Intro

BlueSpoof is a magnetic stripe information spoofer that transmits data wirelessly. From a hardware perspective, BlueSpoof differs from Samy Kamkar’s MagSpoof tool. One of the main differences is that this tool uses a modified Bluetooth speaker board instead of the ATtiny85 micro-controller in Samy’s MagSpoof. The main modification to the Bluetooth speaker is in the output channels, where I added a special coil to “interpret” the magstripe info audio. In addition, it is a cross-platform spoofer.

Samy’s MagSpoof was not originally designed to make brute force attacks. It is true that I wanted to adapt it because one of my research projects required it.

Why BlueSpoof?

Even though Samy’s MagSpoof is an excellent tool, it had some limitations for my needs. It uses a micro-controller (ATtiny85), so end users have to compile and upload its code after every change, such as a new credit card number or any other change in the code. Also, the end user needs special hardware to reprogram the ATtiny85: an Arduino/reprogrammer or AVR dependencies. But the main limitation is the compilation and upload speed. If a researcher wants to upload credit cards constantly, it takes more than 12 seconds to do it because of the restrictions of the ATtiny85 uploading process.

So, with these limitations in mind, I decided to make two projects, working together with Electronic Cats: the first was the proof-of-concept MagSpoofPI library, which supports using the Raspberry Pi’s GPIO as a reprogrammer, and later the SamyKam. It has the same characteristics as MagSpoofPI but also supports a special OLED for better control and view of the processes running on the tool. Even with all these improvements, some limitations were still there. It was time to think outside the box.

The idea

After watching one of the Hak5 videos where they talked about a cross-platform attack using their USB Rubber Ducky product, I decided to design something similar but with MagSpoof: without my noticing, BlueSpoof was born.

BlueSpoof runs exactly like a Bluetooth speaker. The end user can connect to the tool like a normal Bluetooth speaker and play audiospoof files to transmit magnetic stripe information using any type of device with Bluetooth support:

  1. iPhone
  2. Samsung
  3. Laptop
  4. Tablet
  5. etc…

The only adjustment between platforms is the volume when you play the audiospoof files in a media player.

Hardware list

  • Bluetooth Speaker > any 4W
  • Coil > around 20 turns of wire, about 2 inches in diameter

Software list

  • AudioSpoof generator
  • Audio Media player

With these simple elements, we can make a cross-platform magnetic stripe spoofer. To generate the spoofed wav files, I designed several tools, available on my GitHub: one is the audiospoof that I mentioned in one of my posts. The second is the Major Malfunction collection, which I integrated into a single script. After you generate the wav files, move them to the device that is going to be connected to the BlueSpoof tool. [For better results, use the repeat option in the media player and adjust the volume.]

The last and best option is to use the ViolentMag project, an online service to generate, play, transmit or design AudioSpoof files directly from the web browser.

Here is how BlueSpoof works with different devices, same tool:

Please, enjoy it!