Payment terminals allow for remote PIN capture and card cloning

Plastic cards are an increasingly popular means of payment all over the world. Payment credentials come in different flavors ranging from credit cards of globally operating brands (Visa, Mastercard, AmEx), to national payment schemes (i.e., German EC cards) and store-issued gift cards. The underlying technologies range from magnetic stripes, to microprocessors (EMV, Chip&PIN) and virtual cards stored as software on smartphones (PayPass, payWave).

All card flavors and technologies have in common that they regularly interact with point-of-sale payment terminals, today’s Achilles Heel of cash-less payment.

Hacking Payment Terminals

An analysis of the most widely deployed payment terminal in Germany found serious weaknesses.

A. Remote exploitation

The device’s network stack contains buffer overflows that can be used to execute code at system level.

B. Local compromise

There are at least two interfaces over which the device can be exploited locally:

1. Serial. Some versions of the terminal software are vulnerable to a buffer overflow that gains code execution through the readily accessible serial interface.

2. JTAG. The JTAG interface of the application processor is accessible without opening the device. It allows full debugging control over the device.

These attacks target the terminal’s application processor. The security of the cryptographic module (HSM) has not yet been investigated as far as key extraction attacks are concerned. However, a design or implementation shortcoming in the HSM enables control over display and PIN pad from the application processor.

Abuse scenarios

Once exploited, the terminal under the control of an adversary can be used for fraud:

•Card cloning. Collect credit/EC card data and PIN numbers

•Alter transactions. Change transaction – including EMV transactions – in type (debit vs. credit), value, or other fields

•Fake transactions. Spoof transactions towards the payment back-end or the cash register (i.e., falsely signal a successful transaction)

Defenses

Software vulnerabilities demand software patches. Fortunately, the payment terminals are patchable, often remotely by their connected payment back-ends. This post will be updated with information on which software versions mitigate the software attacks described herein.

Hardware-level vulnerabilities are harder to mitigate. The device’s application processor, for instance, does not provide configuration settings for JTAG to be switched off. Deployed devices will likely stay vulnerable to local attacks, potentially undermining trust in cash-less payment considerably for a long time. Unfortunately, the world-wide payment infrastructure’s planned updates to EMV do not protect from compromised terminals adding one more bit of concern about the EMV standard that others have criticized for its protocol imperfections (PDF, PDF).

Questions? – eft [you know what to put here] srlabs.de