NFC flaws allow researchers to hack into ATMs by waving their phones


Over the years, safety Researchers and cybercriminals use all possible means to invade ATMs, from Open the front panel and insert the thumb drive into the USB port to Drill a hole to expose the internal wiringNow, a researcher has discovered a series of vulnerabilities that allow him to hack ATMs and various point-of-sale terminals in a new way: waving his mobile phone through a contactless credit card reader.

Josep Rodriguez, a researcher and consultant at security company IOActive, has been mining and reporting vulnerabilities in so-called near field communication reader chips used in millions of ATMs and point-of-sale systems around the world last year. The NFC system allows you to wave a credit card (rather than swiping or inserting it) on a card reader to pay or withdraw money from an ATM. You can find them on countless retail store and restaurant counters, vending machines, taxis and parking meters around the world.

Now Rodriguez has developed an Android application that allows his smartphone to imitate credit card radio communications and take advantage of flaws in the NFC system firmware.With a single swipe of his phone, he can use various vulnerabilities to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the device while displaying ransomware messages. Rodriguez Si says he can even force at least one brand’s ATM to dispense cash – despite that “Winning” hackers It can only be used in conjunction with other errors he said he found in the ATM software. Due to the confidentiality agreement with the ATM supplier, he refused to publicly explain or disclose these deficiencies.

“For example, you can modify the firmware and change the price to $1, even if the screen shows that you pay $50. You can make the device useless, or install some kind of ransomware. There are many possibilities here,” Rodriguez is talking about Said when he discovered the point of sale attack. “If you link the attack and send a special payload to the ATM’s computer, you can win a prize on the ATM—just like withdrawing money, just tap your phone.”

Rodriguez said he notified the affected suppliers (including ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and unnamed ATM suppliers) of his findings 7 months to a year ago. Even so, he warned that the sheer number of affected systems and the fact that many point-of-sale terminals and ATMs receive software updates irregularly — and in many cases require physical access to updates — mean that many of these devices may remain vulnerable. “It takes a lot of time to physically repair hundreds of thousands of ATMs,” Rodriguez said.

To demonstrate these lingering vulnerabilities, Rodriguez shared a video with WIRED. In the video, he waved his smartphone on the NFC reader of an ATM on the streets of Madrid where he lived, causing the machine to display an error message. . The NFC card reader seems to have crashed and will no longer read his credit card the next time he touches the machine. (Rodriguez asked WIRED not to publish the video because he was afraid of legal responsibility. He also did not provide a video demonstration of the jackpot attack because, he said, he can only legally test it on a machine obtained as part of IOActive’s security consulting. The affected ATM suppliers, IOActive has signed a confidentiality agreement with them.)

Karsten Nohl, the founder of security company SRLabs and a well-known firmware hacker, said the findings are “an excellent study of software vulnerabilities running on embedded devices,” and he reviewed Rodriguez’s work. But Nohl pointed out some shortcomings, these shortcomings reduce its usefulness for real-world thieves.The hacked NFC card reader can only steal magnetic stripe credit card data, not the victim’s PIN or data from EMV chipNohl said that the fact that ATM redemption techniques require additional, obvious vulnerabilities in the target ATM code is no small warning.

.

Leave a Reply

Your email address will not be published. Required fields are marked *