LAS VEGAS Payment terminals are ubiquitous in modern society, enabling us to pay for anything we want with a credit card. At the Black Hat security conference here, a pair of security researchers demonstrated in front of a live audience that those payment terminals are not as secure as they should be.
In a talk titled Pinpadpwn, security researcher Rafael Dominguez Vega and the legendary hacker known only as Nils, explained that the attack surface for payment terminals has grown as usage has gone up. Nils is perhaps best known as the man that walked into the Pwn2own hacking challenge in 2009 and deftly hacked all three major Web browsers.
In setting the groundwork for their exploitation, Vega noted that payment terminals are essentially small computers, and as is the case with any other machine that takes in data, there are vulnerabilities. The two researchers were able to acquire multiple payment machines from eBay. Vega commented that it’s now easy and cheap to buy payment terminals online as the current economic slowdown has forced a lot of businesses to close and sell their assets.
During their research, Nils said that they found vulnerabilities with all the payment card terminal vendors. That said, Nils stressed that in his presentation, there would be no naming and shaming of the affected vendors. He added that the two researchers also responsibly disclosed the vulnerabilities to vendors, as well.
Among the exploits that Nils was able to demonstrate in front of the lively Black Hat audience, was how he could insert a malicious payment card into a payment card unit and get the system to do what he wanted. In the first demonstration, Nils got the payment card terminal to load his own custom codemuch to the audience’s delightand began to play a simple arcade game. Then to prove he had full control of the device, Nils printed out the game score with the payment terminal printer.
“We have code execution in the context of the payment application,” said Nils, adding that the systems vendor is now working on a fix.
In another demo, Nils put in a malicious payment card with a picture of the Disney Tinkerbell character.
“Tinkerbell will put the pixie dust on the machine for us,” said Nils.
The pixie dust is in fact some malicious code that sits on the payment terminal. An attacker would attempt to use the card, get an invalid card error and then just walk away. What actually happened on the payment card terminal is that Nils’ code is running and collecting all future inputted credit card information.
Nils then pulled out a payment card with a picture of Winnie the Pooh on it.
“Winnie the Pooh is now retrieving the honey from the terminal,” said Nils. “The honey being the money and credit card information.”
With the Tinkerbell and Pooh attack, Nils said he reported the vulnerability to the vendor at the beginning of July and a patch has already been issued. That said, he noted that it will likely take some time before all the affected terminals are updated.
“There is a lot of trust in the use of payment terminals,” said Nils. “While there is a lot of effort put into the physical security of the devices, we would like to see similar effort put into the software security, too.”