The CSI is one of my favorite crime drama television series: not because it reflects the true reality, but because it is fun watching how they always find new ways to investigate a crime scene with ‘close to reality’ tools. Real CSI work is different: you only do a small part of the investigation chain. As for myself, I’m engaged in a research project at the university to develop hardware and software for crime scene investigation :-).
One area of that research project is to retrieve data from credit card (ATM) skimming devices: these are devices attached to or inserted into credit or debit card machines which ‘skim’ the card information and the PIN code entered. With that information, it is possible to clone a credit card for credit card fraud. Such devices are a big problem, and newer devices are very hard to spot. Simply ‘google’ for pictures of “skimming device” and you will get an idea of the diversity and madness of such devices :-(.
My job in the project is to retrieve the data from the devices. As the newer ones are highly integrated and getting smaller and smaller, an inspection with a microscope is usually the first step.
Depending on the complexity, we can use 3D microscopic scanning machines which the university usually uses for material inspection.
One real device was inserted *inside* the card slot. Earlier devices were attached in front of the card slot, so these new ones are really hard to detect:
Usually it is possible to identify the devices used, but not always, as for this case:
These devices have the identification removed. Notice the lower device, where the surface has been scrubbed down to the bonding wires! Incredible!
Do you think that removing the identification on the chips was done to make the work of the investigators harder? Not really. They slimmed down the PCB and the devices on it to fit into the credit card slot.
Again, the microscope is a big help here, and thinking for myself how I would (theoretically!!!) build such a device, together with the components on the PCB, gives hints about what was engineered here:
Again, the main goal was to retrieve the collected data to decide which cards have been skimmed. That I2C EEPROM memory is of special interest, and a way to get the data out is to spy it out with another board.
The problem is now: without knowing which I2C device is used, reverse engineering the protocol might be a difficult task. Luckily, most external I2C EEPROM devices use a similar protocol. Still, I need to find out the device address and probe the device.
In some cases it is possible to watch the device activity on the bus:
But this might not always be possible or successful, so probing with software is needed.
I2CSpy Processor Expert Component
To simplify the task, I have developed a shell-enabled Processor Expert component which is used to spy out the I2C devices on the bus.
Using the component properties, it features Shell support:
The component offers a command line interface to probe and inspect the I2C bus:
Using the ‘scan’ command, it will try all possible 7-bit I2C addresses on the bus:
Then the ‘device’ command can be used to select an I2C address, and the ‘dump’ or ‘read’ command to read from the device:
💡 The number of address bytes (1, 2, 3 or 4) can be set using the ‘addrSize’ command.
The number of bytes per line is configurable at runtime using the ‘bytesPerLine’ command:
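To show what the ‘scan’, ‘read’ with ‘addrSize’ and ‘dump’ with ‘bytesPerLine’ steps above actually do on the bus, here is an added C example (my illustration, not the I2CSpy component’s own code). It runs against a constructed in-memory bus with a single EEPROM at 0x50 whose byte at offset k reads as 0xA0 + k; the device address, the contents and the skipped reserved address ranges are assumptions of the example.

```c
/* Added example, not the I2CSpy component's own code: a 7-bit address scan, an EEPROM
 * read with configurable address size and a hex dump with configurable bytesPerLine,
 * run against a constructed in-memory I2C bus so it executes without hardware. */
#include <stdint.h>
#include <stdio.h>
#define EEPROM_ADDR 0x50u /* constructed: the only device on the simulated bus */
#define EEPROM_SIZE 64u   /* constructed: byte at offset k reads as 0xA0 + k */
/* Simulated transaction: write wlen address bytes, then read rlen data bytes. Returns 0 if
 * the address ACKs, -1 on NACK. A real port would call the MCU's I2C driver here instead. */
static int i2c_transfer(uint8_t addr, const uint8_t *wbuf, size_t wlen, uint8_t *rbuf, size_t rlen) {
    uint32_t pos = 0;
    if (addr != EEPROM_ADDR) return -1;                           /* no device: NACK */
    for (size_t i = 0; i < wlen; i++) pos = (pos << 8) | wbuf[i]; /* address bytes, MSB first */
    for (size_t i = 0; i < rlen; i++)                             /* address wraps, as EEPROMs do */
        rbuf[i] = (uint8_t)(0xA0 + (pos + i) % EEPROM_SIZE);
    return 0;
}
/* 'scan': probe every 7-bit address outside the reserved ranges; returns how many ACKed. */
int i2c_scan(uint8_t *found, size_t max) {
    int n = 0;
    for (unsigned a = 0x08; a <= 0x77 && (size_t)n < max; a++)
        if (i2c_transfer((uint8_t)a, NULL, 0, NULL, 0) == 0) found[n++] = (uint8_t)a;
    return n;
}
/* 'read' with 'addrSize': send 1..4 memory address bytes, MSB first, then read len bytes. */
int eeprom_read(uint8_t dev, uint32_t memaddr, int addrSize, uint8_t *out, size_t len) {
    uint8_t ab[4];
    if (addrSize < 1 || addrSize > 4) return -1;
    for (int i = 0; i < addrSize; i++) ab[i] = (uint8_t)(memaddr >> (8 * (addrSize - 1 - i)));
    return i2c_transfer(dev, ab, (size_t)addrSize, out, len);
}
/* 'dump' with 'bytesPerLine': print hex rows; returns the number of rows printed. */
int hex_dump(const uint8_t *buf, size_t len, int bytesPerLine) {
    int rows = 0;
    if (bytesPerLine < 1) return 0;
    for (size_t i = 0; i < len; i += (size_t)bytesPerLine, rows++) {
        printf("%04zx:", i);
        for (size_t j = i; j < len && j < i + (size_t)bytesPerLine; j++) printf(" %02x", buf[j]);
        printf("\n");
    }
    return rows;
}
int main(void) { /* stand-alone demo: scan, then dump 16 bytes from offset 0x10 with 2 address bytes */
    uint8_t found[8], data[16];
    int n = i2c_scan(found, sizeof found);
    printf("scan: %d device(s) found\n", n);
    if (n && eeprom_read(found[0], 0x10, 2, data, sizeof data) == 0) hex_dump(data, sizeof data, 8);
    return 0;
}
```

Choosing the wrong ‘addrSize’ shows up as a dump that starts at an unexpected offset or repeats, which is why the example lets the address width be varied per read.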
The I2CSpy component is not only useful to spy out skimming devices: it can be used for pretty much any I2C device on the bus. Actually, it is becoming a standard component for my projects, as it makes it easy to read from and write to I2C devices and to do advanced debugging. With this, the I2CSpy component has a broader usage :-).
And yes: things are different from the original CSI television series. But still a lot of fun :-P.
- Articles about skimming devices: http://krebsonsecurity.com/category/all-about-skimmers/
- Google email list about physical mobile forensics: http://groups.google.com/group/physical-mobile-forensics?hl=en
- Research project Competence Center for Complex Digital Forensics, Gebert Rüf Foundation: http://www.grstiftung.ch/de/portfolio/projekte/alle/y_2011/GRS-060-11.html
Happy Spying 🙂