A security researcher has discovered a series of bugs that allow ATMs and a wide range of POS terminals to be hacked in a new way: by waving a phone over a contactless bank card reader. Ahead of the start of our Ethical Hacker course, we share a translation of an article about what exploiting these vulnerabilities makes possible, how the author found them, and how ATM manufacturers reacted.
Josep Rodriguez, a researcher and security consultant at the security firm IOActive, has spent the last year looking for vulnerabilities in the Near Field Communication (NFC) reader chips used in millions of ATMs and POS terminals around the world. With NFC you don't need to insert a card to pay or to withdraw cash from an ATM; you simply hold it over the reader. The technology is used in countless retail stores and restaurants, vending machines, parking meters and taxis around the world.
Rodriguez wrote an Android app that lets a smartphone mimic a bank card's radio communication and exploit flaws in the readers' NFC firmware. With one wave of his smartphone he can disable sales terminals, hack them to collect and transmit bank card data, invisibly change the value of transactions, and even lock a device by displaying a ransomware message.
Rodriguez says he can even force ATMs of at least one brand to dispense cash, although this "jackpotting" works only in combination with other bugs he says he found in the ATM's software. Because of nondisclosure agreements with ATM vendors, Rodriguez declined to elaborate on or disclose those bugs.
“You can modify the firmware and change the price, for example by one dollar, while the screen displays a different price, disable the device or install some kind of ransomware – there are many options,” says Rodriguez of the vulnerabilities he discovered.
“By building a chain of attacks, as well as sending a special payload to the ATM computer, you can withdraw money from the ATM like a jackpot by simply swiping your phone over an NFC reader.”
The researcher says that between June and December 2020 he notified the affected vendors of his findings, including ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and an unnamed ATM vendor.
The researcher also warns that a huge number of systems are affected and that many terminals and ATMs receive software updates irregularly, in many cases requiring physical access to install them. This means many devices are likely to remain vulnerable. “It will take a long time to physically fix so many hundreds of thousands of ATMs,” says Rodriguez.
As a demonstration of the vulnerabilities, Rodriguez shared a video with WIRED in which he holds a smartphone over the NFC reader of an ATM on the street near his home, causing the ATM to display an error message. The reader crashes and no longer reads his card when he then holds it to the ATM.
He also did not provide a video demo of the jackpotting attack, because, he says, he could only legally test devices obtained through IOActive's security consulting work for an affected ATM vendor with which IOActive had signed a nondisclosure agreement.
“The findings are an excellent exploration of the vulnerability of software running on embedded devices,” says Karsten Nohl, founder of security firm SRLabs and a well-known firmware hacker who reviewed Rodriguez's work.
However, Nohl points out several limitations that make the method impractical for real-world theft. A hacked NFC reader can only steal magnetic-stripe card data, not the victim's PIN or data from the EMV chip. And the fact that withdrawing cash from an ATM would require an additional vulnerability in a particular ATM's code is an important caveat, Nohl says.
Still, security researchers such as the late IOActive hacker Barnaby Jack and the team at Red Balloon Security have been uncovering ATM vulnerabilities for years and have even shown that hackers can trigger ATM jackpotting remotely. Red Balloon CEO and chief scientist Ang Cui says he is impressed by Rodriguez's findings and, although IOActive withheld some details of the attack, has no doubt that hacking an NFC reader could lead to cash being dispensed at many modern ATMs.
“I think it’s very plausible that once you get the ability to execute code on any of these devices, you can get to the main controller: it is full of vulnerabilities that have remained in the system for more than ten years,” says Cui. “From there,” he adds, “it is absolutely possible to control the cassette dispenser that stores and dispenses cash to users.”
Rodriguez, who spent years testing ATM security as a consultant, says he began investigating a year ago whether contactless ATM card readers, most commonly sold by the payment technology company ID Tech, could serve as a way in. He started buying NFC readers and sales terminals on eBay and soon found that many of them share the same security flaw: they do not check the size of the data packet sent via NFC from the bank card to the reader, known as an application protocol data unit, or APDU.
To send APDUs hundreds of times larger than normal and trigger a buffer overflow, Rodriguez wrote an Android app with NFC support. Buffer overflows are a vulnerability class that has been around for decades; they let an attacker corrupt a target device's memory and run their own code on it.
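The flaw described above comes down to one missing comparison: the length of the frame arriving over NFC is never checked against the size of the buffer it is copied into. The following is an added example, not code from the article or from any vendor's firmware. It is a bounds-checked parser for a short ISO 7816-4 command APDU (CLA, INS, P1, P2, optional Lc, data and Le) of the kind a contactless reader receives from a card, written the way reader firmware should handle it: the frame is rejected before any copy if it cannot fit. The 261-byte buffer size, the status codes and the frame layout are assumptions made for this example, and the sample frames are constructed.

```c
/*
 * Added example (not the article's or any vendor's code): a bounds-checked
 * parser for a short ISO 7816-4 command APDU as received over NFC. The defect
 * the article describes is a reader that copies the incoming frame into a
 * fixed-size buffer without comparing the frame length to the buffer size;
 * this parser refuses such frames instead. Buffer size, status codes and the
 * exact frame layout are assumptions for this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define APDU_HEADER_LEN 4     /* CLA INS P1 P2 */
#define APDU_MAX_DATA   255   /* short-form Lc is one byte, so at most 255 */
#define READER_BUF_SIZE 261   /* header + Lc + 255 data + Le: assumed firmware buffer */

enum apdu_status {
    APDU_OK = 0,
    APDU_ERR_TOO_SHORT,        /* fewer than the 4 header bytes */
    APDU_ERR_FRAME_TOO_LARGE,  /* frame does not fit the reader buffer */
    APDU_ERR_LC_MISMATCH       /* Lc disagrees with the bytes actually present */
};

struct apdu {
    uint8_t cla, ins, p1, p2;
    uint8_t lc;                    /* number of command data bytes */
    uint8_t data[APDU_MAX_DATA];
    int     has_le;
    uint8_t le;
};

/* Parse `frame` (`frame_len` bytes) into `out`. Never writes past out->data. */
enum apdu_status apdu_parse(const uint8_t *frame, size_t frame_len, struct apdu *out)
{
    if (frame_len < APDU_HEADER_LEN)
        return APDU_ERR_TOO_SHORT;
    /* The check the article says the affected readers lacked: compare the
       length of what arrived over the air with the buffer it is stored in
       before anything is copied. */
    if (frame_len > READER_BUF_SIZE)
        return APDU_ERR_FRAME_TOO_LARGE;

    memset(out, 0, sizeof *out);
    out->cla = frame[0]; out->ins = frame[1]; out->p1 = frame[2]; out->p2 = frame[3];

    size_t rest = frame_len - APDU_HEADER_LEN;
    if (rest == 0)
        return APDU_OK;                       /* case 1: header only */
    if (rest == 1) {                          /* case 2: header + Le */
        out->has_le = 1; out->le = frame[4];
        return APDU_OK;
    }
    /* cases 3 and 4: header + Lc + data [+ Le] */
    out->lc = frame[4];
    size_t body = rest - 1;                   /* bytes after Lc */
    if (body == (size_t)out->lc + 1) {
        out->has_le = 1; out->le = frame[frame_len - 1];
    } else if (body != out->lc) {
        return APDU_ERR_LC_MISMATCH;          /* Lc lies about the payload length */
    }
    memcpy(out->data, frame + 5, out->lc);    /* lc <= 255 == sizeof data, so in bounds */
    return APDU_OK;
}

/* How many bytes an unchecked `memcpy(buf, frame, frame_len)` into a
   READER_BUF_SIZE buffer would write past its end. Pure arithmetic: it models
   the defect the article describes without reproducing it. */
size_t apdu_unchecked_overrun(size_t frame_len)
{
    return frame_len > READER_BUF_SIZE ? frame_len - READER_BUF_SIZE : 0;
}

int main(void)
{
    /* Constructed sample: SELECT by name of the contactless PPSE
       ("2PAY.SYS.DDF01"), the first command a reader sends to a card,
       followed by Le = 0x00. */
    static const uint8_t select_ppse[] = {
        0x00, 0xA4, 0x04, 0x00, 0x0E,
        '2','P','A','Y','.','S','Y','S','.','D','D','F','0','1',
        0x00
    };
    struct apdu a;
    enum apdu_status s = apdu_parse(select_ppse, sizeof select_ppse, &a);
    printf("SELECT PPSE: status=%d ins=0x%02X lc=%u has_le=%d\n",
           s, a.ins, (unsigned)a.lc, a.has_le);

    /* Constructed oversize frame, the shape the article describes. */
    static uint8_t big[4096];
    memset(big, 0x41, sizeof big);
    s = apdu_parse(big, sizeof big, &a);
    printf("4096-byte frame: status=%d, unchecked copy would overrun by %zu bytes\n",
           s, apdu_unchecked_overrun(sizeof big));
    return 0;
}
```

The point to take from the example is that the length comparison has to happen at the boundary where untrusted radio data enters the device, before any copy; validating Lc against the bytes actually present is a second, independent check, since a frame can be the right total size and still carry an Lc that does not match its payload.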
When WIRED contacted the affected companies, ID Tech, BBPOS and Nexgo did not respond to requests for comment, and the ATM Industry Association also declined to comment. Ingenico said in a statement that, thanks to its security mitigations, Rodriguez's buffer overflow could only disable its devices and did not allow code to be executed on them. Nevertheless, “considering the inconvenience and consequences for our customers,” the company released a fix anyway.
Rodriguez doubts Ingenico's mitigations would actually prevent code execution, but he did not write a proof of concept to demonstrate it.
Verifone, for its part, said it had found and fixed the terminal vulnerabilities Rodriguez drew attention to back in 2018, long before he reported them. Rodriguez counters that this only shows how inconsistently the fix was deployed across the company's devices: he says he tested his NFC techniques on a Verifone device in a restaurant last year and found it still vulnerable.
Many of the researcher's findings have remained under wraps for a year; Rodriguez plans to share the technical details of the vulnerabilities in a webinar in the coming weeks, partly to encourage the affected vendors' customers to install the released fixes.
Rodriguez also wants to draw attention to the poor state of security in embedded devices in general. He was shocked to find that vulnerabilities as basic as buffer overflows persist in so many widely used devices, including those that handle cash and sensitive financial data.
“For many years, these vulnerabilities have been present in the firmware of devices that we encounter every day when working with bank cards, with our money,” he says. “They must be protected.”
This material shows that even the systems that seem most reliable to the uninitiated can fail because of flaws that have been known for decades. If you are interested in finding such flaws and analysing applications from unexpected angles, take a look at our course on ethical hacking; if you would rather build applications from scratch, consider our course on Android development or our course on full-stack development in Python.