Major Flaws in Payment Terminals

Another reason to pay cash: the same Berlin researchers behind the access control intro link have found some serious flaws in common payment terminals.

Not only can the gadgets that read your card and ask for your PIN be remotely exploited, but they have local exploits too.

They expose the JTAG interface of the application processor (which gives an attacker full debugging control without opening the device), and some versions of the terminal software have a buffer overflow reachable through the readily accessible serial interface.

(While there’s no clear indication of a connection, I find it noteworthy that Canadian police were arresting fraudsters using hacked payment terminals starting all the way back in February: http://www.thestar.com/news/crime/article/1203949
Somewhat amusingly, my only experience with a JTAG interface was in Canada, long ago — with a satellite TV receiver.)

https://srlabs.de/eft-vulns/

“An analysis of the most widely deployed payment terminal in Germany found serious weaknesses.

A. Remote exploitation. The device’s network stack contains buffer overflows that can be used to execute code at system level.

B. Local compromise. There are at least two interfaces over which the device can be exploited locally:

Serial. Some versions of the terminal software are vulnerable to a buffer overflow that gains code execution through the readily accessible serial interface.
JTAG. The JTAG interface of the application processor is accessible without opening the device. It allows full debugging control over the device.
These attacks target the terminal’s application processor. The security of the cryptographic module (HSM) has not yet been investigated.

Abuse scenarios

Once exploited, the terminal under the control of an adversary can be used for fraud:

Card cloning. Collect credit/EC card data and PIN numbers
Alter transactions. Change transaction – including EMV transactions – in type (debit vs. credit), value, or other fields
Fake transactions. Spoof transactions towards the payment back-end or the cash register (i.e., falsely signal a successful transaction)”
