PoS Attacking the Traveling Salesman

DEF CON 22

Presented by: Tsagkarakis Nikolaos, Alex Zacharis
Date: Friday August 08, 2014
Time: 13:00 - 13:50
Location: Track 2

Our work presents a re-vamped Point-of-Sales (POS) attack targeting the transportation sector and focusing mainly on the international aviation industry. Through a real-life attack and while exposing serious security issues at an International Airport, we are re-introducing the popular PoS attack, focusing on the compromise of sensitive personal data such as travelers' identities and trip information. We will disclose all the technical details and proof-of-concepts of the attack we have performed on a real, widely used system: the WiFi time purchase kiosks located inside an International Airport. We will analyze the repercussions of the attack, focusing on the exposure of sensitive traveler information, along with the ability to perform privileged actions such as cashing out money from the kiosks. Our experience with contacting the airport's security will also be discussed.

Utilizing this attack, our team seized the opportunity to recreate the environment on which it took place in order to test a proof-of-concept malware targeting such PoS infrastucture. A step by step guide of the way our malware, named the "Travelers' Spy", exploits the available kiosk modules will be provided. The web camera and the barcode scanner are some of the modules exploited in a combination with memory scrapping to create a unique targeted malware that attacks travelers. Furthermore, a unique command channel for our malware will be introduced through specially crafted Aztec Code images posing as e-tickets. We will also release a newly developed barcode cloning and fuzzing mobile app for Android devices (the "Aztec Revenge" tool).

The tool implements a number of attacks, from simply cloning stolen e-tickets to issuing commands to our malware. "Aztec Revenge" can also be used by security researchers and penetration testers in order to fuzz barcode scanners and the web services behind them to expose security bugs. Finally, a combined attack using both the "Travelers' Spy" malware and the "Aztec Revenge" tool will be presented.

Alex Zacharis

Alexandros Zaharis (BSc, MSc) currently works as a Security Officer for an NREN, dealing daily with security compliance, development & maintenance. He also holds a position as a CERT representative in the Greek National Academic & Research Security Incident Response Team, working on attack trends, penetration testing, corporate forensics, malware analysis, incident handling / response, etc. He has published a number of research papers on anti-forensics, steganalysis and user authentication architectures. In collaboration with the CENSUS Penetration team, Alex has exposed a number of critical vulnerabilities on widely used enterprise software platforms.

Tsagkarakis Nikolaos

Tsagkarakis Nikolaos is the leader of the Census - http://www.census-labs.com - security testing services, focused on network and system attacks. Additionally there is a passion on using physical means to overcome security measures and gain access to each targeted asset. Specialized on Windows Internals Exploitation, Fuzzing on IR devices + other means, and network penetration testing.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats