Presented at REcon 2015. We're all used to seeing the ubiquitous cash drawer - that steel box, usually under the point-of-sale terminal, which holds the money received from sales - without giving it a second thought. But in recent years, the cash drawer has imploded in complexity into a full-blown appliance: From USB and Bluetooth support to on-board accounting and verification firmware, this innocuous box has quietly turned itself into a central component of the POS. And unsurprisingly, the security of these devices has not improved in lockstep with their feature set. In this talk, we will take apart the design and features of a modern cash drawer, and show why these devices are the proverbial chink in the armour of a POS system. We will discuss how we reverse engineered the firmware and the proprietary protocols used by several cash drawer models, and provide the tools for other reversers interested in following up. Finally, we will demonstrate how, by exploiting several security and design vulnerabilities, we can cause cash to disappear without a trace from a targeted business.

1. gRN
thft
Rcon

2. IoT

8. Day 1: - PLAN
Day 2: - reverse
Day 3: - own

9. th pLn
day
oN

10. Name
LESTER CREST
Expertise
PLANNING
LESTER
Favorite porn star
STEFAN ESSER
1. FIND A TARGET
ASSIGNMENT
2. FIND AN ATTACK
ANGLE
3. FORM A CHAIN
OF ATTACK

11. LESTER
This is where all the
loaded people come to
have fun
the
heist
cafe anastasia

12. LESTER
Here’s a photo from the
inside. They store their
cash in that POS
POS
TERMINAL

13. LESTER
Time to refresh my
memory on how these
things are protected
POS
TERMINAL

14. POS: Ingredients

15. POS: Ingredients
•Terminal
No direct
access to
cash

16. POS: Ingredients
•Card reader
Heavily
protected

17. POS: Ingredients
•Cashier
Expensive
to bribe

18. LESTER
Is that it? Hit rewind, I’m
sure we missed
something.

19. LESTER
What’s that steel box
over there?

20. POS: Ingredients
•Cash drawer
Just a
dumb box
…or is it?

21. A Modern POS
…especially popular in
bars and restaurants

22. APG NetPRO 488
•Most popular wireless model
•Connects over WiFi…
•To the INTERNET OF THINGS

23. LESTER
Wait a minute… close up
on that part
POS
TERMINAL

24. LESTER
Gentlemen… I believe we
have a target
POS
TERMINAL

25. LESTER
Let’s get a device and
crack it open
APG 488

26. LESTER
Give me a close up of
those two chips
APG 488

27. Atmel
atmega
1284p
wiznet
WizFi210at over
serial
128k FLash
16k ram

28. Get the firmware - options
•No firmware online
•Play with UART?
•Extract from MCU?
(AKA Suicide)
•Ask the manufacturer… nah!

30. day
two
RveRe th fiRwaR

31. PAIGE
Name
PAIGE HARRIS
Expertise
Reverser
1. REVERSE THE
BINARY
ASSIGNMENT
2. FIND A BUG
Favorite film
HOW I MET YOUR
SKOCHINSKY

32. PAIGE
I heard that reversing
Atmel code is a mindfuck
because of these issues:
•Inconsistent register naming
•Creepy Harvard architecture
•Find xrefs to debug strings

33. PAIGE
Let’s deal with this sucker
first:
•Inconsistent register naming

34. PAIGE
$ rasm2 -d fw.bin
<..>
ldi r30, 0x15
ldi r31, 0xE
st r20, Z
<..>
ldi - load immediate into register
st - store register into byte at address

35. PAIGE
Dafuq did I just see?
What does Z stand for?
Zebra?
Zorg? Zimbabwe?

37. AVR Programmer Manual:
In order to enable 16-bit
addressing, the last six
registers are paired to form
registers X, Y and Z:
r26:27 - X
r28:29 - Y
r30:31 - Z

38. PAIGE
$ rasm2 -d fw.bin
<..>
ldi r30, 0x15
ldi r31, 0xE
// Z is now 0xE15
st r20, Z
<..>
ldi - load immediate into register
st - store register into byte at address

39. PAIGE
Nailed it! But where the
hell are the strings?
•Inconsistent register naming
•Creepy Harvard architecture
•Find xrefs to debug strings

40. PAIGE
I have a hunch that
solving the next
challenge will help:
•Creepy Harvard architecture

41. AVR Programmer Manual:
Program
Address
Space
CPUEEPROM Data
128K Flash
16K RAM4K
8-Bit

42. PAIGE
Got it! Now I know how
to find string refs.
•Inconsistent register naming
•Creepy Harvard architecture
•Find xrefs to debug strings

43. StrLen_PM:
<..>
adiw r30, 1
lpm r20, Z
tst r20
breq Return
<..>
adiw - add immediate to register pair
lpm - load byte from program memory
StrLen_RAM:
<..>
adiw r30, 1
ld r20, Z
tst r20
breq Return
<..>

44. r16:17 == 0xdae
Word addressing: 0x6d7

46. PAIGE
Now that I got the debug
strings, let’s look at the
attack surface
•Inconsistent register naming
•Creepy Harvard architecture
•Find xrefs to debug strings

47. AT
Command
Parser
WiFi Dispatcher
Open
Drawer
Send LogWipe Log
Set Log
Headers
Session
Token

48. The attack surface
is really tiny

49. pwn aL th thngs
day
thee

50. Name
TREVOR PHILIPS
Expertise
MAYHEM
1. Find a bug
ASSIGNMENT
2. Exploit it
TREVOR
Favorite tool
DIE3. Get gold

51. Mystery: Who wrote
their libc, and when?

52. TREVOR
strlen walks until a NULL
is reached

53. stRpy pRMtive
strcpy doesn’t add a
NULL byte to the end of
the string
TREVOR

54. wat

55. Using these two
primitives we can get
code execution
TREVOR

56. Where to write into?
TREVOR

57. Stack return address is stored
at beginning of RAM
TREVOR

58. Trigger
drawer
open
Build ROP
Chain
Overwrite
return
address
Trigger
write to
stack
Overwrite
pointer
memcpy
with value
of strlen
Log header
buffer
Three stage pwn
Flags (set
to non-0)
strlen
returns
wrong val
1 2 3

59. LESTER
Um, I think you’ve missed
something

60. The Money Function
$ $ $

61. They forgot
to check
credentials!

62. th
hist

63. LESTER
Ready for the job of a
lifetime? Here’s the target
cafe
Anastasia

64. LESTER
We have one gun on the
spot to trigger the open
cafe
Anastasia

65. LESTER
And another gun to grab
the cash when it’s open
cafe
Anastasia

66. LESTER
…THIS IS IT! Go for it
DeM

68. QestioN?