Number: IRCNE2014082284
Date: 2014-08-09
According to Computerworld, security researchers demonstrated on Thursday flaws that allow attackers to take over mobile point-of-sale (mPOS) devices from several manufacturers by inserting rogue payment cards into them.
Despite a patch being available since April, some devices remain vulnerable.
Jon Butler, head of research at MWR InfoSecurity, and a colleague who prefers to be known only as Nils investigated six of the most popular mPOS devices on the market that support the EMV (Chip-and-PIN) standard, they said at the Black Hat security conference in Las Vegas.
These devices have a small screen, a smart card reader and a PIN pad. They run a Linux-based OS and communicate over Bluetooth with mobile payment apps installed on smartphones.
The MWR researchers found that despite looking different on the outside, 75 percent of the devices they tested were based on the same underlying platform.
In some devices they found vulnerabilities in the firmware update mechanism that allowed them to execute commands as root. They also found a stack-based buffer overflow in the certified EMV parsing library; because the library is shared, a specially programmed smart card that triggers it gave them complete control of all of the devices that use it.
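The article does not say which field or length check was at fault, so the following is an added illustration of the bug class, not MWR's finding or the library's code. EMV data read from a card is BER-TLV encoded (a READ RECORD response is a tag 70 template containing elements such as 5F20, the cardholder name, which the EMV specification limits to 26 bytes). A parser that bounds-checks the read side against the response buffer but still lets the card-supplied length drive a copy into a fixed-size stack buffer has exactly the stack-based overflow the researchers describe. `tlv_find`, `get_name_unsafe`, `get_name_safe` and `build_rogue_record` are names chosen here, and both records are constructed test vectors rather than data captured from a real card.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TAG_RECORD_TEMPLATE 0x70
#define TAG_CARDHOLDER_NAME 0x5F20
#define NAME_MIN 2    /* EMV Book 3: tag 5F20 carries 2..26 bytes */
#define NAME_MAX 26

/* Read a BER tag (1 to 4 bytes). Returns bytes consumed, 0 on error. */
static size_t tlv_read_tag(const uint8_t *p, size_t n, uint32_t *tag)
{
    if (n == 0) return 0;
    size_t i = 0;
    uint32_t t = p[i++];
    if ((t & 0x1F) == 0x1F) {               /* low 5 bits set: more tag bytes follow */
        do {
            if (i >= n || i >= 4) return 0;
            t = (t << 8) | p[i];
        } while (p[i++] & 0x80);            /* continue while the high bit is set */
    }
    *tag = t;
    return i;
}

/* Read a BER length: short form, or long form 0x81 nn / 0x82 nn nn. Returns bytes consumed. */
static size_t tlv_read_len(const uint8_t *p, size_t n, size_t *len)
{
    if (n == 0) return 0;
    uint8_t b = p[0];
    if (b < 0x80) { *len = b; return 1; }
    if (b == 0x81) { if (n < 2) return 0; *len = p[1]; return 2; }
    if (b == 0x82) { if (n < 3) return 0; *len = ((size_t)p[1] << 8) | p[2]; return 3; }
    return 0;                                /* indefinite / longer forms are not used by EMV */
}

/* Walk a tag-70 record and locate the first element with tag `wanted`.
   The READ side is fully bounds-checked: every length must fit in the buffer. */
static int tlv_find(const uint8_t *rec, size_t n, uint32_t wanted,
                    const uint8_t **val, size_t *vlen)
{
    uint32_t tag; size_t len, k, i = 0;

    k = tlv_read_tag(rec, n, &tag);
    if (k == 0 || tag != TAG_RECORD_TEMPLATE) return -1;
    i += k;
    k = tlv_read_len(rec + i, n - i, &len);
    if (k == 0 || len > n - i - k) return -1;      /* template runs past the response */
    i += k;
    size_t end = i + len;

    while (i < end) {
        k = tlv_read_tag(rec + i, end - i, &tag);
        if (k == 0) return -1;
        i += k;
        k = tlv_read_len(rec + i, end - i, &len);
        if (k == 0 || len > end - i - k) return -1; /* element runs past the template */
        i += k;
        if (tag == wanted) { *val = rec + i; *vlen = len; return 0; }
        i += len;
    }
    return -1;
}

/* BUG PATTERN: the reads above are safe, but the card-supplied length still sizes the
   WRITE into a stack buffer of NAME_MAX + 1 bytes. A 100-byte "name" overruns it. */
static int get_name_unsafe(const uint8_t *rec, size_t n, char *out /* NAME_MAX + 1 */)
{
    const uint8_t *val; size_t vlen;
    if (tlv_find(rec, n, TAG_CARDHOLDER_NAME, &val, &vlen) != 0) return -1;
    memcpy(out, val, vlen);                  /* no check that vlen <= NAME_MAX */
    out[vlen] = '\0';
    return (int)vlen;
}

/* Hardened form: enforce the spec range and the destination capacity; reject, don't truncate. */
static int get_name_safe(const uint8_t *rec, size_t n, char *out, size_t cap)
{
    const uint8_t *val; size_t vlen;
    if (tlv_find(rec, n, TAG_CARDHOLDER_NAME, &val, &vlen) != 0) return -1;
    if (vlen < NAME_MIN || vlen > NAME_MAX || vlen >= cap) return -1;
    memcpy(out, val, vlen);
    out[vlen] = '\0';
    return (int)vlen;
}

/* Constructed benign record (not from a real card): name "DOE/JOHN" plus a dummy PAN. */
static const uint8_t BENIGN_REC[] = {
    0x70, 0x11,
    0x5F, 0x20, 0x08, 'D','O','E','/','J','O','H','N',
    0x5A, 0x04, 0x12, 0x34, 0x56, 0x78
};

/* Constructed rogue record: an oversized name using long-form lengths. Returns record size. */
static size_t build_rogue_record(uint8_t *buf, size_t cap, uint8_t name_len)
{
    size_t inner = 2 + 2 + name_len;         /* 5F 20 | 81 nn | value */
    if (inner > 0xFF || cap < 3 + inner) return 0;
    buf[0] = 0x70; buf[1] = 0x81; buf[2] = (uint8_t)inner;
    buf[3] = 0x5F; buf[4] = 0x20; buf[5] = 0x81; buf[6] = name_len;
    memset(buf + 7, 'A', name_len);
    return 3 + inner;
}

int main(void)
{
    char name[NAME_MAX + 1];
    uint8_t rogue[300];
    size_t rn = build_rogue_record(rogue, sizeof rogue, 100);

    printf("unsafe, benign: %d %s\n", get_name_unsafe(BENIGN_REC, sizeof BENIGN_REC, name), name);
    printf("safe,   benign: %d %s\n", get_name_safe(BENIGN_REC, sizeof BENIGN_REC, name, sizeof name), name);
    printf("safe,   rogue : %d (rejected)\n", get_name_safe(rogue, rn, name, sizeof name));
    /* get_name_unsafe(rogue, rn, name) would write 100 bytes into the 27-byte stack buffer
       above: undefined behaviour, and with a crafted value a control-flow hijack. */
    return 0;
}
```

The point to take from the pair is that checking lengths against the incoming APDU buffer is not enough; every copy into a fixed-size destination needs its own check against that destination, and an out-of-range value should be rejected rather than silently truncated, since a device that accepts malformed records from a card is still accepting attacker input.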
To demonstrate that they can gain complete control over the screen and input pad of such a device, the researchers used a rogue card to install and run a game similar to Flappy Bird on one of them.
In a practical attack scenario, a fraudster could walk into a store that uses such devices, pretend to buy something, insert the rogue card into a device and compromise it with code that captures the card details and PINs of customers who use it afterwards, the researchers said.
Despite most of the affected devices having remote firmware update capabilities, some vendors have not yet released updates containing the patched EMV library.
The researchers have not yet fully investigated all attack vectors, but they believe it could also be possible to compromise mPOS devices from a smart phone infected with malware.
Despite the issues found, Butler thinks that mobile POS devices like the ones his team tested have the potential to be more secure than traditional POS devices.