Josep Rodriguez, a security expert at Spanish company IOActive, has waited a year to reveal a series of vulnerabilities in NFC technology that allow a person to hack ATMs and payment terminals simply by waving a smartphone in front of a contactless card reader. His findings were published by Wired magazine last Thursday, the 24th.
As a proof of concept, the expert created an Android app that lets his smartphone simulate credit card radio communications and exploit vulnerabilities in the firmware of NFC-enabled systems. By simply waving his phone, Rodriguez said, he can exploit the flaws to cause denial of service on POS terminals, hack them, collect and transfer credit card data, change the value of transactions and even lock the device, displaying a ransom notification on its screen.
The researcher said it is even possible to force the ATM of at least one manufacturer to dispense cash, although this method only works in conjunction with exploiting other vulnerabilities he has found in the ATM firmware.
Studying NFC and payment terminals, Rodriguez found that they are all subject to the same vulnerability: the devices do not check the size of the data packet, the application protocol data unit (APDU), sent over NFC from the credit card to the reader.
APDU is a communication format between a card and a terminal. The terminal sends a Command APDU (C-APDU) and the card returns a Response APDU (R-APDU).
Using the application he created, the researcher sent a specially crafted APDU request from the smartphone to the reader and caused a buffer overflow in the ATM.
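The missing size check described above, shown from the defender's side as a bounds-checked R-APDU parser. This is an added example, not code from Rodriguez's research or any vendor's firmware; the function names, the buffer size and the `ne` parameter are assumptions, while the layout (data bytes followed by the status bytes SW1 SW2) is the standard short R-APDU format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RAPDU_DATA_MAX 256u   /* short-form R-APDU carries at most 256 data bytes */
#define RAPDU_SW_LEN   2u     /* trailing status word: SW1 SW2 */

typedef struct {
    uint8_t  data[RAPDU_DATA_MAX];
    size_t   data_len;
    uint16_t sw;              /* (SW1 << 8) | SW2, e.g. 0x9000 = success */
} rapdu_t;

/* Unchecked pattern (for contrast, do not use): trusts the length that
 * arrived over the air, so an oversized frame writes past out->data:
 *     memcpy(out->data, rx, rx_len - 2);
 */

/* Hardened parser. rx/rx_len: frame handed up by the NFC layer (hypothetical
 * interface). ne: maximum data bytes the terminal's C-APDU asked for.
 * Returns 0 on success, -1 if the frame is rejected (out is left untouched). */
int rapdu_parse(const uint8_t *rx, size_t rx_len, size_t ne, rapdu_t *out)
{
    if (rx == NULL || out == NULL)
        return -1;
    if (rx_len < RAPDU_SW_LEN)                 /* too short to hold SW1 SW2 */
        return -1;

    size_t data_len = rx_len - RAPDU_SW_LEN;   /* cannot underflow after the check */
    if (data_len > sizeof out->data)           /* larger than the receive buffer */
        return -1;
    if (data_len > ne)                         /* card sent more than was requested */
        return -1;

    memcpy(out->data, rx, data_len);
    out->data_len = data_len;
    out->sw = (uint16_t)((rx[data_len] << 8) | rx[data_len + 1]);
    return 0;
}

/* Constructed inputs: a 300-byte data field is rejected, a small frame parses. */
int rapdu_selftest(void)
{
    static uint8_t big[300 + RAPDU_SW_LEN];                       /* constructed */
    const uint8_t ok[] = { 0x6F, 0x02, 0x84, 0x00, 0x90, 0x00 };  /* constructed */
    rapdu_t r;
    return rapdu_parse(big, sizeof big, 256, &r) == -1 &&
           rapdu_parse(ok, sizeof ok, 256, &r) == 0 && r.sw == 0x9000;
}

int main(void) { return rapdu_selftest() ? 0 : 1; }
```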
“You can modify the firmware and change the price, for example, by a dollar, even if the screen shows that you are paying fifty dollars. You can make the device useless or install some ransomware. There are many possibilities. If you carry out an attack and send a special charge to the ATM’s computer, you can withdraw it just by touching the smartphone screen,” Rodriguez said in the Wired interview.
Several months ago, the expert reported the issue to the makers of the vulnerable devices, including ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS and Nexgo. Representatives of card terminal maker Ingenico said the vulnerabilities described by Rodriguez could only cause the device to fail, not lead to code execution. However, the company has already released a fix for the problem.
With international news agencies
See the original post at: https://www.cisoadvisor.com.br/falha-em-nfc-permite-hackear-caixas-eletronicos/?rand=59039