An Introduction to Arcade Security (2024)

25 December 2019

TL;DR This article contains my experiences testing an amusement arcade's security. I found a DoS vulnerability in Intercard devices. An attacker can take down an entire arcade's machines by using this vulnerability.

My girlfriend and I love to spend hours in local arcades. I always wanted to know how their network works and whether they are secure or not, but I couldn't find a comprehensive article about it. I decided to test them myself.

Learning The Fundamentals

In most arcades, you need to have their magnetic stripe card. You go to the cashier and say how much credit you want. After that, she takes a random card from the stack, swipes it at a machine, presses some buttons on the screen and hands you the card.

To play a video game, you need to swipe your card at a machine that looks like this:

After a swipe, it tells you how much credit you have left and starts the game.

To understand how all this works, I had to look inside those cards and maybe rewrite them. When I was at DEF CON, I bought a magnetic stripe reader/writer and lots of empty magnetic cards from here.

When I got back to Istanbul, I went to the arcade and checked the devices. They were using Intercard machines. I bought 4 different cards:

  • Card 1: Has 0 credits
  • Card 2: Has 10 credits
  • Card 3: Has 20 credits
  • Card 4: Has 20 credits

Since I had no previous knowledge of these systems, these cards would answer all of the following questions:

1) Is the credit information written inside the cards as plaintext? If the answer is yes, I will see the values 0, 10, 20, 20 on the cards.

2) Is the credit information written inside the cards in encoded form? If the answer is yes, the values on the 3rd and 4th cards have to be the same, and the others will be different.

3) Does each card carry a unique ID? If the answer is yes, all cards have to carry a different value.

I checked the data inside the cards and all of them were different. They were carrying a fixed-size alphanumeric ID value. So there is a client-server architecture inside the arcade: the magnetic reader on the machine sends the ID value to the server, and the server responds with data stating whether I can play and how much credit is left.
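The four-card experiment is a differential test: buying two cards with the same credit (cards 3 and 4) is what separates "credit stored encoded on the card" from "card stores only an ID". The script below is an added example, not code from the post; it runs that decision procedure over constructed track reads (the strings are made up and are not real Intercard data), so the same check can be repeated against any card system that hands out pre-printed stripes.

```python
"""Differential test of what a magstripe card stores (added example).

Constructed sample track reads, not a real dump; the purchase amounts are the
ones from the experiment: 0, 10, 20, 20 credits.
"""

# Hypothetical raw track-2 reads. ISO 7811 track 2 wraps the data in ';' ... '?'.
SAMPLE_READS = {
    "card1_0cr":  ";K7Q2M9XA?",
    "card2_10cr": ";B4N8P1ZD?",
    "card3_20cr": ";R2W6T0HC?",
    "card4_20cr": ";J9L3F5VE?",
}
PURCHASED = [0, 10, 20, 20]


def strip_sentinels(raw: str) -> str:
    """Drop the start sentinel ';', the end sentinel '?' and anything after it (LRC)."""
    raw = raw.strip()
    if raw.startswith(";") and "?" in raw:
        return raw[1:raw.index("?")]
    return raw


def classify(payloads, purchased):
    """Return the hypothesis the payloads are consistent with.

    plaintext : payload decodes to the purchased credit value
    encoded   : payload is a pure function of the credit value (equal credit -> equal payload)
    unique-id : every card carries a distinct, fixed-size payload regardless of credit
    """
    # 1) plaintext credit: every payload is exactly the number we paid for
    if all(p.isdigit() and int(p) == c for p, c in zip(payloads, purchased)):
        return "plaintext"

    # 2) encoded credit: same credit must map to the same payload, different credit to
    #    different payloads. Without two equal-credit cards this cannot be told apart
    #    from a unique ID, which is why cards 3 and 4 both have 20 credits.
    by_credit = {}
    consistent = True
    for p, c in zip(payloads, purchased):
        if by_credit.setdefault(c, p) != p:
            consistent = False
    injective = len(set(by_credit.values())) == len(by_credit)
    if consistent and injective and len(set(payloads)) < len(payloads):
        return "encoded"

    # 3) unique identifier: all distinct and same length, so the balance lives on a server
    if len(set(payloads)) == len(payloads) and len({len(p) for p in payloads}) == 1:
        return "unique-id"
    return "unknown"


def analyze(reads=SAMPLE_READS, purchased=PURCHASED):
    payloads = [strip_sentinels(r) for r in reads.values()]
    return classify(payloads, purchased)


if __name__ == "__main__":
    print(analyze())
```

If the result is "unique-id", cloning a card only duplicates a pointer to a server-side balance, which is what makes the race-condition and staff-card experiments below the interesting ones.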

We checked the devices but none of them had ethernet cables, so they are connected via WiFi. That was a promising attack vector in our case, but I decided to test everything about the magnetic cards before jumping to the WiFi.

Testing For Race Condition

I cloned a card with its unique ID which had 20 credits in it. My goal was swiping two identical cards on different machines at the same time to catch a race condition vulnerability. If it worked, we could play the second game for free. We tried it on two machines which both require 2 credits. We swiped the cards at the same time.

First trial: Both cards worked. One card showed 18 credits left, the second card showed 16 credits left. (Probably we couldn't swipe at exactly the same time.)

Second trial: One card worked, the other showed a generic error. The card that worked showed 14 credits left.

Third trial: One card worked, the other showed a generic error. The card that worked showed 12 credits left.

At this point, I decided that a race condition isn't possible (or practical) since we always get an error on the other card when we swipe at the same time.
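The "one works, one errors" pattern is what a server-side debit that is atomic per card ID looks like from the outside. The simulation below is an added example and not Intercard's code (their protocol is unknown, so the request is modelled as a plain function call): `LostUpdateServer` is the check-then-act version that the cloned-card test was hoping for, where two interleaved swipes of the same ID both read 20 and both write 18, and `SerializedServer` is the hardened version with a non-blocking per-card lock that rejects a second in-flight swipe, which reproduces the observed behaviour.

```python
"""Race condition on a card balance: lost update versus per-card serialization.
Added example; server behaviour and the 50 ms processing window are assumptions."""
import threading
import time

GAME_COST = 2


class LostUpdateServer:
    """Vulnerable: read the balance, then write balance - cost, with no lock.
    Two swipes of the same ID that overlap both see 20 and both write 18."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def swipe(self, card_id, cost=GAME_COST):
        bal = self.balances[card_id]            # check ...
        if bal < cost:
            return ("insufficient", bal)
        time.sleep(0.05)                        # window in which the other swipe reads
        self.balances[card_id] = bal - cost     # ... then act (TOCTOU)
        return ("ok", bal - cost)


class SerializedServer:
    """Hardened: one non-blocking lock per card ID. A swipe arriving while the same
    ID is mid-transaction is rejected with a generic error rather than queued."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.locks = {cid: threading.Lock() for cid in balances}

    def swipe(self, card_id, cost=GAME_COST):
        lock = self.locks[card_id]
        if not lock.acquire(blocking=False):
            return ("error", None)              # card already in use elsewhere
        try:
            bal = self.balances[card_id]
            if bal < cost:
                return ("insufficient", bal)
            time.sleep(0.05)
            self.balances[card_id] = bal - cost
            return ("ok", bal - cost)
        finally:
            lock.release()


def concurrent_swipes(server, card_id, n=2):
    """Fire n swipes of the same card ID at once (n machines, one cloned ID)."""
    results = [None] * n

    def worker(i):
        results[i] = server.swipe(card_id)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results, server.balances[card_id]


if __name__ == "__main__":
    print(concurrent_swipes(LostUpdateServer({"K7Q2M9XA": 20}), "K7Q2M9XA"))
    print(concurrent_swipes(SerializedServer({"K7Q2M9XA": 20}), "K7Q2M9XA"))
```

A blocking lock would also be correct (both swipes succeed, serialized, balance 16); the non-blocking variant is the one that matches the error seen on the second machine, and it has the operational advantage that a stuck transaction cannot pile up queued debits.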

Brute-forcing the Staff Card's ID

To configure the magnetic card readers, there is a staff card (root access). When a staff member swipes their card, they can start the game without paying any credit. This card looks the same as the customer card. Probably, the server keeps the ID value of the staff card and grants access to the machines by checking that value. So, if I can identify the staff card's ID, I can clone this ID onto an unlimited number of cards.

I tried lots of different IDs such as 00000000, 11111111 and AAAAAAAA but no luck. If I had Samy Kamkar's magnetic stripe spoofer I could brute force lots of combinations in a short amount of time.

Attempts at Infiltrating the Arcade Network

If we could infiltrate the arcade network, we could listen to client-server traffic via ARP poisoning. After that, we could search for vulnerabilities in the communication or in the server itself. If their communication isn't encrypted, we could change an "Insufficient credit" response to a positive one.
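The rewrite-the-reply attack only works when the reader has no way to tell a server reply from a forged one. The code below is an added example and not Intercard's protocol: the JSON message format, the per-reader shared key and the field names are all assumptions. It shows the plain reply being flipped from "insufficient" to "ok" by a man in the middle, and a reply tagged with HMAC-SHA256 over the body and bound to a reader-chosen nonce, which the reader rejects both when modified and when replayed from an earlier game.

```python
"""Unauthenticated versus MACed credit reply (added example; protocol assumed)."""
import hashlib
import hmac
import json
import os

SHARED_KEY = b"per-reader-key-provisioned-at-install"   # assumed: one key per reader


def make_nonce():
    return os.urandom(8).hex()


def server_reply_plain(card_id, balance, cost):
    """Plain JSON reply that an ARP-poisoning attacker can rewrite in transit."""
    ok = balance >= cost
    return json.dumps({"card": card_id, "ok": ok,
                       "remaining": balance - cost if ok else balance}).encode()


def reader_accept_plain(reply):
    return json.loads(reply)["ok"]


def server_reply_mac(card_id, balance, cost, nonce):
    """Reply bound to the reader's nonce and tagged with HMAC-SHA256 over the body."""
    ok = balance >= cost
    body = json.dumps({"card": card_id, "nonce": nonce, "ok": ok,
                       "remaining": balance - cost if ok else balance},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def reader_accept_mac(reply, expected_nonce):
    body, _, tag = reply.rpartition(b".")
    good = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(good, tag):
        return False                        # modified in transit
    msg = json.loads(body)
    if msg["nonce"] != expected_nonce:
        return False                        # replayed 'ok' from an earlier game
    return msg["ok"]


def mitm_flip(reply):
    """What the attacker does on the wire: turn 'insufficient credit' into success."""
    return (reply.replace(b'"ok": false', b'"ok": true')
                 .replace(b'"ok":false', b'"ok":true'))


if __name__ == "__main__":
    card = "K7Q2M9XA"
    print("plain, flipped:", reader_accept_plain(mitm_flip(server_reply_plain(card, 0, 2))))
    n = make_nonce()
    print("mac, flipped:  ", reader_accept_mac(mitm_flip(server_reply_mac(card, 0, 2, n)), n))
```

A MAC gives integrity, not confidentiality; TLS between reader and server gives both and is the normal answer, but the point for this attack is that the reader must verify the reply, not merely parse it.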

Capturing (and Not Cracking) the WiFi Handshake

My first plan was conducting a deauthentication attack against the arcade machines and capturing a handshake when they try to reconnect. I used an Alfa card with the wifite2 tool and it worked: I got a handshake. However, I couldn't crack it. I tried online websites and ran my GTX 1070 graphics card for 5 days but no luck. I'm not sure if Intercard provides the router and default password to the stores. If this is the case, they provided a strong password indeed.

Evil Twin Attack

I'm not so good at WiFi hacking but I decided to try another attack that I know: the evil twin attack. My plan was creating a fake access point with the same SSID as their AP and sending deauthentication packets to the arcade machines. After that, they should connect to my AP. If it worked, I could analyze their requests to the main server.

Note: A few months later, I learnt something new about WiFi and realized that this attack would never work. Since the target AP is protected with WPA2 and I didn't know the password, the disconnected devices won't connect to my fake AP, since they won't be able to complete a handshake with it. The evil twin attack is useful for faking open networks or abusing human behaviour, not for automated machines.

I prepared my laptop and a tool whose name I can't remember for this attack. I could not conduct this attack from outside the store; I had to create a strong signal to make it work. Because of that, I started the tool, packed my backpack and went inside the store. I picked a medium-crowded hour so as not to attract any attention.

The Chaos

After walking for 20 seconds inside the store, I was surprised. Most of the machines weren't working; people were swiping their cards over and over again. I went to the broken machines and saw this:

At this moment, I was terrified. I realized that my evil twin attack had broken those machines. I immediately ran out of the store, opened my laptop and stopped the attack. After 5 minutes, I went back to the store again. The machines were still broken! Somehow, they couldn't get an IP address.

The DoS Vulnerability

To validate this vulnerability, I went to another store and targeted just one arcade machine with deauthentication packets. I stopped the attack, went inside the store and started to look for a broken machine. I didn't find any. After a while, I realized that they were not using the Intercard brand but Embed.

I visited another branch of the arcade which uses Intercard. I conducted a deauthentication attack against a single machine and found a broken one. So this is definitely a vulnerability on Intercard's side.
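A WPA2 network without Protected Management Frames (802.11w) accepts deauthentication and disassociation frames from anyone who can spoof the AP's MAC, which is why a laptop and an Alfa card are enough here; the Intercard-specific part is that the readers never recovered on their own. Operators of the network can at least see the attack happening. The detector below is an added example, not from the post or from Intercard: it runs a per-(BSSID, client) sliding-window count over management-frame records in the shape a monitor-mode capture would give (timestamp, frame type, subtype, transmitter, receiver). The capture is constructed inline and is not a real arcade trace.

```python
"""Deauth/disassoc flood detector over a constructed monitor-mode capture (added example)."""
from collections import defaultdict, deque

# 802.11 management frames: type 0, subtype 12 = deauthentication, 10 = disassociation
DEAUTH, DISASSOC = (0, 12), (0, 10)

AP = "02:00:00:aa:aa:aa"        # constructed addresses, not real devices
READER = "02:00:00:11:11:11"
OTHER = "02:00:00:22:22:22"
BROADCAST = "ff:ff:ff:ff:ff:ff"

CAPTURE = (
    [(0.0, 2, 0, READER, AP), (0.4, 2, 0, AP, READER)]          # ordinary data frames
    + [(1.0, 0, 12, AP, OTHER)]                                  # one deauth: a client leaving
    + [(5.0 + i * 0.1, 0, 12, AP, READER) for i in range(20)]   # 10/s at one reader
    + [(9.0 + i * 0.1, 0, 12, AP, BROADCAST) for i in range(10)]  # broadcast: whole arcade
)


def deauth_burst_detector(frames, window_s=2.0, threshold=5):
    """Yield one alert per (bssid, client) pair the first time the number of
    deauth/disassoc frames in any window_s-second window reaches threshold."""
    recent = defaultdict(deque)
    alerted = set()
    for ts, ftype, subtype, src, dst in frames:
        if (ftype, subtype) not in (DEAUTH, DISASSOC):
            continue
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()                       # slide the window forward
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            yield {"bssid": src, "client": dst, "count": len(q), "t": ts}


def detect(frames=CAPTURE, **kw):
    return list(deauth_burst_detector(frames, **kw))


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

The single deauth at t=1.0 is normal traffic and produces nothing; the unicast flood alerts on its fifth frame and the broadcast flood alerts separately, which is the case that takes every reader on the BSSID down at once. Enabling 802.11w on the AP and the readers makes spoofed frames fail authentication and is the fix on the WiFi side; the readers' failure to re-acquire an IP after the flood stops is a separate defect in the client.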

I decided not to publish this vulnerability since any attacker could take down an amusement arcade with a laptop and an Alfa card for days, maybe weeks. I tweeted about this. But later on, I was convinced that this is a problem that Intercard must fix to help their customers. It's a basic attack; any medium-skilled attacker can find it.

I sent the details to Intercard but couldn't get any response back. That's why I posted this publicly.
