Presented at REcon 2015.
We're all used to seeing the ubiquitous cash drawer - that steel box, usually under the point-of-sale terminal, which holds the money received from sales - without giving it a second thought. But in recent years, the cash drawer has exploded in complexity into a full-blown appliance: from USB and Bluetooth support to on-board accounting and verification firmware, this innocuous box has quietly turned itself into a central component of the POS.
And unsurprisingly, the security of these devices has not improved in lockstep with their feature set.
In this talk, we will take apart the design and features of a modern cash drawer, and show why these devices are the proverbial chink in the armour of a POS system. We will discuss how we reverse engineered the firmware and the proprietary protocols used by several cash drawer models, and provide the tools for other reversers interested in following up. Finally, we will demonstrate how, by exploiting several security and design vulnerabilities, we can cause cash to disappear without a trace from a targeted business.
32. PAIGE
I heard that reversing Atmel code is a mindfuck because of these issues:
•Inconsistent register naming
•Creepy Harvard architecture
•Find xrefs to debug strings
34. PAIGE
$ rasm2 -d fw.bin
<..>
ldi r30, 0x15
ldi r31, 0xE
st r20, Z
<..>
ldi - load immediate into register
st - store register into byte at address
35. PAIGE
Dafuq did I just see? What does Z stand for?
Zebra? Zorg? Zimbabwe?
36.
37. AVR Programmer Manual:
In order to enable 16-bit addressing, the last six registers are paired to form registers X, Y and Z:
r26:r27 - X
r28:r29 - Y
r30:r31 - Z
38. PAIGE
$ rasm2 -d fw.bin
<..>
ldi r30, 0x15
ldi r31, 0xE
// Z is now 0xE15
st r20, Z
<..>
ldi - load immediate into register
st - store register into byte at address
39. PAIGE
Nailed it! But where the hell are the strings?
•Inconsistent register naming
•Creepy Harvard architecture
•Find xrefs to debug strings
40. PAIGE
I have a hunch that solving the next challenge will help:
•Creepy Harvard architecture
46. PAIGE
Now that I got the debug strings, let’s look at the attack surface
•Inconsistent register naming
•Creepy Harvard architecture
•Find xrefs to debug strings