Technology

NFC flaw allows researchers to hack into ATMs by waving their phones

[ad_1]

Over the years, safety Researchers and cybercriminals use all possible means to invade ATMs, from Open the front panel and insert the thumb drive into the USB port to Drill a hole to expose the internal wiringNow, a researcher has discovered a series of vulnerabilities that allow him to hack ATMs and various point-of-sale terminals in a new way: waving his mobile phone through a contactless credit card reader.

Josep Rodriguez, a researcher and consultant at security company IOActive, has been mining and reporting vulnerabilities in so-called near field communication reader chips used in millions of ATMs and point-of-sale systems around the world last year. The NFC system allows you to wave a credit card (rather than swiping or inserting it) on a card reader to make a payment or withdraw money from an ATM. You can find them on countless retail store and restaurant counters, vending machines, taxis and parking meters around the world.

Now Rodriguez has developed an Android application that allows his smartphone to imitate credit card radio communication and take advantage of flaws in the firmware of the NFC system.With just a flick of his phone, he can use various vulnerabilities to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the device while displaying ransomware messages. Rodriguez said He can even force at least one brand’s ATM to dispense cash-despite that “Winning” hackers It can only be used in conjunction with other errors he said he found in the ATM software. Due to the confidentiality agreement with the ATM supplier, he refused to publicly explain or disclose these deficiencies.

“For example, you can modify the firmware and change the price to $1, even if the screen shows that you pay $50. You can make the device useless, or install some kind of ransomware. There are many possibilities here,” Rodriguez is talking about Said when he discovered the point of sale attack. “If you link the attack and send a special payload to the ATM’s computer, you can win a prize on the ATM—just like withdrawing money, just tap your phone.

Rodriguez said he notified the affected suppliers (including ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo and unnamed ATM suppliers) of his findings seven months to a year ago. Even so, he warned that the sheer number of affected systems and the fact that many point-of-sale terminals and ATMs receive software updates irregularly — and in many cases require physical access to updates — mean that many of these devices may remain vulnerable. “It takes a lot of time to physically repair hundreds of thousands of ATMs,” Rodriguez said.

As a demonstration of these lingering vulnerabilities, Rodriguez shared a video with WIRED in which he waved his smartphone on the NFC reader of an ATM on the streets of Madrid where he lived, causing the machine to display an error news. The NFC card reader seems to have broken down and will no longer read his credit card the next time he touches the machine. (Rodriguez asked WIRED not to publish the video because he was afraid of legal responsibility. He also did not provide a video demonstration of the jackpot attack because, he said, he can only legally test it on a machine obtained as part of IOActive’s security consulting. Affected ATM suppliers, IOActive has signed a non-disclosure agreement with them.)

Karsten Nohl, the founder of security company SRLabs and a well-known firmware hacker, said the findings are “an excellent study of software vulnerabilities running on embedded devices,” and he reviewed Rodriguez’s work. But Nohl pointed out some shortcomings, these shortcomings reduce its usefulness for real-world thieves.The hacked NFC card reader can only steal magnetic stripe credit card data, not the victim’s PIN or data from EMV chipNohl said that the fact that ATM redemption techniques require additional, obvious vulnerabilities in the target ATM code is no small warning.

[ad_2]

Source link

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button