Wednesday, February 28, 2018

Revenge of the script-kiddies

This week, I was happy to discover that Digikey has a blog (Maker.io).  Which -- even as an aggregator -- is still a good place to visit every night before I put the tablet to bed.  Except for the rare occasion when the content is engrossing but still kinda nightmare-fuel.  Like the gas pump credit card skimmer "autopsies" cross-posted from Sparkfun's website.

Don't get me wrong:  All hacking post-mortems -- and boy howdy, is this a hack -- are like candy to me.  (For good or ill, I tend to think more like a builder than a breaker.  It's one of those "see how the other half lives" things.)  And a few fascinating, albeit disturbing, things jumped out at me:
  1. Credit card reading software transmits in clear-text...WHYYYYYY????
  2. The circuit board is being mass-produced.  Granted, etching your own circuit onto a board is fairly low-tech.  (For grinsies, I intend to give that a go myself, 'smatter'a'fact.)  But this is not a homebrew board.  Someone had access to professional production facilities.  Multiple times.
  3. The software was widely available, even before Sparkfun published the .HEX file.  That's evident from the fact that three different PCBs were using the same bytecode.
  4. Based on the small footprint of the compiled code, it's probably safe to assume that the software was written by a seasoned professional...possibly in possession of optimiser software.  (Newbie/Hobby programmers tend to write inefficient code.  And they don't pony up for optimiser add-ons to their IDEs.) 
  5. The head-scratcher is why skinny code was installed on a (comparatively) fat chip.  Did someone port legacy code?  Was someone planning for forward-compatibility?  There are other possible explanations of course, but those I mentioned don't bode well either way.
  6. The person who assembled the final product couldn't be arsed to change the default settings on the Bluetooth module.  Which means that anyone with the inclination (and the software) could roll up to the pump and download your credit card info.  Swell.
  7. At least one of these digital yobs is a crap solderer too ignorant and/or lazy to learn elementary circuitry.
Sadly (though doubtless unsurprising to my Gentle Reader), it's that last part that brasses me off like nothing else.  And that despite having my credit card info stolen in the last fortnight.  Grrrrrrr.  (Not via a gas pump -- of that I'm certain.  Cold comfort, that.)  Why?  Because these lamers are the hardware equivalent of script kiddies.  [spits]  For tinkerers with enough savvy to know the difference between an HC-05 and an HC-06*, it's frankly embarrassing to know that these hacks (in more than one sense of the term) are running amok.

Normally I try to be grateful for the incompetent criminals.  But in this case the same lack of will/skill to configure the Bluetooth module for stealth mode allows data to be stolen multiple times.  Senator Warren (D-MA) excepted, the political will to hold even the most egregious negligence to account just doesn't exist in Washington.  The fact that fewer than half of American adults have checked their credit reports in the wake of the Equifax breach demonstrates why.  (Not unlike the folks who won't patch their software, amirite?)

And given the knuckle-dragging, lead-paint-chip-eating, mouth-breathing stupidity to come out of the GOP "leadership" after every mass-murder, you can darned well bet that the completely obvious, logical solution -- a.k.a. mandatory encryption in gas pump credit card readers -- is beyond hope.  Why, that's the kind of red tape that will kill jobs; let the free market sort it out; government shouldn't be picking winners and losers; something-something-something, freedom, apple pie, USA! USA!  [eyeroll]

The worst part is, what with the #cybergrandpas (@Viss's delicious term) currently running the show, I almost hope that there's no interest in the problem.  Because like as not, the "solution" would be to ban the Bluetooth modules.  Seriously, I would not be at all surprised.  See, #cybergrandpas think they understand guns.  They might have even held one at a sportsmen's club photo-op once!  But they know they don't understand electronics.  Which makes geeks who can tell Schottky from Shinola infinitely more terrifying than angry white men mowing down someone else's children by the dozen.

- - - - -

* The Sparkfun article at one point talks about the skimmers using the (older) HC-05, but then talks about the HC-06 (and, at one point, the HC-01, which I'm not convinced is even a real thing).  Psssst!  Hey, Sparkfun:  If you're looking to hire a technical editor who works remotely, call me.  I know a gal.  More than one gal, in fact.  What I'm saying is, you have options here.