
Hacking the Square

January 4, 2012

For Christmas, I received a cool little device called the Square from Ed Park. You plug this device into the audio mini jack on your smartphone and you can swipe credit cards right on your phone. It’s perfect for people doing business on the go. Or… next time your buddy owes you money, the “I don’t have any cash on me right now” excuse won’t work.

The first strange thing I noticed was that the data was being input via the audio jack rather than the data port (located at the bottom of the iPhone). There are three types of audio mini jacks: mono, stereo, and stereo/microphone. Since the iPhone audio jack accepts corded hands-free earpieces as well as earphones for music, it has to be the combo jack (stereo/microphone).

If you look at the tip, you’ll notice there are four sections separated by insulated plastic rings.

This type of plug is known as the “TRRS”. T-R-R-S stands for Tip-Ring-Ring-Sleeve. The tip is for Left-channel audio out. The first ring is for Right-channel audio out. The second ring is Ground. The sleeve is for Microphone in.
What I would like to know is how the Square transmits your credit card number into the software through the audio port.
Now, before wiring each terminal up to an Arduino and outputting data to serial: since input is only possible through the sleeve (microphone terminal), maybe we can find out whether the data is actually audible. By simply plugging the reader into a computer’s mic-in port, or firing up the voice recorder app on the iPhone, we can find out what our credit cards sound like.

Interesting. So if I just recorded the swipe of each of my credit cards, I could technically store credit card numbers as WAV files and play them directly into the Square software. I inspected each of my credit card WAV files and tried to spot some kind of pattern that matched the pattern of my credit card numbers. I didn’t think that was going to be successful, but it was worth a shot.



I then decided to rig the Square swiper up to my Arduino and display the output over serial.
Here is the Arduino code:

const int mic = A5;      // Square's sleeve (mic) terminal wired to analog pin A5
int counter = 0;         // readings printed on the current line so far

void setup()
{
  Serial.begin( 9600 );
}

void loop()
{
  counter++;
  Serial.print(analogRead(mic));   // 10-bit ADC reading, 0..1023
  Serial.print(" ");
  delay(50);                       // one reading every 50 ms (20 Hz)
  if(counter>=40){                 // 40 readings per line, then wrap
    counter=0;
    Serial.print("\n");
  }
}

I chose an analog input because the audio mini jack is analog. I know what each section in the TRRS spec does, but does the reader need power? Do I need to connect the ground? Do I need to power it through both left and right channels? I wasn’t sure, so I decided to simply try different combinations.



When I connect the ground, I get a stream of 0s. When I swipe the credit card, I get a few numbers… but not nearly enough to carry the data I assume the stripe holds. When I disconnect the ground, I notice something interesting.

Now, I’m still not sure I’m on the right track, because I expected a stream of 1s and 0s… but I noticed a pattern in the numbers. The numbers are grouped in fours: every four numbers, the pattern repeats itself.

It makes perfect sense. I’m going to assume the credit card stripe MUST be carrying 4 rows of data, and thus 4 different reads from the swiper. So I tried swiping my credit card to investigate the reads. (I’m not posting the output from my credit card here… but I’ll post the output from when I swiped my Disneyland Annual Passport!)

I’m going to go ahead and assume the data isn’t encrypted (at this level at least; I’m pretty certain it’s encrypted at the software level)… so it’s just a matter of deobfuscating it. Unfortunately for me, I was staring closely at the output and started getting sleepy. Hmmm. I’m not sure whether I’m on the right track or not… so feel free to chime in if you have any ideas. I shall come back to this later.


From → Hacks

18 Comments
  1. paul permalink

    apparently the square simply transmits the data through the audio jack unencrypted, and then decoded via software? dood, that is some seriously flawed design in terms of security. that means any malicious app can turn the Square into a skimmer with no hacking or modding necessary. there is no way in hell anybody in their right mind would actually pay anybody using one of these things, not me at least. not unless you come up with some anti-skimming tin foil card protection. that would be awesome.

    • Eh, it’s not up to them to make sure that you use your credit card at a reputable place that uses these. They read the data and encrypt it where they need to.

      Just remember to not give your credit card to just anybody.

    • andrew permalink

      Look up an android app called squareless. I can wave my phone near someone’s pay wave credit card and get the full number. Much easier than having to swipe a card

  2. paul permalink

    found some handy info that you may already be familiar with or found on your own…

    http://krebsonsecurity.com/2010/11/crooks-rock-audio-based-atm-skimmers/

    • that’s a great article. Thanks Paul. You’re absolutely right about being able to use the square to skim cards.

  3. This is completely off topic but thought it was cool since you’re trying to build your own robot

    • dude that’s awesome. That’s a great idea to utilize the Kinect’s engine to control a robot.

  4. Willy permalink

    Very interesting post. What rings on the square did you determine should be connected to which pins on the arduino?

    • Hi Willy. Since the square treats the read like analog audio, I would connect the mic out portion of the jack (the sleeve, the terminal closest to the plastic) to any analog in pin on the arduino.

  5. Awesome blog!

    What did the .wav sound like when you played it? Check out the frequency spectrum in Sonic Visualiser (sonicvisualiser.org). I bet you’ll see a pattern. Maybe it’s simple like DTMF?

    Also, when connecting the Square’s sleeve to your Arduino, you’re definitely going to want to connect a common ground (2nd ring) – otherwise you’re just reading noise. The Arduino’s analog input is a 10-bit ADC, so it will give you a value between 0 – 1023. That value is proportional to the voltage on the sleeve at the time of sampling.

    Your code samples the voltage of the Square’s output every 50ms (20Hz). To have a shot at programming your Arduino to decode the output you’ll need a sample rate of at least 8 kHz. I’d stick to your box’s sound card.

    • Thank you Josh! What you said makes total sense. While rigging this up, I added the 50ms delay temporarily during analysis. But you are right. Even with 0 delay, it wouldn’t even suffice for an 8 kHz sample rate.
      Looking at the .wav file after checking out the phrack article on credit card skimmers, it all makes sense!
      http://krebsonsecurity.com/2010/11/crooks-rock-audio-based-atm-skimmers/
      It all interprets into binary data based on the kind of wave! I have not revisited this, but I certainly would like to at some point.

  6. Oh ya, look at that.. A bit is a single cycle, where a 1 bit is double the frequency of a 0 bit.

    To decode reference here:
    http://www.cyberd.co.uk/support/technotes/isocards.htm

    Check the .wav to get an idea of bit times for a swipe. I bet they’re long enough that you could decode it on the Arduino. I’d try using an opamp wired up as a zero crossing detector and sample that on a digital input pin.

    Portable cc reader I guess?

    • Thank you for that info! Now I want to experiment with the square some more. An arduino + lcd screen as a portable cc reader would be pretty cool.

  7. I would bet that the output is just the raw magnetic flux from the head. This will represent the north-south coding of the magnetic flux transitions on the swipe. To test the hypothesis – it’s quite simple – you should get a shorter data “burst” on the audio if you swipe the card faster. In fact, if you sample at a high enough sample rate, and you swipe fast enough, the data should be “above” DC so much that you should get a good “square wave” representation in an audio editor as opposed to a sloping square wave (due to the limitations of the filter capacitor preventing the DC portion of the signal from passing in your sound card).

    With that, if you “slice” the signal around the mid-point, you can probably use the durations in between mid-point crossings to get your data.
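Comments 6 and 7 together describe the whole decoding chain: slice the recording at its midpoint, time the crossings, treat a bit cell with a mid-cell flip as a 1 (F2F, double the frequency of a 0), then read the 5-bit Track 2 characters. The example below is added here and is not code from the post or from Square; it builds a swipe waveform from a constructed dummy account number with ADC-style values (512 ± 300, 20 samples per bit cell, all assumptions) so the decoder can be checked offline, and its parity and LRC checks are what separate a clean read from noise.

```python
def track2_bits(payload):
    """Frame ';' + payload + '?' + LRC as 5-bit odd-parity chars, LSB first (ISO 7811)."""
    chars = [0xB] + [ord(c) - 0x30 for c in payload] + [0xF]   # ';' = 0xB, '?' = 0xF
    lrc = 0
    for c in chars: lrc ^= c                          # LRC = XOR of every char incl. sentinels
    bits = [0] * 16                                   # leading clocking zeros
    for c in chars + [lrc]:
        data = [(c >> k) & 1 for k in range(4)]
        bits += data + [1 - sum(data) % 2]            # odd parity bit
    return bits + [0] * 16                            # trailing clocking zeros

def f2f_waveform(bits, spc=20, mid=512, amp=300):
    """Constructed swipe: the level flips at every bit-cell edge and again mid-cell for a 1."""
    level, out = 1, []
    for b in bits:
        level = -level
        out += [mid + amp * level] * (spc // 2)
        if b: level = -level
        out += [mid + amp * level] * (spc - spc // 2)
    return out

def f2f_decode(samples, mid=512):
    """Slice at the midpoint and time the crossings (comment 7): a gap under ~3/4 of
    the last full cell is a mid-cell flip, so that gap and its partner are a 1."""
    xs = [i for i in range(1, len(samples)) if (samples[i] > mid) != (samples[i - 1] > mid)]
    gaps = [b - a for a, b in zip(xs, xs[1:])]
    bits, i, cell = [], 0, gaps[0] if gaps else 0     # assumes the swipe opens with 0s
    while i < len(gaps):
        if gaps[i] < 0.75 * cell:
            nxt = gaps[i + 1] if i + 1 < len(gaps) else gaps[i]
            bits.append(1); cell, i = gaps[i] + nxt, i + 2
        else:
            bits.append(0); cell, i = gaps[i], i + 1
    return bits

def track2_parse(bits):
    """Find the start sentinel, verify odd parity per char and the LRC; None on any error."""
    i = next((j for j in range(len(bits) - 4) if bits[j:j + 5] == [1, 1, 0, 1, 0]), None)
    text, lrc = "", 0
    while i is not None and i + 5 <= len(bits):
        data, parity = bits[i:i + 4], bits[i + 4]
        if (sum(data) + parity) % 2 == 0: return None # parity error in this char
        v = sum(b << k for k, b in enumerate(data))
        i += 5
        if text.endswith("?"):                        # the char after '?' is the LRC
            return text if v == lrc else None
        lrc ^= v
        text += chr(v + 0x30)
    return None
```

The decoder needs only the crossing times, so a zero-crossing detector on a digital pin, as comment 6 suggests, could feed it the same input as the sound-card recording.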

