
Examination of Bluetooth credit card skimmer  

tbehling
(@tbehling)
New Member

Good Morning,

I've been tasked with obtaining any possible data from a credit card skimmer that was recovered from a gas pump at a local gas station.

I've identified part of the skimmer as a HC05 or HC06 bluetooth module.

https://www.amazon.com/Pass-Through-Communication-Compatible-Atomic-Market/dp/B00TNOO438

There are no physical charging/data ports located on this device.

I cannot figure out how I would be able to power this unit in order to put it in "pairing" mode to connect via bluetooth from a device.

Has anyone been able to successfully examine a similar device?

https://www.dropbox.com/s/mr8wotal4p4vjfh/IMG_0384.JPG
https://www.dropbox.com/s/5b6kalkhggzuhp3/IMG_0385.JPG
https://www.dropbox.com/s/5fag25v2fuvuvfi/IMG_0386.JPG
https://www.dropbox.com/s/8bl309r84wyhpap/IMG_0387.JPG

Posted : 08/08/2017 9:28 pm
jaclaz
(@jaclaz)
Community Legend

Have you already checked?
https://krebsonsecurity.com/all-about-skimmers/

Anyway, it is not the model in the Amazon link you posted; in your IMG_0384.JPG the website of the manufacturer is readable:
http://www.hc01.com/

Good luck with Google translate (and possibly the Wayback Machine)

But that is just the Bluetooth module or "daughterboard", either HC-05 or HC-06, that is then soldered to a "motherboard"; see here:
https://translate.google.it/translate?hl=en&sl=zh-CN&tl=en&u=https%3A%2F%2Fswf.com.tw%2F%3Fp%3D693

jaclaz

Posted : 08/08/2017 11:55 pm
tbehling
(@tbehling)
New Member

Thank you for your reply.

I did visit www.hc01.com and tried to navigate the site as much as possible with the use of Google Translate, but wasn't able to obtain any usable information.

I did check https://krebsonsecurity.com/all-about-skimmers/ but I didn't find what I was looking for.

I guess my question is this: would there be any other way to acquire the stored data on this device other than Bluetooth?

I think my options for connecting via Bluetooth are very limited at this point unless I had access to a gas pump to re-connect the skimmer to power it.

Any ideas?

Posted : 09/08/2017 2:46 am
jaclaz
(@jaclaz)
Community Legend

> I guess my question is this: would there be any other way to acquire the stored data on this device other than Bluetooth?
>
> I think my options for connecting via Bluetooth are very limited at this point unless I had access to a gas pump to re-connect the skimmer to power it.
>
> Any ideas?

I am not sure I understand.

It is just a matter of checking how it was connected; it is not like - I believe - a gas pump has a sophisticated multi-filtered narrow specs power adapter; very likely all it can provide is some 5 V line, and the more common "motherboards" seem to have been developed for 3.6-6 V input.
And anyway the pinout of the "daughterboard" (HC05 or HC06 or whatever module) is documented, so it shouldn't be that difficult to trace the right pins on the motherboard.
And from the pinout of the "motherboard" to the one of the other components (the skimmer/reader).
And data (if any) is unlikely to be on the radio module, AFAICU that module is just a (Bluetooth) radio sporting a serial (TTL) interface.
So the data (if any) is more likely to be *somewhere else* and transmitted via serial to the Bluetooth radio.

jaclaz

Posted : 09/08/2017 4:44 pm
JDCoulthard
(@jdcoulthard)
Member

The Bluetooth module might contain the Bluetooth MAC address of the Most Recently used Authenticated Device.

You would need to identify the relevant pins and connect a USB-Serial cable to the board and identify the correct version of the Bluetooth module in use. Once done, you should be able to communicate with the device using HyperTerminal or equivalent and issue the correct AT command to get data from the device.

E.g. for the HC-03/HC-05 module, using the command AT+MRAD? will get you these details.

I cannot make out what the microcontroller is on the underside of the board to determine if it contains any non-volatile memory. Look up the datasheet for that part and it should give you a clue if there is anything else on there.

Posted : 09/08/2017 6:29 pm
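
As an added example (not part of the original post, and not vendor code): once a terminal session with the module has been logged, the reply to AT+MRAD? has to be turned into a conventional MAC address, because the HC-05 prints the address as NAP:UAP:LAP with leading zeros dropped. The sketch below parses such a log and hashes it for the case notes. The sample log is constructed, AT+ADDR? (the module's own address) comes from the HC-05 AT command set rather than from this thread, and treating an all-zero reply as "no device recorded" is an assumption.

```python
import hashlib
import re

# The module prints NAP:UAP:LAP in hex, dropping leading zeros in each field.
_ADDR_RE = re.compile(
    r"^\+(MRAD|ADDR):\s*([0-9A-Fa-f]{1,4}):([0-9A-Fa-f]{1,2}):([0-9A-Fa-f]{1,6})$"
)


def to_mac(nap, uap, lap):
    """Rebuild the 48-bit address: NAP (16 bits) + UAP (8 bits) + LAP (24 bits)."""
    raw = f"{int(nap, 16):04X}{int(uap, 16):02X}{int(lap, 16):06X}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def parse_at_log(log: bytes):
    """Extract addresses from a raw serial log and fingerprint the log itself."""
    findings = {"sha256": hashlib.sha256(log).hexdigest(), "errors": []}
    for line in log.decode("ascii", errors="replace").splitlines():
        line = line.strip()
        match = _ADDR_RE.match(line)
        if match:
            field, nap, uap, lap = match.groups()
            mac = to_mac(nap, uap, lap)
            # Assumption: an all-zero address means nothing is stored.
            findings[field] = None if mac == "00:00:00:00:00:00" else mac
        elif line.startswith("ERROR"):
            findings["errors"].append(line)
    return findings


# Constructed sample: a terminal log with local echo, not data from a real device.
SAMPLE_LOG = (
    b"AT+ADDR?\r\n+ADDR:98d3:31:fb1a2c\r\nOK\r\n"
    b"AT+MRAD?\r\n+MRAD:12:5:a0b1c\r\nOK\r\n"
)

if __name__ == "__main__":
    for key, value in parse_at_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
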
tbehling
(@tbehling)
New Member

> The Bluetooth module might contain the Bluetooth MAC address of the Most Recently used Authenticated Device.
>
> You would need to identify the relevant pins and connect a USB-Serial cable to the board and identify the correct version of the Bluetooth module in use. Once done, you should be able to communicate with the device using HyperTerminal or equivalent and issue the correct AT command to get data from the device.
>
> E.g. for the HC-03/HC-05 module, using the command AT+MRAD? will get you these details.
>
> I cannot make out what the microcontroller is on the underside of the board to determine if it contains any non-volatile memory. Look up the datasheet for that part and it should give you a clue if there is anything else on there.

First off, thank you for all of the replies.

I have examined the other side of the PCB and located the PIC18F4550 microprocessor as well as a 25P16VP flash memory component. I have located a datasheet for the 25P16VP.

http://www.datasheetcafe.com/25p16vp-datasheet/

This is kind of where I'm stuck, I do not have a background in electronics and fail to understand a lot of what the datasheet contains.

At this point this examination is more for learning and research than anything, so if anyone has any input or suggestions, feel free to make suggestions.

Posted : 09/08/2017 7:51 pm
JDCoulthard
(@jdcoulthard)
Member

Might be worth sourcing some of the flash chips to play with.

I did a quick look around and it might be possible to read the contents of the chip using an Arduino.

Posted : 09/08/2017 8:20 pm
jaclaz
(@jaclaz)
Community Legend

There is a new article (very detailed) on Sparkfun.com:

https://learn.sparkfun.com/tutorials/gas-pump-skimmers

Definitely worth a read.

jaclaz

Posted : 19/09/2017 5:27 pm