
NFC bugs allow researchers to hack ATMs by waving their phone


For years, security researchers and cybercriminals have hacked ATMs using every possible route to their insides, from opening the front panel and inserting a small drive into a USB port to making a hole that exposes the internal cables. Now a researcher has found a collection of bugs that allow ATMs, along with many kinds of point-of-sale terminals, to be hacked in a new way: with the wave of a phone over a contactless card reader.

Josep Rodriguez, a researcher and consultant at the security company IOActive, has spent the past year uncovering and reporting vulnerabilities in the near-field communication (NFC) readers used in ATMs and point-of-sale systems around the world. NFC systems are what allow you to wave a credit card over a reader, instead of swiping or inserting it, to make a payment or withdraw money from an ATM. You can find them in retail stores and restaurants around the world, as well as in vending machines, taxis and parking meters.

Now Rodriguez has built an Android app that allows his phone to mimic those credit card radio communications and exploit flaws in the NFC systems' firmware. With a wave of the phone, he can take advantage of a variety of bugs to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message. Rodriguez says he can force at least one brand of ATMs to dispense money, though that "jackpotting" hack only works in combination with additional defects found in the ATM software. He refused to publicly identify or disclose these defects due to disagreements with ATM vendors.

“You can change the firmware and change the price to a dollar, for example, even when the screen shows that it pays $50. You can make the device useless or install some sort of ransomware. There are a lot of options here,” says Rodriguez of the point-of-sale attacks he found. “If you chain the attack and send a special charge to the ATM computer, you can charge the ATM, such as withdrawing money, just by tapping the phone.”

Rodriguez says he reported his findings to the affected vendors (ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo and an unnamed ATM seller) between 7 months and a year ago. However, he cautioned that the sheer number of affected systems, and the fact that many point-of-sale terminals and ATMs do not receive regular software updates and in many cases require physical access to update, mean many of these devices are likely to remain vulnerable. “Connecting so many hundreds of thousands of ATMs physically is something that would take a lot of time,” Rodriguez says.

To demonstrate these persistent vulnerabilities, Rodriguez shared a video with WIRED in which he waves a phone over the NFC reader of an ATM on the street in Madrid, where he lives, causing the machine to display an error message. The NFC reader seems to fail, and no longer reads his credit card the next time he touches it to the machine. (Rodriguez asked WIRED not to publish the video for fear of legal liability. He also did not provide video evidence of a jackpotting attack.)

The findings are “an excellent investigation into the vulnerability of software running on embedded devices,” says Karsten Nohl, founder of security firm SRLabs and well-known firmware hacker, who reviewed Rodriguez’s work. But Nohl pointed out some drawbacks that reduce the attacks' practicality for real-world thieves. A hacked NFC reader could only steal magnetic-stripe credit card data, not the victim’s PIN or EMV chip data. And the ATM jackpotting trick would require an additional, distinct vulnerability in the ATM code, which is no small caveat, Nohl says.
