this is a project i did for my cs308s computer security course at university of texas. the goal was to explore the security of the square credit card reader. i believe the project was a success because i found a few different attack vectors, one of which seemed particularly relevant. the attack vectors and implementation details are available in the report.
as far as i can tell, there's nothing stopping another app from listening to a credit card swipe in the background. that means you could process a payment in the square app, and a malicious app could be skimming your credit card number in the background with no visible indication.
is it possible for this to happen in the wild? certainly. likely? probably not. the important thing is that it doesn't look like there are easy means of preventing the exploit. it would be extremely difficult to produce an unpowered encrypted card reader, so square would have to hope for an update to the ios api.
the biggest shortcoming of the project is that i did not have an apple developer account, so all of my results are based on the ios simulator. i would love to hear about others' experiences reproducing these results on actual hardware.
another significant shortcoming of the project is the error handling. like most school projects, the focus was not on writing robust software, so ymmv with the analog-to-digital conversion code.
the project has several non-insignificant requirements:
- xcode 4
- python 2.7 (though 2.6 may work…)
- scipy
- a square credit card reader (free from the website)
- an audio adapter if, like me, you're too cheap to get the apple developer account
once your system has the pre-requisites, you can decode card numbers yourself by connecting the card reader to your laptop via the adapter, firing up the server from the project directory by running:
$ ./server.py
and then compiling and running the 'Crooked' ios app in xcode. it's pretty rough, but if you start recording, swipe the card, and then stop recording, it sends the audio to the server, and receives and displays the decoded number.
the report title is a nod to some fascinating work by Hovav Shacham, which gets its title from a bob dylan tune.