Don't get me wrong: All hacking post-mortems -- and boy howdy, is this a hack -- are like candy to me. (For good or ill, I tend to think more like a builder than a breaker. It's one of those "see how the other half lives" things.) And a few fascinating, albeit disturbing, things jumped out at me:
- Credit card reading software transmits in clear-text...WHYYYYYY????
- The circuit board is being mass-produced. Granted, etching your own circuit onto a board is fairly low-tech. (For grinsies, I intend to give that a go myself, 'smatter'a'fact.) But this is not a homebrew board. Someone had access to professional production facilities. Multiple times.
- The software was widely available, even before Sparkfun published the .HEX file. That's evident from the fact that three different PCBs were using the same bytecode.
- Based on the small footprint of the compiled code, it's probably safe to assume that the software was written by a seasoned professional...possibly in possession of optimiser software. (Newbie/Hobby programmers tend to write inefficient code. And they don't pony up for optimiser add-ons to their IDEs.)
- The head-scratcher is why skinny code was installed on a (comparatively) fat chip. Did someone port legacy code? Was someone planning for forward-compatibility? There are other possible explanations of course, but those I mentioned don't bode well either way.
- The person who assembled the final product couldn't be arsed to change the default settings on the Bluetooth module. Which means that anyone with the inclination (and the software) could roll up to the pump and download your credit card info. Swell.
- At least one of these digital yobs is a crap solderer too ignorant and/or lazy to learn elementary circuitry.
Normally I try to be grateful for the incompetent criminals. But in this case the same lack of will/skill to configure the Bluetooth module for stealth mode allows data to be stolen multiple times. Senator Warren (D-MA) excepted, the political will to hold even the most egregious negligence to account just doesn't exist in Washington. The fact that fewer than half of American adults have checked their credit reports in the wake of the Equifax breach demonstrates why. (Not unlike the folks who won't patch their software, amirite?)
And given the knuckle-dragging, lead-paint-chip-eating, mouth-breathing stupidity to come out of the GOP "leadership" after every mass-murder, you can darned well bet that the completely obvious, logical solution -- a.k.a. mandatory encryption in gas pump credit card readers -- is beyond hope. Why, that's the kind of red tape that will kill jobs; let the free market sort it out; government shouldn't be picking winners and losers; something-something-something, freedom, apple pie, USA! USA! [eyeroll]
The worst part is, what with the #cybergrandpas (@Viss's delicious term) currently running the show, I almost hope that there's no interest in the problem. Because like as not, the "solution" would be to ban the Bluetooth modules. Seriously, I would not be at all surprised. See, #cybergrandpas think they understand guns. They might have even held one at a sportsmen's club photo-op once! But they know they don't understand electronics. Which makes geeks who can tell Schottky from Shinola infinitely more terrifying than angry white men mowing down someone else's children by the dozen.
- - - - -
* The Sparkfun article at one point talks about the skimmers using the (older) HC-05, but then talks about the HC-06 (and, at one point, the HC-01, which I'm not convinced is even a real thing). Psssst! Hey, Sparkfun: If you're looking to hire a technical editor who works remotely, call me. I know a gal. More than one gal, in fact. What I'm saying is, you have options here.