Date: 2021-06-25



Chalongrat Chuvaree | Getty Images

For years, security researchers and cybercriminals have hacked ATMs by every possible means of getting inside them, from opening the front panel and plugging a thumb drive into a USB port to drilling holes to expose internal wiring. Now one researcher has discovered a collection of bugs that let him hack ATMs, along with a variety of POS terminals, in a new way: by holding a phone to a contactless credit card reader.

Last year, Josep Rodriguez, a researcher and consultant at security firm IOActive, investigated and reported vulnerabilities in the so-called near-field communication (NFC) reader chips used in millions of ATMs and point-of-sale systems around the world. NFC systems are what let you wave a credit card over a reader, rather than swipe or insert it, to make a payment or withdraw money from an automated teller machine. They can be found at countless retail and restaurant counters, vending machines, taxis and parking meters around the world.

Rodriguez has now built an Android app that allows his smartphone to mimic the wireless communications of these credit cards and exploit flaws in the NFC systems’ firmware. With a wave of his phone, he can exploit various bugs to crash POS devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message. Rodriguez says he can even force at least one brand of ATM to dispense cash, though that “jackpotting” hack only works in combination with additional bugs he found in the ATM’s software. He declined to publicly identify or disclose those flaws due to a non-disclosure agreement with the ATM vendor.

“For example, if your screen says you’re paying $50, you can change the firmware to change the price to $1. You can make the device useless or install some kind of ransomware. There is a possibility here,” Rodriguez says of the POS attacks he discovered. “By chaining attacks and sending a special payload to an ATM’s computer, you can jackpot the ATM, like a cashout, with the tap of a phone.”

Rodriguez said he warned the affected vendors, including ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and an unnamed ATM vendor, between seven months and a year ago. Still, he warns that the sheer number of affected systems, and the fact that many point-of-sale terminals and ATMs do not receive software updates on a regular basis and often require physical access to update, mean that many of those devices remain vulnerable. “Physically patching so many hundreds of thousands of ATMs can be time consuming,” Rodriguez says.

As a demonstration of these lingering vulnerabilities, Rodriguez shared a video with WIRED. In it, he waves his smartphone over the NFC reader of an ATM on a street in Madrid, where he lives, and causes the machine to display an error message. The NFC reader appears to crash, and it no longer reads his credit card when he next touches it to the machine. (Rodriguez asked WIRED not to publish the video for fear of legal liability. He also did not provide a video demo of the jackpotting attack, because he could only legally test it on machines obtained as part of IOActive’s security consulting for the affected ATM vendor, with which IOActive has signed an NDA.)

The findings are “a good study of software vulnerabilities running on embedded devices,” says Karsten Nohl, a well-known firmware hacker and founder of security firm SR Labs, who reviewed Rodriguez’s work. However, Nohl points out some drawbacks that make the technique less practical for real-world thieves. A hacked NFC reader can only steal magnetic stripe credit card data, not the victim’s PIN or data from EMV chips. And the fact that the ATM cashout trick requires additional, distinct vulnerabilities in the target ATM’s code is no small caveat, Nohl says.

However, security researchers such as the late IOActive hacker Barnaby Jack and the team at Red Balloon Security have been able to uncover such ATM vulnerabilities over the years, and have even shown that hackers can trigger ATM jackpotting remotely. Red Balloon CEO and chief scientist Ang Cui says he is impressed with Rodriguez’s findings and has no doubt that hacking an NFC reader can lead to dispensing cash at many modern ATMs, even though IOActive has withheld details of the attack. “I think it’s very likely that running code on any of these devices will give you direct access to the main controller, as there are many vulnerabilities that haven’t been fixed for more than a decade,” Cui says. “From there, you have full control over the cassette dispenser that holds and releases cash to the user,” he adds.

Rodriguez, who has spent years testing ATM security as a consultant, says he began investigating a year ago whether ATMs’ contactless card readers, most often sold by payment tech firm ID Tech, could serve as a way in to hacking them. He began buying NFC readers and point-of-sale devices from eBay and soon discovered that many of them suffered from the same security flaw: They did not verify the size of the data packet sent from the credit card to the reader via NFC, known as an application protocol data unit or APDU.

Using a custom app on an NFC-enabled Android smartphone, Rodriguez sent a carefully crafted APDU hundreds of times larger than the reader expected and was able to cause a “buffer overflow.” This is a decades-old type of software vulnerability that lets a hacker corrupt the memory of a target device and execute their own code.
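The missing size check described above, shown next to a length-validated version, as an added example that is not code from any affected reader or from Rodriguez’s research. The function names, the `rapdu_t` layout and the short-form limit of 256 data bytes plus a two-byte status word are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption: short-form responses only, at most 256 data bytes + SW1 SW2. */
#define RAPDU_MAX_DATA 256u
#define RAPDU_MAX_LEN  (RAPDU_MAX_DATA + 2u)
enum { RAPDU_OK = 0, RAPDU_TOO_SHORT = -1, RAPDU_TOO_LONG = -2, RAPDU_BAD_ARG = -3 };

typedef struct {
    uint8_t  data[RAPDU_MAX_DATA];
    size_t   data_len;
    uint16_t status;               /* SW1 << 8 | SW2 */
} rapdu_t;

/* Flawed pattern (shown for contrast): the length supplied by the card side
 * drives the copy into a fixed buffer with no comparison against its size. */
int parse_rapdu_unchecked(const uint8_t *frame, size_t frame_len, rapdu_t *out)
{
    out->data_len = frame_len - 2;             /* wraps if frame_len < 2 */
    memcpy(out->data, frame, out->data_len);   /* writes past data[] if > 256 */
    out->status = (uint16_t)((frame[frame_len - 2] << 8) | frame[frame_len - 1]);
    return RAPDU_OK;
}

/* Hardened: every length is checked before any byte is read or written. */
int parse_rapdu_checked(const uint8_t *frame, size_t frame_len, rapdu_t *out)
{
    if (frame == NULL || out == NULL) return RAPDU_BAD_ARG;
    if (frame_len < 2)                return RAPDU_TOO_SHORT;
    if (frame_len > RAPDU_MAX_LEN)    return RAPDU_TOO_LONG;
    out->data_len = frame_len - 2;
    memcpy(out->data, frame, out->data_len);
    out->status = (uint16_t)((frame[frame_len - 2] << 8) | frame[frame_len - 1]);
    return RAPDU_OK;
}

/* Constructed input: n filler bytes ending in status word 0x9000 when n >= 2. */
int check_frame_of_len(size_t n)
{
    static uint8_t frame[4096];
    rapdu_t parsed;
    if (n > sizeof frame) return RAPDU_BAD_ARG;
    memset(frame, 0x41, n);
    if (n >= 2) { frame[n - 2] = 0x90; frame[n - 1] = 0x00; }
    return parse_rapdu_checked(frame, n, &parsed);
}

int main(void) { return check_frame_of_len(258) == RAPDU_OK ? 0 : 1; }
```

Rejecting the frame before the copy turns an oversized packet into a handled error, so the reader can drop the transaction and keep running.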

When WIRED contacted the affected companies, ID Tech, BBPOS, and Nexgo did not respond to requests for comment, and the ATM Trade Association declined to comment. Ingenico responded with a statement saying that, due to its security mitigations, Rodriguez’s buffer overflow technique could only crash its devices and not execute code on them, but that it issued a fix anyway “in consideration of customer inconvenience and impact.” (Rodriguez suspects that Ingenico’s mitigation might actually prevent code execution, but hasn’t actually created a proof of concept to demonstrate this.)

Verifone, for its part, said it had discovered and fixed the highlighted point-of-sale vulnerability in 2018, long before Rodriguez reported it. However, Rodriguez argues that this only indicates that the company’s devices are not consistently patched. He says he tested his NFC technique on a Verifone device in a restaurant last year and found that it remained vulnerable.

After keeping much of his findings under wraps for a year, Rodriguez plans to share technical details of the vulnerabilities in a webinar in the coming weeks, in part to encourage customers of the affected vendors to implement the patches the companies have provided. But he also wants to draw more attention to the poor state of embedded device security. He was shocked to find that vulnerabilities as simple as buffer overflows remained on so many commonly used devices that process cash and sensitive financial information.

“These vulnerabilities have been in the firmware for years, and these devices are used daily to process credit cards and money,” he says. “They need to be safe.”

This story originally appeared on wired.com.

