Jukebox Hacking: Overview
• Start with the conclusion
• Define the target
• Mobile hacking
• Radio hacking
• Hardware hacking
Who are you and why are you talking to me?
• Mark Manning @antitree
• Intrepidus Group
• Mobile
• Rochester, NY: Interlock Rochester, Rochester 2600, DC585, TOOOLROC, BSidesROC
• KD2ACP
• Drinking problem hobby
JustBill
• [not JustABill] JustBill @justbill6942
• I’m the Data Center manager for my company.
• Rochester, NY as well. Interlock Rochester, attend 2600
• KC2YPJ – General
• New Papa
What this isn’t, so get over it
• This is not an Information Security presentation, it’s a hacking presentation
• You will not feel safer or in control at the end of this presentation
• I will not be applying for any DARPA grants with this information
• I will not say the word “cyber”
What this is
• The answer to “Has anyone ever looked into hacking that jukebox?”
• A reminder to hack all the things. All of them. Yes, even that thing.
• Introduction to mobile, web, hardware, and RF hacking
Here’s the meat
• Yes, that jukebox you see is hackable.
• It has a mobile app that lets you MiTM song requests. I’ll show you what you can do
• There is an RF remote that controls the jukebox, but it has a default PIN code.
• We can improve the remote to make a Juke Box B Gone
Jukeboxes and The Mafia
• The Mafia have had control of vending machines and juke boxes since at least 1930
• Coin money was laundered with dirty cash
• Mobsters just coming up would pick up the cash from juke box routes
• In the 40’s and 50’s all the jukeboxes in NYC were run by the Mob
• Maybe those same people run juke boxes today? Who knows
Function Overview
• Plays songs remotely
• Accepts credit card payments
• Keeps track of song history, social networking, blah blah blah
• Credits + location = Play
Playing songs remotely
• You sign in
• You check into a juke box location
• You add credits to the jukebox
• You play the song
• A message is sent to backend servers
• Backend sends a push notification to the juke box to play your song and collect money
• Bar collects 50% of the money, vendor collects 50%
Android Network Analysis
• MiTM between your device and a remote host
• Current favorite method: ProxyDroid + Burp Suite
Playing songs remotely: Network Analysis
• Credentials are sent over SSL to web backend
• Server replies with a session identifier
• Searching and playing songs are all done over HTTP
• When playing a song the following parameters are sent:
  – Session ID
  – GPS coordinates
  – “Call_key”
Profit?
• MiTM + Replay = Repeat play
• You play the same crappy song that someone else just played
• Lame.
Call Key
• Call key verifies that a request has not been modified in transit
• Generated by taking all of the parameters passed in the HTTP request, appending a secret key (salt) and the timestamp
• If this value is not the same as what the server expects, your song will not play
Making The Call Key
• Reverse the app
• Extract the call key code
• Make my own script to generate that code
• …
• Profit
Android Reversing in 30 Seconds
• APK (ZIP) – use APKTool
• Dalvik VM (DEX) – use Dex2Jar
• Java Byte Code (JAR) – use JAD/JD-GUI
• Pseudocode – almost the original source code
Profit Redux
• MiTM + Replay + Call Key Creation + Session Fixation == Playing any song at any time
• Play a song without them being there
• Makes it look like they played it
• Reusable, over and over
• They can’t do anything about it!
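What the backend would need to do to stop the replay and "play any song at any time" result from the Call Key and Profit Redux slides, as an added example that is not code from the talk or from the jukebox vendor: the hash construction, parameter names and secret value below are assumptions, since the talk does not show the real ones.

```python
import hashlib
import hmac
import time

# Constructed values for this example: the talk does not show the real
# app secret or hash construction, so the scheme below is an assumption.
# A secret shipped inside the APK is recoverable by decompiling (see the
# reversing slides), so a real fix issues a per-session key server-side.
APP_SECRET = b"example-secret-embedded-in-apk"
MAX_SKEW_SECONDS = 30


def make_call_key(params, ts, secret=APP_SECRET):
    """Hash over all request parameters + secret + timestamp, per the slides."""
    canon = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hashlib.sha256(canon.encode() + secret + str(ts).encode()).hexdigest()


class PlayRequestVerifier:
    """Server-side verifier: a valid call key alone only proves the parameters
    were not modified, so a captured request can be resent later. This adds a
    freshness window on the timestamp and a cache of accepted requests."""

    def __init__(self, secret=APP_SECRET, now=time.time):
        self.secret = secret
        self.now = now          # injectable clock, so tests are deterministic
        self.seen = set()       # (session_id, ts, call_key) already accepted

    def verify(self, params, ts, call_key):
        expected = make_call_key(params, ts, self.secret)
        # Constant-time compare avoids leaking the expected key via timing.
        if not hmac.compare_digest(expected, call_key):
            return False, "call_key mismatch"
        if abs(self.now() - ts) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        token = (params.get("session_id"), ts, call_key)
        if token in self.seen:
            return False, "replay"
        self.seen.add(token)
        return True, "ok"


if __name__ == "__main__":
    v = PlayRequestVerifier(now=lambda: 1_000_000)
    req = {"session_id": "s1", "song_id": "42", "lat": "43.15", "long": "-77.61"}
    key = make_call_key(req, 1_000_000)
    print(v.verify(req, 1_000_000, key))   # (True, 'ok')
    print(v.verify(req, 1_000_000, key))   # (False, 'replay')
```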
Remote Attacks
• I wish I could Rick Roll someone when they get to the bar
• The problem is that you can only play songs when you’re near the Jukebox
• Based on your GPS coordinates
GPS Spoofing
1. Android app: FakeGPS – Android allows you to spoof your GPS location as a development feature.
2. Modifying parameters: lat=xx, long=xx
Profit Redux: Director’s Cut
• MiTM + Replay + Call Key Creation + Session Fixation + GPS Spoofing == Playing any song, at any time, from anywhere
• 3000 Mile Rick Roll?
Mobile App Summary
• Successfully stop people from playing Bon Jovi
• Steal people’s song requests
• Rick Roll your friends in any city
• Script: Done. Just ask for it
• Questions about mobile before we move on?
How I got involved
• I attended some local 2600 hacker thing.
• Antitree knew I knew something about radios.
• I like scanning radio freqs, and got into HAM radio as a result.
• I know more about HAM than I know about ISM, so forgive me
• I like to drink and play with radios at the same time. So it was a good fit.
The Power Of The Remote
• Adjusts volume (shhhh!)
• Pauses
• Skips songs
• Adds free credits (<<What?)
Remote and RF
• Remote operates on 433.92 MHz FM FSK or 27.145 MHz AM ASK
• Supports a PIN code to set which remote controls which jukebox
• There is a default PIN code!
Possible Attack Vectors
• Record and replay the remote’s RF signal (in general)
• Record and replay the remote’s RF signal using a smart phone and an HT (handheld transceiver)
• Generate the same RF signal and send it to the juke box (Juke Box B Gone?)
Who’s your friend? The FCC
• http://transition.fcc.gov/oet/ea/fccid/
Remote Status
• Mess with juke boxes by buying a remote
• Emulate a remote and control a jukebox using a USRP
• Send an RF signal using an Arduino
• Generate the RF signal and create a device (Juke Box B Gone)
• Open source the hardware and watch the havoc?