Exploit Archaeology First in the series of talks on excavating and exploiting retro hardware. I promise the talk will get technical. Who am I? • Penetration Tester • Geek Dad • Amateur Phone Phreak • @savant42 on the twitters Who I'm not • Leet. • A programmer. • A reverse engineer-er. • A speller. Why this talk? From 501b Weight to Stealth Attack Platform Methodology > Results First Traveling with a Payphone is a giant pain in the ass. Dff... I" Anyway. Nowadays they're like this If you see a payphone in your neighborhood today, you laugh. If you see someone using a payphone? You lock your car doors and roll up the windows. Even Indy is over it Ever since I was a kid One day, I got one as a gift. (Thanks Tiffany & Gene Erik) Still popular in correctional facilities This one came from a prison. No joke. (Yes, I cleaned the ever loving shit out of it) BOCOT vs. COCOT • BOCOT = Bell Owned Coin Operated Telephone (Telco Owned) • COCOT = Customer Owned Coin Operated Telephone (Private) Bell Owned BOCOTS could be "Red Boxed" (utilize inband ACTS tones to signal coin insertion) It's probably still possible in certain regions of the US but most RBOCs have outsourced to private companies. COCOT Payphones can not be Red Boxed without Operator Intervention (as far as *l know) because they don't use ACTS With "Smart Payphones" all of the call regulation, coin counting and management, etc, is done inside the payphone. Telco payphones do all the magic at the Central Office. Telling the difference? Most (All?) BOCOT Payphones use the General Electric style housing Coin Return is on the Left and the armored cable connects to the front of the housing. COCOTS often use the GTE style housing with the coin return slot on the right and the armored cable connects on the side. This is definitely not always the case, though. This Payphone Elcotel Series 5 Line-Powered Payphone Internal Battery, trickle charges from voltage on the telephone line "Smart" Phone, Programming/Rates are handled internal to the Payphone Elcotel used to be prolific with the private coin phone market Now they're all but gone from most places Now that I have one Prot No keys. No battery. No documentation. Phone was from different area code. em? How to do? Get the phone open Replace the battery Reprogram for free calls. Opening the phone Preserving the tomb. No destructive entry, wanted to keep the phone as intact as possible. Three types Upper Housing Lower housing (coin vault) T wrench for torque. You need all three. Upper Housing Lock 3 pins, no security Pins. Easy enough to pick in a short period of time. Anti-impressioning divots. Note:These locks tend to only rotate a quarter of a turn or less. Check, you may have already picked it. Coin Vault Lock? Not so much. 4 Pins, several spool pins. Medeco Locks, though not biaxial At that time, I was unable to pick it. Except Dude picked this lock in 1 seconds, by accident. Fuuuuuuuuuuu. one guy. Opening Didn't have aT wrench, time to hack harder. e housing Opening the housing VyrusOO I and I were able to hack something together. Badge clip, wrench, faith. Opening the housing Dead battery. Payphone.com u mad bro? Now that it is alive How the @#%#% do I use it? How to do? Different area code means local (to me) calls were $$$$$$$ Unacceptable. GOALS: The goals: • Zero out the rates tables to make free calls • Find vulnerabilities in payphone software • • • • Profit? First Hack Payphone -> ATA -> Asterisk -> 9 1 I Payphones are legally required to make 91 I a free call. Dial plan magic allowed me to get a usable dial tone if I first dialed 911. Neat hack, but sloppy. Documentation? Nearly non-existent. Archive.org was helpful, to an extent. I learned how to reset phone to default, but that's pretty much it. Elcotel? Incomplete Part 2 was useful, but I still didn't have the software to reprogram it. 3 Ways to Program • I . Software based reprogramming • 2. Local telemetry • 3. Remote Telemetry Software Ideal solution, but requires the software and a license from a dead company. Local Telemetry • Open the Phone (which WILL set off alarms and call the phone owner if you try this in the field) • Default the Phone • Listen to voice prompts and dial to set values. Remote Telemetry Can allegedly reprogram remotely? (More on this later) Software based programming Eventually I was able to acquire a demo through "alternative means/' Time to try and crack the software. Cracking 10 year old software is actually pretty hard. 1 6-bit Windows "NE" Binary Even IDA Pro was aN"WTF Mate?" I had a lot of help And by "help", I mean that someone did it for me. Eventually able to hook the installer, jump the serial number check, uncompress the installer archives. Thanks to VyrusOO I , int0x80, Frank A 2 Phone has onboard modem called a "PCM" (Payphone Control Module) Need to be able to dial it though. Ironically, I don't have a landline. Voice over IP Unlocked Linksys Analog Telephone Adapter (ATA) r USB Modem 1 i ■ ■ Voip Settings • Dial up modem over VoIP is a pain in the ass. • Ulaw or Alaw, accept no substitions. • Disable Noise Cancellation + Echo suppression • Really slow, ~ 9600 baud A HUGE Thanks! to theTelephreak guys (Hi Beave!) and the Oldskoolphreak.com guys for helping me get this sorted out. Default the phone Press and hold the button inside the phone. Flash the hook. Listen to onboard prompts no * Hill M Local Telemetry Press the button, flash the hook, enter the code, follow the voice prompts. Super easy, but requires you to physically open the phone. If the phone is not yours, this is dubious. Now we can connect File Activate Help LEC7LD Rates Call Type Taw Rates Unassigned Unassigned Poll List... Cmd List... Delete Upper 000000000G Lower 0000000000 Cancel Once you are able to connect, the rest is pretty easy. But this talk is also about hacks, not using software. Elcotel Engineers? Not total idiots. Anti-fraud Mechanisms: • Secondary Dialtone Detection • Red box detection • Chassis Alarms • Brute Force Protection Need to build a harness to fuzz the phone. Intercept modem audio? • Easy enough with SIP, but then what? FSK Demodulation is crazy hard Blackbox RE of Protocol If I could intercept and analyze how the software does it, I can do it myself. How do I hook a USB Modem? Advanced Serial Port Monitor Pro • http://www.aggsoft.com/serial-port- monitor.htm • Able to treat USB Modem as virtual serial port • "Spy Mode" allows you to pass through and watch • Displays output in either Hex or ASCII Password? Default password for software re programming is 99999999 Default password for local and remote telemetry is 88888888 Performing actions using the PNM Plus Elcotel application enabled me to see what actions look like in Hexadecimal From there I was able to make *some* sense of how the handshake worked Phone ID is usually the last 4 digits of the phone number. Passwords are almost never changed from defaults. EEEEHB Phone Selected: |(408) 111-1111 |Unassigned Site-Dgsk Model: R94-5 f Select Commands"' Jpload Remote Stati Upload SMDR Upload RAM image Upload Diagnostic Block DnLd Program File DnLd Operational Files DnLd Voice Brand File Clear Call Counters Burn RAM Image toEEPROM Reload Phone RAM Run Program from ROM Set Date & Time Set Totalizer Amount Clear Alarms "You may select more than one command from this list. Simply click on all the commands you wish to send. Then, click the button below. Dial Phone & nmands |~~ Stay Online After Commands Are Sent Results Phone Reports CashboK $ Totalizer $ Last Collected $ Date/Time: Zone: Serial No. Software Version: ROM Chip Version: Results Opening Comm Port... (OK) Waking Up Modem.. .(OK) Initializing Modem.. .(OK) Testing Modem.. .(OK) Dialing Phone... ...Payphone On-Line. Initializing Connection... Sending ID. ..(OK) | Sending Password Msg... Modem Settings | nbori- Call Status [Attempting logon.. P n 10:00:01 i Line: Sending Password Msg.. UkU^U 0h830 0h840 0h850 0h860 0h870 0h880 0h890 OkSAO 0h890 OkSAO 44 'A2 bC 4E •AU ^b 43" UD UD UA 4F 4J=! UD UA II m\\\mc\}. . .ok. .p urge the serial port: KXCLEAK AT E0V1S0=0.ATE0V1S 0=0 . . .OK. .Purge the serial port : RXCLEAK ATDT111 1111 . . . CONNECT 1 200 . .Purge the s llli: . .UJUNECT"! 200 . . Purge the s 45 30 56 31 53 30 3D 30 0D 30 3D 30 0D 0D OA 4F 4B 0D II II II II II 41 54 41 54 45 30 56 31 53 OA || || || || || || 31 31 31 31 0D 0D OA 43 4F 32 30 30 0D OA || || || || 31 31 31 31 UD UD UA 43 if 32 30 30 0D OA || || || || 41 54 44 54 31 31 31 4E 4E 45 43 54 20 31 4E 4E 4b 43 b4 ZU 31 Demo Oh dear $deity please work. Auth Protocol Breakdown I Dialing Phone ATDT1111111 Initialising Connection 02 09090989 03 (-=STX>TAB TAB TAB TAB ) Sending ID 029003 Sending Password Message Sending password | Header 1 |M| |H| Ak|D|M| Y|^| PIN 1|2-?-| i Cance L , NuL L , Stx 8 18000101010101010101 55 1306200112FB 636363636363E363 1854 # password is 99999989 18000101010101010101 55 1206200112FB 63636363636363E7 1C5B # password is 99999990 18000101010101010101 49 1306200112FB 6363636363636367 9B4F # password is 99999991 18000101010101010101 42 1306200112FB 63636363636363E6 1B47 # password is 99999992 18000101010101010101 40 1306200112FB 6363636363636366 9A44 # password is 99999993 18000101010101010101 37 1306200112FB 63636363636363E5 1A3A # password is 99999994 18000101010101010101 35 1306200112FB 6363636363636365 9937 # password is 99999995 | 18000101010101010101 41 1206200112FB 63636363636363E4 1941 # password is 99999996 18000101010101010101 34 1206200112FB 6363636363636364 9833 # password is 99999997 18000101010101010101 18 1206200112FB 63636363636363E3 1816 # password is 99999998 18000101010101010101 21 1206200112FB 6363636363636363 971E # password is 99999999 <— valid password Success vs. Fail • When authentication fails, the Phone sends a hexadecimal NAK (Negative Acknowledgement) • 0x15 • When authentication is successful, Phone sends hexadecimal ACK (Acknowledge) • 0x06 Problem After 3 invalid attempts, the phone drops the call. However, the PNM software is responsible for interpreting the "disconnect" message. If we use our own code we can ignore that and keep trying until we get the right PIN. Pseudo Code PIN = 0000 send $PIN while ($auth_response != 0x06) $PIN++ send $PIN if $auth_response = 0x06, print "GREAT SUCCESS!" Python has a good serial interaction library, but I don't code because I'm an idiot. So Gene Erik jumped in Man I love having smart friends. https://github.com/savantdc949/ Code will be online some time after Defcon hangover clears. • User ID? Check. • Pin? Check. • • • • Proft? Enter: Remote Telemetry • Call payphone from any landline phone • Wait 30 seconds for Modem to stop screaming at you • Have 1 seconds to enter telemetry password • Listen to voice prompts Reprogramming using DTMF (Remote Telemetry) • Registers = Strings • Options = On or Off • Reg. 42 1 -434 = Antifraud. Set to to disable. • Reg. 333-336, 4 1 2, and 414 = Disable alarms More registers • 404 = Phone number • 402 = Phone ID# • 403 = PNM Plus Password • 400 = Telemetry Password • 116 = Disable battery (DoS) • 338 = Number for service desk Service Desk • Sudo/Operator status for Payphones • If you divert this number to yourself, you can do cool stuff. • Apply credit • Issue refunds • Force phone to dial number for free • Dump the coin escrow ($$$$) We can set the "coin escrow" to $5. As people use the phone, up to $5 in coins collect in the escrow hopper. Service desk can cause hopper to empty into coin return slot. Demo? Now what? How can we use this information in a novel way? ProjectMF Blue Box simulation of Inband signalling over TDM trunks. www.projectmf.or Red Boxing • Use sox and Asterisk EAGI to record and analyze inbound audio. • Filter out all frequencies that are not 1 700 Hz and 2200 Hz tones together • If not null, incremend $coin_value • If $coin value >= $.25, make call Now what? • Unlocked Linksys PAP2 ATA + PwnPlug + Alfa Wireless USB wireless = PayPwn! • Asterisk system() command lets us pass OS calls from DTMF • Macro the most popular pentesting tools • Cepstral/Festival TTS to receive responses Nmap by Phone Demo! • PwnPlug has built in support for slimmed down Asterisk. • Use Alfa to hook into a wireless network • DTMF to initiate scans, cracking, etc etc There *are* easier ways to do this, but what the hell? This is fun. Be honest with me. If you saw a Payphone, would you expect it to be a covert adventurer/badass? Call Interception Using the Asterisk ChanSpy() application we can monitor *all* voice traffic that goes through PBX. Roll payphone into a Casino. Wait for people to use the phone. Listen. Magic. Demo. Volunteer? In summary Using this information we can utilize Remote Telemetry to own any Elcotel Payphone Like any archaeological dig, we can learn a lot about the way developers used to think We can then apply this logic to other legacy systems still in the field (SCADA, etc) PayPwn = Only limited by your imagination If I have my way, they will live forever. More information • http://tinyurl.com/netwerked (Hack Canada Elcotel Archive) • http://www.payphones.50megs.com/page7.html (some Elcotel docs) • https://github.com/innismir/asterisk-scripts (nmap by phone) • https://github.com/savantdc949/ • Payphone.com (thieving bastards) Questions? [savant42 httD://dc949.or Thanks! • Defcon • Tiffany and Gene Erik (for the payphone and code) • docwho76 for the title image • Hack Canada for the docs • DC949 • Innismir, BlackRatchet, DaBeave, Strom Carlson, Binrev.com hackers, oldskoolphreak.com • You!