Serial Number Cracking for Fun and Profit

by MrGhostValley

Like any student of social engineering, I'm fascinated by speculative bubbles.  That hype alone could cause people to act in ways they would themselves otherwise consider irrational is remarkable.  Greed and fear can drive humans to do some pretty wild things - and generally, somebody stands to profit.  And while, like many of you, I channel most of this fascination towards cryptocurrencies, I've been keeping a keen eye on something with even better returns.  In these strange times, elite marijuana seeds have come to fetch absurd sums in private online auctions - up to $2,500 for a small packet of ten seeds.

There are huge sums of money involved, but the nature of the product is such that the buyer can't possibly know the contents.  First, all cannabis seeds are virtually identical.  Second - and more importantly - the buyer has no way of knowing if the seeds were what he paid for until he (and it seems in this high dollar crowd, it's nearly always a he) has grown them out for at least two and a half months.  On top of that, the packaging is generally impromptu - a heat sealed Mylar envelope, or paper packet.  And because the auctioneers are entirely used to offering products from private collectors, there's a serious vulnerability to unscrupulous actors auctioning off counterfeits.

Enter a third party with a pretty good idea.  We'll call them CannProve [not their actual name].  For ten cents apiece, they'll sell the original producers a specialized tamperproof label to place over their otherwise easy-to-knockoff packaging.  One end of the label has a holographic CannProve logo, while the other end has a unique serial number and a QR code.  If anyone wants to verify the authenticity of a pack of seeds using a CannProve seal, they confirm that the seal hasn't been broken, and simply scan the QR code to be brought to a webpage that lists information about the individual package.  It's a neat mechanism that introduces a basic level of trust.  Unfortunately, that trust mechanism is all too basic, because it can be exploited.  A motivated attacker would size the challenge up against the payday - counterfeiting a mere six packs could yield enough money to buy a car.  And, unlike trying to profit off a counterfeit Visa card or Coach bag, this whole transaction operates without visibility to authorities.  A motivated attacker, in other words, would be within reason to apply some time and effort to this problem.

First, some Open-Source Intelligence (OSINT).  A quick Instagram search of the producers fetching top dollar at auction would reveal a photo of a strip of CannProve labels before they've been applied to packages - just a friendly assurance to potential consumers that the products are verifiable.  Our attacker would pull it up on a laptop to zoom in for some clues.  First, the attacker would learn the format of the serial number: a six-digit number, followed by two alphabetic characters - for example, 102015JG.  After looking at a second label, the attacker would notice the numeric portion is sequential, but the alphabetic portion is pseudo-random: after 102015JG comes 102016CS.  Looking at the five labels present in the photo, the attacker wouldn't be able to discern the hashing or algorithm that produces the two alphabetic characters from a given number, but then there's the last clue.  The attacker would scan a QR code and be brought to the verification page located at https://cannprove.com/prove/102016CS.

The attacker would realize instantly that the serial numbers are all available in the public facing URLs being served by CannProve.

Armed with only the valid serials, the attacker could generate QR codes and counterfeit labels that would scan and verify.  CannProve could have prevented this - or at least made it quite a lot more difficult - by using non-sequential pseudo-random serial numbers and hashing them for their URLs.  But they did not.

First, the attacker would have to pull a list of valid serial numbers.  He could do this by sequentially iterating through URLs under https://cannprove.com/prove/, checking the contents for a phrase that appears only on valid pages (such as "CannProven!"), and writing the serials whose pages meet this criterion to a file.

He could do this very quickly and easily with a simple bash script, like this:

#!/bin/bash

START=${START:-2000}
END=${END:-4999}

# call like this to adjust defaults
# START=2000 END=2001 bash hunter-gatherer.sh

echo -e "Good Serialz:\n" > good_serialz.txt

# fetch one verification page; record the serial only if the "valid" marker is present
save_if_good() {
	local this_serial="${1}"

	curl -sL "https://www.cannprove.com/prove/${this_serial}" | grep -q 'CannProven!' && echo "${this_serial}" >> good_serialz.txt
}

wait_for_jobs_to_complete() {
	for job in $(jobs -p); do
		wait "$job"
	done
}

for num in $(seq "${START}" "${END}"); do
	time=$(date +"%T")
	echo "$time: Downloading Set 10$num"

	for a in {A..Z}; do
		for b in {A..Z}; do
			this_serial="10${num}${a}${b}"

			save_if_good "${this_serial}" &
		done
		# let the 26 background fetches finish before starting the next batch
		wait_for_jobs_to_complete
	done

	# remove for more parallelism
	# (probably blow up your system file handle limits)
	wait_for_jobs_to_complete
done

wait_for_jobs_to_complete

cat good_serialz.txt

The motivated attacker would order the basic packaging components from Amazon, use further Instagram or Google image searches to capture detailed images of the labeling, and print the front stickers for the packaging at a local copy shop.

Now with only the seal to spoof, the motivated attacker would be left with a few possible options.  First, given the value of a successful counterfeit, the motivated attacker could spend less than $5,000 to order genuine holograms with all of the related security features of the original.  While this might typically be difficult to discover, Instagram once again provides high quality close-up photos of enough samples to derive the full set of security features in the hologram.  This approach would be ideal and virtually impossible to detect and, although the cost could be prohibitive, the return on investment could still be massive.

In the case of limited funds, a DIY attacker would have to get creative.  First, examining the photos available under the #CannProve hashtag on Instagram, the attacker would notice the QR code labels in various photos with objects that can be used to determine scale and size.  The proper sized round-edge square metallic labels could be purchased from Amazon and then be printed with the derived serial numbers and associated QR codes.  This still leaves the attacker with the hologram to defeat.  Thankfully, Instagram saves again.  A little research shows that the producer fetching the highest auction bids places the QR code portion of the label to the front and actually places a white mailing label with text over the hologram.

The challenge is simplified for the attacker: nearly any hologram sticker cut to size will do because it will be mostly obscured with a white label.  Few people take the time to inspect holographic seals, and a proper inspection is impossible in online photos.  Perfect?  Not by any means.  But the photo posted to the auction will have a working QR code that will validate as the correct item.

The motivated attacker could perform the DIY attack in just a couple of days and the more impervious attack in about six weeks given the lead time on the holographic labels.  By placing all of their trust in a single security label, the producers, auctioneers, and consumers leave themselves vulnerable to a savvy attacker who could be long gone with six figures before anyone could verify the authenticity of the merchandise by growing it.

Security Lessons

First: Use randomness to make things hard to guess.

One major weakness of this trust mechanism is the sequential nature of the serial numbers.  If they were longer, randomized identifiers, a brute-force collection method like the Bash script above would become completely impractical.  You should consider this anytime you need to secure something in a way that could be either patterned or random: patterns are easier to observe, easier to guess, easier to remember, and easier to process computationally.

Second: Protect and obfuscate identifying information - dividing it into pieces makes total compromise less likely.

In this case, the QR codes should point to URLs based on hashes of the serial numbers, not on the serial numbers themselves.  This would completely prevent any possibility of connecting the hash derived from the URL with a valid serial number.  As is, if an attacker gets one, he or she has both.  In your personal life, this means everything from taking precautions like removing the labels from old shipping packages before recycling them to using two-factor authentication so your password isn't a single point of failure.
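The first two lessons (random serials, and URLs that do not expose the serial) as an added Python sketch of the issuing and checking side; this is not CannProve's code or the author's.  It uses a keyed hash (HMAC with a server-held key) rather than a bare hash, because a plain hash of a short, guessable serial could itself be recomputed for every candidate; the hostname, key, in-memory registry and field names are assumptions.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Assumed server-side key (constructed placeholder); keep the real one in a KMS, not in code.
SERVER_KEY = b"CONSTRUCTED-EXAMPLE-KEY-replace-me"
ALPHABET = string.ascii_uppercase + string.digits  # 36 printable symbols
SERIAL_LEN = 12
# Constructed in-memory stand-in for the database: URL token -> package record (no serial stored).
REGISTRY: dict = {}

def issue_serial() -> str:
    """Unpredictable serial printed on the label: 36**12 possibilities, so the
    article's enumerate-every-candidate approach becomes hopeless."""
    return "".join(secrets.choice(ALPHABET) for _ in range(SERIAL_LEN))

def url_token(serial: str) -> str:
    """Token embedded in the QR-code URL (/prove/<token>). A keyed hash of the serial:
    the URL reveals nothing about the serial, and without SERVER_KEY nobody can turn a
    guessed serial into a valid token."""
    return hmac.new(SERVER_KEY, serial.encode(), hashlib.sha256).hexdigest()[:32]

def register_package(producer: str, strain: str) -> str:
    """Producer side: create one label. Returns the serial to print; stores only the token."""
    serial = issue_serial()
    REGISTRY[url_token(serial)] = {"producer": producer, "strain": strain}
    return serial

def verify(token: str, serial_from_label: str) -> Optional[dict]:
    """Buyer side: the /prove/<token> page also asks for the serial printed on the label.
    Only the pair validates, so a photographed QR code alone, or a leaked serial alone,
    is not enough to produce a label that checks out."""
    record = REGISTRY.get(token)
    if record is None or not hmac.compare_digest(url_token(serial_from_label), token):
        return None
    return record

def search_space(sequential: bool, numeric_range: int = 3000) -> int:
    """Candidates an enumerator must try: the article's scheme (numbers x 26*26 letters)
    versus random serials of SERIAL_LEN symbols."""
    return numeric_range * 26 * 26 if sequential else len(ALPHABET) ** SERIAL_LEN
```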

Third: Social media is a public record.  Think before you share.

If you post a picture of anything that you rely on for security to social media, that genie is out of the bottle.  Here, the images of the packaging and the labels are what give an attacker the basic information to craft the ploy.  The detailed photos of holograms showing off their neato security features are exactly what make them susceptible to mass duplication.  The same goes for your ID badges, notes with passwords, even photos of your keys.

Fourth: Security features can at least slow and potentially stop even a motivated attacker, but not if you disable them.

A producer who covers the security features on his or her label, a business that doesn't arm its alarm, a motorist who doesn't lock his car doors when he parks at night - these are easy prey and will eventually be taken, especially if the target is valuable enough.

Code: hunter_gatherer.sh
