can use that so I need funding because like no one really wants to get their non systems test tested which means I need to go out and test these or like buy them and like do my own testing uh I've been looking into buying an ATM holy crap that's a lot of money like it might be cheaper for me to make my own business and then rent an ATM than it would be to just buy one flat out um kiosks are also pretty expensive especially when you get to kiosk software it's pretty proprietary stuff I
can't just go on like pirate bay and pull it down um like it it's it's hard to get your hands on it's expensive because it's it's a very niche market uh so dollar dollar bill y'all I accept monies and Bitcoins and litecoins um but uh in all seriousness though like it's it's hard like between finding time and money it's it's really hard to cover this all by myself so I hope that after this talk you guys all kind of want to hack all the things Kickstarter Kickstarter let Lewis hack things Kickstarter um chicken nugget vending machine hacker Kickstarter it's a new market um we kind of saw this blow up with mobile security right where they're like everyone's like
oh God cell phones are crap like they are like the most insecure thing ever well it's because for years before we never pentested them kind of like vending machines and kiosks and ATMs we never really pentested them so it's a new market to kind of go out there and do research and it feels kind of cool because like I was a '90s kid but I didn't really get into hacking until the early 2000s so by the time I was coming in like a bunch of research was already done like I didn't get to pave the way I wasn't a pioneer of hacking but like doing this I I'm one of the only people
I know of um that's like going after these systems so I'm kind of pioneering and doing my own thing and it feels cool to be able to give back to the community that like they kind of raised me I guess um yeah so it's it's cool it's a new market for both making making that money and uh and just research in general so oh man I Ed this pretty well um so any questions anyone about anything maybe even not related to the top yeah arcade machines like game things are are considered under the same category oh yeah a lot of those uh especially like stuff like Dave & Buster's where they take your card and uh and diminish
points and stuff on there hey oh you have two questions I didn't
that what was I holding network oh the network tap yeah here Daddy oh yeah there you go it's just like this theowing it's do you want it I've got like nine of them here you go yeah no problem was your other [Applause] question it on the TV look silly oh this guy over here yeah yeah president's lost thanks um getting back to your arcade machine question um especially things like that's blizzard she's awesome by the way I've been hanging out with her like all weekend she's amazing um you guys suck yeah free badge scor a land social
engineer um yeah so to get back to the arcade machine thing um yeah they're they're just as vulnerable and they're they're connecting to the networks a lot because they've got to have a server that says hey this ID is matched with this card and they've got this much money left on their card so definitely well I won't Advocate you going out and hacking them but it's right down the street yeah it's right down the street so I mean hey anything can happen what okay with that what about those like Golden Tee machines that take the credit card readers on them I don't think I've seen one of those you want to explain more golf games oh yeah dude I
would totally want to hack one of those things like those are definitely a hardware level thing just because there's not much to interface with but um I would love like if anyone knows a mini golf owner operator I don't know what they're called I would love to hack one of those things uhx uh like Network maxers you consider that to be one of your oh hell yeah dude like even if the even if the magstripe reader itself isn't Network connected if it's on a device is Network connected like cuz you've got to call back to a database somewhere right like you've got to do your logging or like your reading uh those are fair game like those are
not systems if I've ever seen one like who thinks about hacking a magstripe reader you know so oh sorry the mag oh they're in plain text IED yet all right there you go yeah like a lot of them like there there's an algorithm you can use to decrypt the cuz it turns it into sound and then it processes it but yeah you can totally hack them have you messed with the price scanners at like stores so the most common price scanner let me see if I can remember this uh starts with a I can't remember but I have uh I have messed around with it a little bit uh I have a buddy who works at a Target and
they like they had one that was kind of out of commission and so I was like can I mess around with it and he was like yeah go for it have fun um I've like broken their their admin menu uh it's really crappy like the password was like 1 2 3 4 uh I don't know if that's through all the machines but it was definitely the case in this and yeah it like to do really fun stuff like update prices and so that's always fun like get milk for 2 and they're looking at you like readers are also frequently their USB or PS/2 keyboard inputs and they usually not sanitizing all so if you have a
car yeah you can do stuff like like d I've seen uh ATMs where like they're dumped out into a Windows like environment with a command prompt open I'm like I want to know how the heck they did that so yeah I'm sure it's like something like that like a like a the reader had a bug in it anyone else oh yeah I would like to point out uh region B ATM windows at there you go so when are you planning your trip to Japan I actually I I want to go to Japan within the next year or two and if I do I'll probably never come back like they've got vending machines for everything used
panties that was my question I was going to ask if you're going to hack a used pting machine hey dude totally like I'll have all the used pants I can sell them on eBay and make a profit so it's a good thing the magstripes aren't like anything like gas pumps that have three or four Keys across the US that are you know plaintext so thing they can't be stolen there if you own a gas pump I totally want to hack one so um what about like vending machines that have like high value oh like the like the Best Buy machines um yeah yeah like so uh at the Orlando International Airport there's like a Best Buy machine and they're
they're all over but that's the most common one I see um proactive too the face stuff yeah proactive has the the face the the the same system Apple's got them yeah like so those things where it's like oh man I would totally love that $3,000 MacBook um yeah they're vulnerable too they're they're vulnerable as well and to a lot of these same attacks uh I wouldn't Advocate going out and hacking one but I can tell you that they're pretty easy to hack yes is there a way to hack like those like self redemption centers like you put a doll and you try to knock the thing over is there a way to hack that and you get like unlimited
drives um that might be something more on a hardware level or like you could uh mess with it so similar to that um what the Russians are doing in casinos like worldwide is they've built like a tiny uh EMP generator and they'll stick it next to the uh next to a slot machine and when the EMP goes off this brand or maybe every slot machine um it goes off it causes a short circuit and it jackpots the machine so suddenly they get like all the money so like that that attacks the hardware it's like a hardware denial of service so I'm sure you could do something similar like uh maybe not ex exactly similar but yeah
there's always like those weird bugs where like if you can cause the hardware to like freak out for a second like unlimited lives god mode status anyone else oh yeah not a question butam PL since at the end of the day um raffle tickets and spare badges are s for sale if you want a bad happy things yeah uh the spare badges are awesome cuz if you if you fry yours it sucks um and the raffle tickets we're giving out some pretty cool things there's a MiniPwner uh which is a really cool piece of equipment to let you hack all the things there's like books from No Starch Press that uh really good like Practical Malware Analysis
is in there Gray Hat Hacking like a lot of really cool books so and the raffle tickets are cheap so may as well at least try also going to help us do this thing yeah they they help us do it next year we try to do this as three as possible this year well yeah we have two lock we have uh two lockpick sets um one that comes with a bunch of stuff from serah pick and then a south or pick uh set which is a very quality pick set and they're actually located here in Orlando Florida um and both those guys have graciously donated that um the only thing with those is uh we don't actually
have them so we'll have to get your name and address uh if you would those and social credit card number your mom's maiden name P you know Street you grew up on any anyone else oh uh raffle tickets $2 or $5 for uh $9 for five tickets something else what was that the picture picture part of the raffle yeah um they have to be shipped to you cuz they're not here yeah um so just I like to give thanks to people in my slides uhe if they weren't able to be here um Patrick Fleming he's like uh he's been like a mentor to me he gave me my first non-traditional system gig where he basically told me hey go do this and I
said I've never done that he said listen I need you to think like a criminal can you do that and I was like yeah I can do this do what a criminal would do go get out of here um but I like that he threw me into the fire and I came out alive and uh a lot better for it acuant labs for letting me poke at hardware and like work on this talk cuz I sure as hell wasn't working on reports when I was working on this and uh and you for coming to my talk and hopefully learning some new things or laughing at pictures at the very least uh that's all I got so
thanks
guys um we're just going to gather ourselves real quick and we're going to