For years, security researchers and cybercriminals have hacked ATMs using every avenue possible to gain access to their innards, from opening a front panel and inserting a USB flash drive into a USB port to drilling a hole that exposes the internal wiring. Today, a researcher has discovered a collection of bugs that allow him to hack ATMs – as well as a wide variety of point-of-sale terminals – in a new way: by hovering his phone over a contactless credit card reader.
Josep Rodriguez, a researcher and consultant for security firm IOActive, has spent the last year unearthing and reporting vulnerabilities in the near-field communication (NFC) reader chips used in millions of ATMs and point-of-sale systems worldwide. NFC systems allow you to wave a credit card over a reader, rather than swiping or inserting it, to make a payment or withdraw money from an ATM. You can find them on countless retail and restaurant counters, vending machines, taxis, and parking meters around the world.
Rodriguez has now created an Android app that allows his smartphone to mimic these credit card radio communications and exploit firmware flaws in NFC systems. With a wave of his phone, he can exploit various bugs to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message. Rodriguez says he can even force at least one brand of ATMs to dispense cash, though that “jackpotting” hack only works in combination with additional bugs he says he found in ATM software. He has declined to specify or publicly disclose these flaws due to nondisclosure agreements with ATM providers.
“You can tweak the firmware and change the price to a dollar, for example, even when the screen says you’re paying $50. You can make the device unusable or install some kind of ransomware. There are a lot of possibilities here,” Rodriguez explains of the point-of-sale attacks he discovered. “If you chain the attack and also send a special payload to an ATM’s computer, you can jackpot the ATM, like a withdrawal, just by tapping your phone.”
Rodriguez says he alerted affected vendors, including ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo and the unnamed ATM provider, to his findings seven months to a year ago. Despite this, he cautions that the large number of affected systems and the fact that many point-of-sale terminals and ATMs do not regularly receive software updates – and in many cases require physical access to update – mean that many of these devices are likely to remain vulnerable. “Physically repairing hundreds of thousands of ATMs is something that would take a long time,” Rodriguez said.
To demonstrate these persistent vulnerabilities, Rodriguez shared a video with WIRED in which he waves a smartphone over the NFC reader of an ATM on the street in Madrid, where he lives, and causes the machine to display an error message. The NFC reader seems to crash and no longer reads his credit card when he then touches it to the machine. (Rodriguez asked WIRED not to post the video for fear of legal liability. Nor did he provide a video demonstration of a jackpot attack because, he said, he could only legally test it on machines obtained as part of IOActive’s security consulting for the relevant ATM vendor, with whom IOActive has signed an NDA.)
The results are “excellent research into the vulnerability of software running on embedded devices,” says Karsten Nohl, founder of security company SRLabs and a well-known hacker, who reviewed Rodriguez’s work. But Nohl points out a few drawbacks that reduce its practicality for real-world thieves. A hacked NFC reader could only steal magnetic-stripe credit card data, not the victim’s PIN or EMV chip data. And the fact that the ATM withdrawal trick would require an additional and distinct vulnerability in the code of a target ATM is no small caveat, Nohl says.
But security researchers like the late IOActive hacker Barnaby Jack and the Red Balloon Security team have been uncovering ATM vulnerabilities like these for years and have even shown that hackers can trigger the ATM jackpot remotely. Red Balloon CEO and Chief Scientist Ang Cui says he’s impressed with Rodriguez’s findings and has little doubt that hacking the NFC reader could lead to cash dispensing at many modern ATMs, though IOActive is withholding some details of its attack. “I think it’s very plausible that once you run code on one of these devices, you can go directly to the main controller, because this thing is full of vulnerabilities that haven’t been patched in over a decade,” Cui said. “From there,” he adds, “you can absolutely control the cassette dispenser” which holds and distributes money to users.
Rodriguez, who has spent years testing ATM security as a consultant, says he began exploring a year ago whether ATM contactless card readers, most commonly sold by the payment technology company ID Tech, could be used as a means of hacking them. He started buying NFC readers and point-of-sale devices on eBay and quickly found that many of them suffered from the same security flaw: they did not validate the size of the data packet sent via NFC from a credit card to the reader, known as an application protocol data unit or APDU.
By using a custom app to send a carefully crafted APDU from his NFC-enabled Android phone that is hundreds of times larger than the reader expects, Rodriguez was able to trigger a “buffer overflow,” a decades-old type of software vulnerability that allows a hacker to corrupt the memory of a target device and execute their own code.
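The missing size check described above, sketched as an added example from the reader firmware's side (this is not code from Rodriguez, IOActive or any vendor). The function name, status codes and the 258-byte capacity, a short ISO 7816-4 response of 256 data bytes plus the two status bytes, are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity: 256 data bytes + SW1/SW2 of a short ISO 7816-4 response. */
#define READER_BUF_SIZE 258

enum apdu_status { APDU_OK = 0, APDU_BAD_ARG = -1, APDU_TOO_SHORT = -2, APDU_TOO_LONG = -3 };

struct apdu_response {
    uint8_t data[READER_BUF_SIZE - 2];
    size_t  data_len;
    uint8_t sw1, sw2;
};

/* rx_len is reported by the radio layer and is controlled by whatever is
 * held to the antenna, so it is validated before a single byte is copied.
 * Omitting the upper-bound test is the class of bug the article describes. */
int apdu_store_response(struct apdu_response *out, const uint8_t *rx, size_t rx_len)
{
    if (out == NULL || rx == NULL) return APDU_BAD_ARG;
    if (rx_len < 2)                return APDU_TOO_SHORT; /* no status word  */
    if (rx_len > READER_BUF_SIZE)  return APDU_TOO_LONG;  /* would overflow  */

    out->data_len = rx_len - 2;
    memcpy(out->data, rx, out->data_len);
    out->sw1 = rx[rx_len - 2];
    out->sw2 = rx[rx_len - 1];
    return APDU_OK;
}

int main(void)
{
    /* Constructed sample frames, not captured traffic. */
    static const uint8_t normal[] = { 0x6F, 0x02, 0x84, 0x00, 0x90, 0x00 };
    static uint8_t oversized[READER_BUF_SIZE * 100];
    struct apdu_response r;

    printf("normal:    %d\n", apdu_store_response(&r, normal, sizeof normal));
    printf("oversized: %d\n", apdu_store_response(&r, oversized, sizeof oversized));
    return 0;
}
```

Rejecting the frame outright, rather than truncating it, keeps the parser from acting on a partial message.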
When WIRED contacted the affected companies, ID Tech, BBPOS, and Nexgo did not respond to requests for comment, and the ATM Industry Association declined to comment. Ingenico responded in a statement that due to its security mitigation measures, Rodriguez’s buffer overflow technique could only crash its devices, not get code executed on them, but that, “considering the inconvenience and the impact on our customers,” it released a fix anyway. (Rodriguez retorts that he doubts Ingenico’s mitigation measures actually prevent code execution, but he hasn’t actually created a proof of concept to demonstrate it.)
Verifone, for its part, said it found and fixed the point-of-sale vulnerabilities Rodriguez highlighted in 2018, long before he reported them. But Rodriguez argues that this only demonstrates the lack of consistent fixes in the company’s devices; he says he tested his NFC techniques on a Verifone device at a restaurant last year and found that it remained vulnerable.
After keeping many of his findings secret for a full year, Rodriguez plans to share technical details of the vulnerabilities in a webinar in the coming weeks, in part to push customers of affected vendors to implement fixes that companies have made available. But he also wishes to draw attention to the catastrophic state of the security of embedded devices more generally. He was shocked to find that vulnerabilities as simple as buffer overflows have persisted in so many commonly used devices, ones that handle cash and sensitive financial information, no less.
“These vulnerabilities have been present in firmware for years, and we use these devices daily to manage our credit cards, our money,” he says. “They have to be secure.”
This story originally appeared on wired.com.