Defcon 20 Skytalks: Jukebox Jacking
This is a Defcon 20 Skytalk presentation about hacking jukeboxes. For more information see
  • Transcript

    • 1. Jukebox Jacking
        • Hungover 303 OMG FTW! Version
    • 2. Jukebox Hacking Overview
        • Start with the conclusion
        • Define the target
        • Mobile hacking
        • Radio Hacking
        • Hardware Hacking
    • 3. Who are you why are you talking to me?
        • Mark Manning @antitree
        • Intrepidus Group
        • Mobile
        • Rochester, NY: Interlock Rochester, Rochester 2600, DC585, TOOOLROC, BSidesROC
        • KD2ACP
        • Drinking problem hobby
    • 4. JustBill
        • [not JustABill] JustBill @justbill6942
        • I’m the Data Center manager for my company.
        • Rochester, NY as well. Interlock Rochester, attend 2600
        • KC2YPJ – General
        • New Papa
    • 5. What this isn’t so get over it
        • This is not an Information Security presentation, it’s a hacking presentation
        • You will not feel safer or in control at the end of this presentation
        • I will not be applying for any DARPA grants with this information
        • I will not say the word “cyber”
    • 6. What this is
        • The answer to “Has anyone ever looked into hacking that jukebox?”
        • A reminder to hack all the things. All of them. Yes even that thing.
        • Introduction to mobile, web, hardware, and RF hacking
    • 7. Here’s the meat
        • Yes that jukebox you see is hackable.
        • It has a mobile app that lets you MiTM song requests. I’ll show you what you can do
        • There is an RF remote that controls the jukebox but it has a default PIN code.
        • We can improve the remote to make a Juke Box B Gone
    • 8. Jukeboxes and The Mafia
        • The Mafia have had control of vending machines and juke boxes since at least 1930
        • Coin money was laundered with dirty cash
        • Mobsters just coming up would pick up the cash from juke box routes
        • In the 40’s and 50’s all the jukeboxes in NYC were run by the Mob
        • Maybe those same people run juke boxes today? Who knows
    • 9. JukeBox 1.0
    • 10. JukeBox 2.0
    • 11. The Mobile App
    • 12. Function Overview
        • Plays songs remotely
        • Accepts credit card payments
        • Keeps track of song history, social networking, blah blah blah
        • Credits + location = Play
    • 13. Playing songs remotely
        • You sign in
        • You check into a juke box location
        • You add credits to the jukebox
        • You play the song
        • A message is sent to backend servers
        • Backend sends a push notification to the juke box to play your song and collect money
        • Bar collects 50% of the money, vendor collects 50%
    • 14. Hung-Over Version:
    • 15. Android Network Analysis
        • MitM between your device and a remote host
        • Current Favorite method: Proxydroid + BurpSuite
    • 16. Playing songs remotely: Network Analysis
        • Credentials are sent over SSL to web backend
        • Server replies with a session identifier
        • Searching and playing songs are all done over HTTP
        • When playing a song the following parameters are sent:
            – Session ID
            – GPS coordinates
            – “Call_key”
    • 17. Replay
    • 18. Profit?
        • MiTM + Replay = Repeat play
        • You play the same crappy song that someone else just played
        • Lame.
    • 19. Call Key
        • Call key verifies that a request has not been modified in transit
        • Generated by taking all of the parameters passed in the HTTP request, appending a secret key (salt) and the timestamp
        • If this value is not the same as what the server expects, your song will not play
    • 20. Making The Call Key
        • Reverse the app
        • Extract the call key code
        • Make my own script to generate that code
        • …
        • Profit
    • 21. Android Reversing in 30 Seconds
        • APK (ZIP) – use APKTool
        • Dalvik VM (DEX) – use Dex2Jar
        • Java Byte Code (JAR) – use JAD/JDGUI
        • Pseudocode – almost the original source code
    • 22. Reversing
    • 23. Modify in Transit
    • 24. Profit?
        • MiTM + Replay + Call Key Creation == Traffic Manipulation
        • You can change someone’s song request to any other song
        • It will say that THEY played it
    • 25. Sessions: how do they work?
        • Question: Name some common misimplementations of session management
        • Hungover version: Should sessions expire?
    • 26. Steal Credits
    • 27. Profit Redux
        • MiTM + Replay + Call Key Creation + Session Fixation == Playing any song at any time
        • Play a song without them being there
        • Makes it look like they played it
        • Reusable, over, and over
        • They can’t do anything about it!
    • 28. Remote Attacks
        • I wish I could Rick Roll someone when they get to the bar
        • The problem is that you can only play songs when you’re near the Jukebox
        • Based on your GPS coordinates
    • 29. GPS Spoofing
        1. Android app: FakeGPS
            – Android allows you to spoof your GPS location as a development feature.
        2. Modifying parameters: lat=xx, long=xx
    • 30. Profit Redux Directors Cut
        • MiTM + Replay + Call Key Creation + Session Fixation + GPS Spoofing == Playing any song, at any time, from anywhere
        • 3000 Mile Rick Roll?
    • 31. DEMOZ!?
        • This will never work..
    • 32. Mobile App Summary
        • Successfully stop people from playing Bon Jovi
        • Steal people’s song requests
        • Rick Roll your friends in any city
        • Script: Done. Just ask for it
        • Questions about mobile before we move on?
    • 33. The Remote
    • 34. How I got involved
        • I attended some local 2600 hacker thing.
        • Antitree knew I knew something about radios.
        • I like scanning radio freqs, and got into HAM radio as a result.
        • I know more about HAM than I know about ISM, so forgive me
        • I like to drink and play with radios at the same time. So it was a good fit.
    • 35. The Power Of The Remote
        • Adjusts volume (shhhh!)
        • Pauses
        • Skips songs
        • Adds free credits (<<What?)
    • 36. Remote and RF
        • Remote operates on 433.92MHz FM FSK or 27.145 AM ASK
        • Supports a PIN code to set which remote controls which jukebox
        • There is a default PIN code!
    • 37. Possible Attack Vectors
        • Record and replay the remote’s RF signal (In general)
        • Record and replay the remote RF signal using a smart phone and an HT
        • Generate the same RF signal and send to the juke box (Juke Box B Gone?)
    • 38. Who’s your friend? The FCC
    • 39. The right tool for the job. $20 SDR Radio
    • 40. USRP
        • Universal Software Radio Peripheral
        • WBX, 50 MHz–2.2 GHz Transceiver, 100 mW output.
        • Thanks Intrepidus Group!
    • 41. USRP
        • Who would bring a USRP to a bar?
    • 42.
        • Successful record and replay attack!
        • We can now emulate a remote control … but it requires a USRP
        • WFM!!!!!!!!!
    • 43. Thing to be observant about.
        • This part of amateur band is shared.
        • HAM license does not allow you to do this
        • It’s the equipment, stupid. Type approval.
    • 44. RF Review
        • We know the freq
        • We know the modulation
        • We don’t know the data transmitted yet
        • We can record and replay a signal
        • Narrow FM Fails
        • WFM seems to be the key
    • 45. With a big enough antenna..
    • 46. The Whole City?
    • 47. Hardware Hacking
    • 48. WARNING!!1!
    • 49. Step One: Stop Scaring Patrons
        • Couldn’t keep going to the bar (you’re welcome, liver)
        • $40-$80 to authorized juke box vendors
        • Game over
    • 50. The End.
        • Adjusts volume
        • Pauses
        • Skips songs
        • Adds free credits
        • Game over!
    • 51. Hynix IR IC
        • Designed for IR remotes
    • 52. Lolz…Newb…
    • 53. Data Transmitted
        • Sync: 0101101
        • PIN Code (0-255): 00000000
        • Button Press: 01111000
        • Bit Flip: 10000111
    • 54. Remote: Hardware hacking
    • 55. Remote Review
        • Know the frequency (433.92MHz)
        • Know the modulation (FSK)
        • Know the data being transmitted (4 bytes)
        • Now what?
    • 56. Juke-box-b-gone
        • Wtf…
    • 57. Remote Status
        • Mess with juke boxes by buying a remote
        • Emulate a remote and control a jukebox using a USRP
        • Send an RF signal using an Arduino
        • Generate the RF signal and create a device (Juke Box B Gone)
        • Open source the hardware and watch the havoc?
    • 58. Who has one of these?
    • 59. Skytalks/303 Badge
        • Plays chiptunes
        • Is a breathalyzer
        • POV messages
        • Transmits STDs when you come in proximity with another badge
    • 60. Technical Details
        • PIC board
        • RF IC
        • Transmits on 433MHz FSK
    • 61. 303 Badge Jukebox Edition Jukebox B Gone Dong
    • 62. RF and Hardware Questions?
    • 64. Juke Box Review
        • The Mobile app allows us to mess with people’s song requests, steal credits, etc.
        • We can fake a remote signal
        • Thanks to 303 and Skytalks, we can make a Juke-Box-B-Dong
    • 65. Near the airport…
        • Coyote Ugly
        • Cathouse
        • TGI Friday’s
        • Slice of Vegas
        • Goodtimes
        • Murphy’s Law
    • 66. Special Thanks
        • Dan Meehan @meehan23
        • Pee
        • Jason Ross
        • Robo Alex
        • Corey Benninger and the Intrepidus Group
        • Rochester 2600, DC585
        • Interlock Rochester
        • 303!
    • 67. Thanks! @antitree @justbill6942 Antitree.com @meehan23 << friend him!
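
Slides 16 to 27 describe three server-side gaps: a call key built from a secret that ships inside the app, requests that can be replayed, and sessions that do not expire. The following is an added example of a backend check that closes them, not code from the talk or the vendor; the class, field names (`ts`, `nonce`, `song`) and time limits are assumptions, and the per-session key is assumed to be issued over the TLS-protected login.

```python
import hashlib
import hmac

MAX_SKEW = 30          # seconds a signed request stays valid (assumed policy)
SESSION_TTL = 15 * 60  # session lifetime in seconds (assumed policy)


class RequestVerifier:
    """Server-side check for song-play requests (hypothetical backend)."""

    def __init__(self):
        self.sessions = {}  # session_id -> (per-session key, issued_at)
        self.seen = set()   # (session_id, nonce) pairs already accepted

    def open_session(self, session_id, key, now):
        self.sessions[session_id] = (key, now)

    @staticmethod
    def sign(key, params):
        # Canonical form: sorted key=value pairs, keyed with HMAC-SHA256.
        msg = "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def verify(self, params, tag, now):
        sid = params.get("session_id")
        if sid not in self.sessions:
            return "unknown session"
        key, issued = self.sessions[sid]
        if now - issued > SESSION_TTL:       # sessions must expire
            del self.sessions[sid]
            return "session expired"
        if not hmac.compare_digest(self.sign(key, params), tag):
            return "bad signature"           # modified in transit
        if abs(now - params.get("ts", 0)) > MAX_SKEW:
            return "stale timestamp"         # old capture
        if (sid, params.get("nonce")) in self.seen:
            return "replay"                  # same request sent twice
        self.seen.add((sid, params.get("nonce")))
        return "ok"


def demo():
    v = RequestVerifier()
    key = b"constructed-per-session-key"     # constructed sample value
    v.open_session("s1", key, now=1000)
    req = {"session_id": "s1", "song": "42", "lat": "43.16",
           "long": "-77.61", "ts": 1005, "nonce": "n1"}  # constructed request
    tag = v.sign(key, req)
    # fresh request, exact replay, altered song, late replay, expired session
    return [v.verify(req, tag, 1006), v.verify(req, tag, 1007),
            v.verify(dict(req, song="99"), tag, 1008),
            v.verify(req, tag, 1100), v.verify(req, tag, 5000)]
```

Signing does not make the client-reported `lat`/`long` values trustworthy; it only ties them to the session that sent them.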