Security researchers and cyberattackers have hacked ATMs using all kinds of methods, from sticking a thumb drive into a USB port to drilling a hole to reach internal wiring. Recently, a researcher discovered a collection of bugs that let him hack ATMs and even point-of-sale terminals in a novel way: with nothing more than a wave of his phone over a contactless credit card reader.
Josep Rodriguez, a researcher and consultant at the security firm IOActive, spent 2020 finding and reporting vulnerabilities in the near-field communication (NFC) reader chips used in ATMs and point-of-sale systems globally. NFC systems allow a wave of a credit card over a reader to make a payment or withdraw money from a cash machine. They can be found in retail stores, at restaurant counters, and in vending machines and parking meters.
Rodriguez created a smartphone app that lets his phone imitate those credit card radio communications and take advantage of flaws in the firmware of the NFC readers. With a wave of his phone, he can exploit multiple bugs to crash point-of-sale devices, hack them to collect or transmit credit card data, invisibly change the value of transactions, or even lock the devices. According to Rodriguez, he can also force one brand of ATM to dispense cash, though this ‘jackpotting’ hack only works in combination with additional bugs in the ATM’s software. He did not, however, describe those flaws publicly, because of his nondisclosure agreements with the ATM vendor.
‘You can modify the firmware and change the price to one dollar, for instance, even when the screen shows that you’re paying 50 dollars. You can make the device useless, or install a kind of ransomware. There are a lot of possibilities here’, Rodriguez says about the point-of-sale attacks he found. ‘If you chain the attack and also send a special payload to an ATM’s computer, you can jackpot the ATM— like cash out, just by tapping your phone.’
According to Rodriguez, he informed the affected vendors (among them ID Tech, Ingenico, Verifone, Crane Payment Innovations and the undisclosed ATM vendor) of his findings between seven months and a year ago. He cautioned that the large number of affected systems, and the fact that most point-of-sale terminals and ATMs do not receive regular software updates, means that many devices will remain vulnerable. ‘Patching so many hundreds of thousands of ATMs physically, it’s something that would require a lot of time,’ he says.
To illustrate some of the lingering vulnerabilities, Rodriguez shared a video in which he waves a smartphone over an ATM’s NFC reader on a street in Madrid and causes the machine to show an error message. The NFC reader appeared to crash and could no longer read his credit card when he inserted it into the machine.
The findings are ‘excellent research into the vulnerability of software running on embedded devices,’ says Karsten Nohl, a well-known firmware hacker and founder of the security firm SRLabs. Nohl, however, offers a reality check on its practicality for real-world thieves: a hacked NFC reader would only be able to steal mag-stripe credit card details, not the PIN or data from EMV chips, and the ATM cashout hack also requires an extra, distinct vulnerability in a target ATM’s code, which is no small feat.
Still, security researchers such as the late IOActive hacker Barnaby Jack and the Red Balloon Security team have been discovering ATM vulnerabilities for years and have even shown that hackers can remotely trigger ATM jackpotting. Red Balloon CEO and chief scientist Ang Cui says he was impressed by Rodriguez’s findings and has little doubt that hacking an NFC reader could make most modern ATMs dispense cash. ‘I think it’s very plausible that once you have execution on any of these devices, you should be able to get right to the main controller, because that thing is full of vulnerabilities that haven’t been fixed for over a decade,’ Cui says. ‘From there, you can absolutely control the cassette dispenser’ that releases cash to users.
Rodriguez spent years testing ATM security as a consultant. He says he began investigating years ago whether ATMs’ contactless card readers could serve as a route into the machines. He bought NFC readers and point-of-sale devices from eBay and discovered that most of them shared the same security flaw: none validated the size of the data packet, known as an Application Protocol Data Unit (APDU), sent over NFC from a credit card to the reader.
Using a custom app to send a carefully crafted APDU from his NFC-enabled phone that is larger than the reader expects, Rodriguez triggered a ‘buffer overflow’, an old class of software vulnerability that lets an attacker corrupt a device’s memory and run their own code.
Ingenico said in a statement that, as a result of its security mitigations, Rodriguez could only crash its devices and not gain code execution on them, but that, ‘considering the inconvenience and the impact for our customers’, it immediately issued an update to fix the issue.
Verifone, for its part, said it had found and fixed the point-of-sale vulnerabilities Rodriguez described back in 2018. Rodriguez argues that this only shows how inadequately the company’s devices are patched: he tested his NFC techniques on a Verifone device last year and the vulnerability was still present.
After withholding his findings, Rodriguez plans to share the full details of the vulnerabilities in an upcoming webinar, in part to push customers of the affected vendors to apply the patches the companies have made available. He also wants to draw attention to the poor state of embedded device security more broadly: he was dismayed to find that vulnerabilities as simple as buffer overflows were still present in widely used devices that handle sensitive information.
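The flaw described in the two paragraphs above, as an added illustration in C that is not Rodriguez's app or any vendor's firmware: a reader-side APDU handler that trusts the length byte sent by the card, beside a hardened version that bounds-checks it before copying. The framing (one length byte followed by the payload) and the 64-byte reader buffer are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration, not any vendor's firmware: a reader-side
 * handler for a card response framed as <len byte><len bytes of payload>.
 * The buffer size and framing are assumptions made for this example. */

#define APDU_BUF_SIZE 64

struct apdu_ctx {
    uint8_t payload[APDU_BUF_SIZE];
    uint8_t payload_len;
};

enum apdu_status { APDU_OK = 0, APDU_ERR_TRUNCATED = -1, APDU_ERR_TOO_LONG = -2 };

/* The pattern the article describes: the length claimed by the card is
 * trusted, so a claim above APDU_BUF_SIZE makes memcpy write past
 * 'payload' into whatever follows it in memory (a buffer overflow). */
void parse_apdu_unchecked(struct apdu_ctx *ctx,
                          const uint8_t *frame, size_t frame_len)
{
    (void)frame_len;                  /* never consulted: that is the bug */
    ctx->payload_len = frame[0];
    memcpy(ctx->payload, frame + 1, ctx->payload_len);
}

/* Hardened form: the claimed length is checked against both the bytes
 * actually received and the capacity of the destination buffer before
 * any copy happens; an oversized APDU is rejected, not processed. */
enum apdu_status parse_apdu_checked(struct apdu_ctx *ctx,
                                    const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 1 || (size_t)frame[0] > frame_len - 1)
        return APDU_ERR_TRUNCATED;    /* claim exceeds what was received */
    if (frame[0] > APDU_BUF_SIZE)
        return APDU_ERR_TOO_LONG;     /* claim exceeds the reader's buffer */
    ctx->payload_len = frame[0];
    memcpy(ctx->payload, frame + 1, ctx->payload_len);
    return APDU_OK;
}

/* Test helper: build a constructed frame whose length byte claims
 * 'claimed' bytes while only 'actual' payload bytes follow it, then
 * run it through the hardened parser and report its verdict. */
int parse_claimed_length(uint8_t claimed, size_t actual)
{
    uint8_t frame[256] = {0};
    struct apdu_ctx ctx;
    frame[0] = claimed;
    memset(frame + 1, 0xA5, actual);  /* constructed filler payload */
    return parse_apdu_checked(&ctx, frame, 1 + actual);
}
```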
‘These vulnerabilities have been present in firmware for years and we’re using these devices daily to handle our credit cards, our money. They need to be secured’, he says.
By Marvellous Iwendi.