reverse engineering a mass transit ticketing system who
play

Reverse Engineering a Mass Transit Ticketing System Who are we? - PowerPoint PPT Presentation

Oct 27, 2022 •379 likes •898 views

D115548684868449885511111111111CD5BCCF7CF83999DDD Reverse Engineering a Mass Transit Ticketing System Who are we? Damon Stacey, Dougall Johnson, Karla Burnett, Theo Julienne University students who do security research on the side Disclaimer

  1. D115548684868449885511111111111CD5BCCF7CF83999DDD Reverse Engineering a Mass Transit Ticketing System

  2. Who are we? Damon Stacey, Dougall Johnson, Karla Burnett, Theo Julienne University students who do security research on the side

  3. Disclaimer Research exercise Travelling without a valid ticket is illegal The views expressed here are entirely our own Data and algorithm have been modified

  4. Reverse Engineering Figuring out how something was designed Hacking stuff that isn't open source

  5. White Box Reverse Engineering Can look at the implementation Closed source software, malware Always possible Dynamic Analysis (debuggers) Static Analysis (disassemblers, decompilers) Tons of cool research Not the topic of this talk

  6. Black Box Reverse Engineering Can use the implementation File formats, network protocols, magnetic stripes Not necessarily possible System analysis Data analysis The topic of this talk

  7. Contrived Example 100000d61: mov %rsp,%rbp 100000d64: sub $0x40,%rsp 100000d68: mov %edi,-0x4(%rbp) 100000d6b: mov %rsi,-0x10(%rbp) $ ./mystery 100000d6f: mov -0x4(%rbp),%eax 100000d72: cmp $0x2,%eax Not enough arguments. 100000d75: jg 100000d92 100000d77: lea 0x162(%rip),%rax # 100000ee0 100000d7e: mov %rax,%rdi $ ./mystery 1 100000d81: callq 100000e8e <_puts$stub> 100000d86: movl $0x1,-0x1c(%rbp) 100000d8d: jmpq 100000e5b Not enough arguments. 100000d92: mov -0x4(%rbp),%eax 100000d95: cmp $0x3,%eax $ ./mystery 1 2 100000d98: jle 100000db5 100000d9a: lea 0x155(%rip),%rax # 100000ef6 100000da1: mov %rax,%rdi Saved to out.txt 100000da4: callq 100000e8e <_puts$stub> 100000da9: movl $0x1,-0x1c(%rbp) $ ./mystery 1 2 3 100000db0: jmpq 100000e5b ... 100000e5b: mov -0x1c(%rbp),%eax Too many arguments. 100000e5e: mov %eax,-0x18(%rbp) 100000e61: mov -0x18(%rbp),%eax 100000e64: mov %eax,-0x14(%rbp) 100000e67: mov -0x14(%rbp),%eax 100000e6a: add $0x40,%rsp 100000e6e: pop %rbp 100000e6f: retq 100000ee0: 4e6f7420 656e6f75 67682061 7267756d Not enough argum 100000ef0: 656e7473 2e00546f 6f206d61 6e792061 ents..Too many a 100000f00: 7267756d 656e7473 2e006f75 742e7478 rguments..out.tx

  8. Case Study Mass Transit Ticketing System Magnetic stripe tickets

  9. c a s e s t u Which Tickets d y Need to figure out how they work How much data do we need? Which data do we need? Large dataset for analysis Specially-purchased data to answer specific questions

  10. Data Analysis What do you know about the data? Look for correlations Look at common stuff first How would you encode the data?

  11. Entropy - Random

  12. Entropy - AES

  13. c a s e s t u Entropy - Case Study d y

  14. Encryption Modern cryptography looks like random data Patterns indicate weaker cryptography Frequency analysis Entropy and compressibility

  15. c a s e s t u General Observations d y Must encode validity dates, origin, destination, etc. Physical ticket ID encodes station and machine ID

  16. c a s e s t u Finding Patterns d y Specially purchased, sequential tickets are significantly different D115548684868449885511111111111CD5BCCF7CF83999DDD - 17:57:56 D667730B030B0334007766666666666157C11DF10D39998AD - 17:57:59 DBBAAED6DED6DEE9DDAABBBBBBBBBBBC8A1CC02C94A0001ED - 17:58:02

  17. c a s e s t u Finding Patterns d y Clearly not random D115548684868449885511111111111CD5BCCF7CF83999DDD - 17:57:56 D667730B030B0334007766666666666157C11DF10D39998AD - 17:57:59 DBBAAED6DED6DEE9DDAABBBBBBBBBBBC8A1CC02C94A0001ED - 17:58:02

  18. c a s e s t u Finding Patterns d y XOR each nibble with ‘1’ D115548684868449885511111111111CD5BCCF7CF83999DDD - 17:57:56 C004459795979558994400000000000DC4ADDE6DE92888CCC

  19. c a s e s t u Finding Patterns d y Data after XOR D115548684868449885511111111111CD5BCCF7CF83999DDD - 17:57:56 D667730B030B0334007766666666666157C11DF10D39998AD - 17:57:59 DBBAAED6DED6DEE9DDAABBBBBBBBBBBC8A1CC02C94A0001ED - 17:58:02 C004459795979558994400000000000DC4ADDE6DE92888CCC B001156D656D6552661100000000000731A77B976B5FFFECB 6001156D656D6552661100000000000731A77B972F1BBBA56

  20. c a s e s t u Finding Patterns d y 0100 0101 1001 0111 0001 0101 0110 1101 C004459795979558994400000000000DC4ADDE6DE92888CCC B001156D656D6552661100000000000731A77B976B5FFFECB

  21. c a s e s t u Finding Patterns d y Left rotation of each nibble by 2 ( (nibble << 2) | (nibble >> 2) ) & 0xF 0100 0101 1001 0111 ROL 0001 0101 0110 1101 C004459795979558994400000000000DC4ADDE6DE92888CCC B001156D656D6552661100000000000731A77B976B5FFFECB

  22. c a s e s t u Finding Patterns d y First ticket with bits ROLed C004459795979558994400000000000DC4ADDE6DE92888CCC 3001156D656D6552661100000000000731A77B97B68222333

  23. c a s e s t u Finding Patterns d y Data after XOR (with first ticket ROLed) D115548684868449885511111111111CD5BCCF7CF83999DDD - 17:57:56 D667730B030B0334007766666666666157C11DF10D39998AD - 17:57:59 DBBAAED6DED6DEE9DDAABBBBBBBBBBBC8A1CC02C94A0001ED - 17:58:02 3001156D656D6552661100000000000731A77B97B68222333 B001156D656D6552661100000000000731A77B976B5FFFECB 6001156D656D6552661100000000000731A77B972F1BBBA56

  24. c a s e s t u Finding More Patterns d y Worked on those 3 tickets Failed on all other tickets Try other nibbles for XOR: 4, 8, 15, 23 then 42

  25. Small vs Large Data Sets Small known data has little variation Same values, more correlations Great for making data look the same Large dataset will have much more variation More values, less correlations Need to move to a larger data set

  26. c a s e s t u Data Gathering d y Magnetic stripe tickets Ticket vending machines Cost a lot of money to get a good sample Once used, they're basically free

  27. c a s e s t u Ticket Database d y About a thousand tickets Efficient data digitisation Need magnetic stripe data and printed data Took an afternoon

  28. y d u t s e s a c LEGO DEMO

  29. Automation Don’t go through massive datasets by hand Automated search for correlations Automated search for possible encodings of known data

  30. c a s e s t u Search Scripts d y Group full data set into known field values Origin station from physical ticket Easy with decrypted data Our data only partially decoded Weak encryption Brute force

  31. c a s e s t u Finding the Origin d y Find all nibbles that are the same between all tickets with same origin Iterate through all nibbles as the XOR key Output in a visual way

  32. c a s e s t u Analyse Results d y 11 PALL MALL _________________________________________________ 11 OXFORD ST _____0___________________________________________ 11 KINGS CROSS _________________________________________________ 11 PICCADILLY B________________________________________________ 11 FLEET ST _________________________________________________ 11 BOND ST B_________44F2246AA8A____________________________ ... 12 PALL MALL ___________0E6___________________________________ 12 OXFORD ST _____0_____0744__________________________________ 12 KINGS CROSS ___________061___________________________________ 12 PICCADILLY B__________0755__________________________________ 12 FLEET ST ___________19A___________________________________ 12 BOND ST B__________0B6602EECE____________________________ ... 13 PALL MALL ____________E6___________________________________ 13 OXFORD ST _____0______744__________________________________ 13 KINGS CROSS ____________61___________________________________ 13 PICCADILLY B___________755__________________________________ 13 FLEET ST ____________8B___________________________________ 13 BOND ST B___________B6602EECE____________________________

  33. c a s e s t u Finding More Fields d y Can now decode the ticket origin and destination stations Origin and destination codes different ROLing some nibbles corrects this Data is still not decrypted completely Next want to find date and time

  34. c a s e s t u Date Field Location d y Origin Station vs Date Downside: Less tickets with same date values Analyse data from any date with > 2 samples Find common nibbles with 95% accuracy

  35. c a s e s t u Date Field Location d y ... 8 2011-06-16 _________322F____________________________________ 8 2011-06-28 _________326A5___________________________________ 8 2011-06-29 B________3269____________________________________ 8 2011-06-30 _________3268____________________________________ 8 2011-07-01 _________326F2___________________________________ 8 2011-07-02 _________326E____________________________________ 8 2011-07-03 _________326D738AC8______________________________ ...

  36. c a s e s t u Date Field Encoding d y Origin Station vs Date Upside: Better guess at encoding Probably field incrementing each day Pick a start date, SQL server uses 1900-01-01 Use all samples this time Correlate and visualise

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mobile Ticketing for All Transit Agencies By Sam Daly Founder, Token Transit Presentation

Mobile Ticketing for All Transit Agencies By Sam Daly Founder, Token Transit Presentation

Mobile Ticketing for All Transit Agencies By Sam Daly Founder, Token Transit Presentation Overview 1- Why mobile ticketing 2- Mobile ticketing launch learnings 3- Case Studies from Reno, Humboldt County and Lincoln, NE Dispel a few questions

435 views • 30 slides
History of Phuket Mass Transit System Phase 1 March 22 and October 20, 2012 : Thai cabinet

History of Phuket Mass Transit System Phase 1 March 22 and October 20, 2012 : Thai cabinet

Phuket Mass Transit System Phase 1 : Phuket International Airport Chalong Section Project Overview Presented by 7, 11 Jan 2019 History of Phuket Mass Transit System Phase 1 March 22 and October 20, 2012 : Thai cabinet assigned

764 views • 62 slides
Pahoa Transit Hub County of Hawaii Mass Transit Agency Mass Transit and Multimodal Master Plan

Pahoa Transit Hub County of Hawaii Mass Transit Agency Mass Transit and Multimodal Master Plan

Pahoa Transit Hub County of Hawaii Mass Transit Agency Mass Transit and Multimodal Master Plan Transition to Hub and Spoke operating model Route #40 will have fewer stops to stops being a more direct route to Hilo while feeder routes

270 views • 11 slides
Transit Mobile Ticketing and Fare Card Interoperability Bid V1380512P1 Company Confidential

Transit Mobile Ticketing and Fare Card Interoperability Bid V1380512P1 Company Confidential

Transit Mobile Ticketing and Fare Card Interoperability Bid V1380512P1 Company Confidential April 15, 2016 Introductions Roy Purnell Director of Sales, Southeastern Region Robert Antonio Program Manager Joining via teleconference: Kim Green

548 views • 21 slides
BRT ETT FLEXIBELT VERKTYG I STADSPLANERINGEN What is Bus Rapid Transit (BRT)?* Special

BRT ETT FLEXIBELT VERKTYG I STADSPLANERINGEN What is Bus Rapid Transit (BRT)?* Special

BRT ETT FLEXIBELT VERKTYG I STADSPLANERINGEN What is Bus Rapid Transit (BRT)?* Special Vehicles Dedicated Lanes Special Stops System Support - Pre-board ticketing - Passenger info system - Traffic management central

257 views • 12 slides
Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
Urban Mass Transit 1 Dr. Randa Oqab Mujalli Most Recent Urban Public Transport Systems 2 Bus

Urban Mass Transit 1 Dr. Randa Oqab Mujalli Most Recent Urban Public Transport Systems 2 Bus

Urban Mass Transit 1 Dr. Randa Oqab Mujalli Most Recent Urban Public Transport Systems 2 Bus Rapid Transit (BRT) 1 Articulated Bus 4 Metro 3 Light Rail Transit (LRT) Dr. Randa Oqab Mujalli 2 Advantages of mass Transit: 1.

451 views • 28 slides
Connecting E-Hailing to Mass Transit Platform Marco Nie 1 1 Department of Civil and Environmental

Connecting E-Hailing to Mass Transit Platform Marco Nie 1 1 Department of Civil and Environmental

Introduction CREDIT Hybrid design Results Conclusions Connecting E-Hailing to Mass Transit Platform Marco Nie 1 1 Department of Civil and Environmental Engineering, Northwestern University Transportation Center Seminar Series, Northwestern

1.14k views • 95 slides
Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The Chinese University of Hong Kong Joint work with J.-W. Lee, A. Tang, M. Chiang and A. R. Canderbank J. Huang (CUHK) Reverse Engineering MAC Nov.

605 views • 38 slides
Rooting the MikroTik routers A journey into reverse engineering parts of MikroTik system to gain

Rooting the MikroTik routers A journey into reverse engineering parts of MikroTik system to gain

Rooting the MikroTik routers A journey into reverse engineering parts of MikroTik system to gain access to hardware features and the shell behind the RouterOS that has no ls Who? Me? Who am I? https://twitter.com/KirilsSolovjovs

753 views • 43 slides
Reverse Engineering In-System-Configuration Controllers Jessy Diamond Exum (diamondman) Initial

Reverse Engineering In-System-Configuration Controllers Jessy Diamond Exum (diamondman) Initial

Reverse Engineering In-System-Configuration Controllers Jessy Diamond Exum (diamondman) Initial Project 3-4 year in the making 7400 logic based processor Agenda 1. An attempt to build a Processor (and how it ended in flames) 2. A

802 views • 48 slides
More Connectivity Status Quo: Congestion Riders are abandoning mass transit, due to the

More Connectivity Status Quo: Congestion Riders are abandoning mass transit, due to the

More Connectivity Status Quo: Congestion Riders are abandoning mass transit, due to the experience. Those who can a f ord are moving to the road, causing congestion. We need a better value solution. More people onto transit /

163 views • 13 slides
Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at the last 20 years of RE and looking ahead at the next few SSTIC 2018 -- Thomas Dullien (Halvar Flake) Progress in Reverse Engineering 2010

941 views • 64 slides
Two-dimensional atomic Fermi gases Michael Khl University of Bonn Two-dimensional

Two-dimensional atomic Fermi gases Michael Khl University of Bonn Two-dimensional

Two-dimensional atomic Fermi gases Michael Khl University of Bonn Two-dimensional Fermi gases Two- dimensional gases: the grand challenge of condensed matter physics High-T c superconductors: After 25 years of research still

497 views • 27 slides
Cooking Academy Holistic Food Preparation Cooking Academy Holistic Food Preparation Module #1

Cooking Academy Holistic Food Preparation Cooking Academy Holistic Food Preparation Module #1

Cooking Academy Holistic Food Preparation Cooking Academy Holistic Food Preparation Module #1 Getting Good in the Kitchen Our Agenda for Today Introduction What this section of Academy will do for you What we will cover The Modules This

734 views • 52 slides
Managing Hepatitis C: a Case-based Approach December 9, 2016 Bryn A Boslett, MD Outline Case 1

Managing Hepatitis C: a Case-based Approach December 9, 2016 Bryn A Boslett, MD Outline Case 1

12/9/16 Disclosures None Managing Hepatitis C: a Case-based Approach December 9, 2016 Bryn A Boslett, MD Outline Case 1 36M with well-controlled HIV, chronic HCV, and intermittent IV Pre-treatment evaluation heroin abuse. His HCV

374 views • 13 slides
Two-dimensional Fermi gases Two dimensional Fermi gases Michael Khl BEC-BCS crossover What

Two-dimensional Fermi gases Two dimensional Fermi gases Michael Khl BEC-BCS crossover What

Two-dimensional Fermi gases Two dimensional Fermi gases Michael Khl BEC-BCS crossover What happens in reduced dimensions? S Sa de Melo, Physics Today (2008) d M l Ph i T d (2008) A very short theory overview for 2D ( E F / h

558 views • 26 slides
Who Are Those Ancestors? Friendly Ghosts From the Past Haunting the Present Names Shanny

Who Are Those Ancestors? Friendly Ghosts From the Past Haunting the Present Names Shanny

Who Are Those Ancestors? Friendly Ghosts From the Past Haunting the Present Names Shanny Lyndon brothers Nanee Aunt Clyde &amp; Uncle Rufus Granny Bo Robertsons McCartneys Shorts, Hollidays, Floods, Maclin

1.08k views • 62 slides
THE SIMULATOR DEFINITIONS In the requirements I have stated that your simulator will be a:

THE SIMULATOR DEFINITIONS In the requirements I have stated that your simulator will be a:

THE SIMULATOR DEFINITIONS In the requirements I have stated that your simulator will be a: stochastic, discrete event, discrete time simulator. Let's see what each of these terms means. STOCHASTICITY A stochastic process is one whose state

298 views • 29 slides
Overview Object-Oriented Perl Mechanics mod_perl Method Handlers Extending Core

Overview Object-Oriented Perl Mechanics mod_perl Method Handlers Extending Core

Object-Oriented mod_perl ) Geoffrey Young geoff@modperlcookbook.org 1 http://www.modperlcookbook.org/ Overview Object-Oriented Perl Mechanics mod_perl Method Handlers Extending Core mod_perl Classes 2

1.1k views • 87 slides
Working across the food environment: How can local authorities actively influence the types of

Working across the food environment: How can local authorities actively influence the types of

Working across the food environment: How can local authorities actively influence the types of food available in their locality? Whole Systems Obesity National Conference 18th October 2016, Leeds Town Hall Jenny Morris (CIEH) Sue Bagwell

448 views • 17 slides

More recommend