NFC vulnerabilities allow ATM to be hacked by simply waving your smartphone

A security researcher has discovered a number of bugs that allow ATMs and a wide range of point-of-sale terminals to be hacked in a new way: by waving a phone over a contactless bank card reader. To mark the start of the Ethical Hacker course, we are sharing a translation of an article about the opportunities that open up when the discovered vulnerabilities are exploited, what the author did to discover them, and how ATM manufacturers responded.

Josep Rodriguez, a researcher and security consultant at security firm IOActive, has spent the last year searching for vulnerabilities in the so-called near-field communications (NFC) chips running in millions of ATMs and point-of-sale terminals around the world. With NFC, you don’t need to insert a card to make a payment or withdraw money from an ATM; you just hold it over the reader. The technology powers countless retail stores and restaurants, vending machines, parking meters and taxis around the world.

Rodriguez wrote an application for Android that allows a smartphone to imitate the radio communication of bank cards and exploit flaws in the firmware of NFC systems. With one swipe of a smartphone, it can disable sales terminals, hack them to collect and transmit bank card data, quietly change the cost of transactions, and even block the device by displaying a ransomware message.

Rodriguez claims he can even force ATMs of at least one brand to dispense cash, although such jackpotting only works in conjunction with other bugs he says he has found in ATM software. Due to non-disclosure agreements with ATM vendors, Rodriguez declined to clarify or disclose these errors.

“You can modify the firmware and change the price, for example, by one dollar while the screen shows a different price, disable the device, or install some kind of ransomware - there are many options,” Rodriguez says of the vulnerabilities he discovered.

“By building a chain of attacks and also sending a special payload to the ATM computer, you can withdraw money from the ATM, like a jackpot, simply by swiping your phone over the NFC reader.”

The researcher says that from June to December 2020, he alerted affected vendors about his findings, including ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and an unnamed ATM vendor.

However, the researcher also warns that a huge number of systems are affected, and that many terminals and ATMs are not updated regularly, in many cases requiring physical access to update. This means that many devices will likely remain vulnerable. “Physically fixing so many hundreds of thousands of ATMs will take a long time,” Rodriguez says.

As a demonstration of these vulnerabilities, Rodriguez shared a video with WIRED where he swipes his smartphone over the NFC reader of an ATM on his street, causing the ATM to display an error message. The reader malfunctions and no longer reads his card when the researcher touches it to the ATM.

He did not provide a video demonstration of the jackpotting attack, however, because he said he could only legally test devices obtained as part of IOActive's security consultations for the affected ATM vendor, with whom IOActive had signed a non-disclosure agreement.

“The findings are an excellent study of the vulnerabilities of software running on embedded devices,” says Carsten Nohl, founder of security firm SRLabs and a renowned firmware hacker who analyzed Rodriguez's work.

However, Nohl points out several shortcomings that make the method impractical in real-life thefts. A hacked NFC reader can only steal magnetic stripe card data, not the victim's PIN or data from EMV chips. And the fact that the ATM cash-out trick would require an additional vulnerability in the specific ATM's code is an important caveat, Nohl argues.

However, security researchers such as the late IOActive hacker Barnaby Jack and the team at Red Balloon Security have been exposing ATM vulnerabilities for years and have even shown that hackers can remotely trigger ATM jackpotting. Red Balloon CEO and chief scientist Ang Cui says he is impressed by Rodriguez's findings and, although IOActive has kept some details of its attack private, has no doubt that hacking the NFC reader could lead to cash dispensing at many modern ATMs.

“I think it's very plausible that once you get code execution on any of these devices, you can get to the main controller: it's full of vulnerabilities that remain in the system for over a decade,” says Cui. “From there,” he adds, “it is absolutely possible to control the cassette dispenser that stores and dispenses cash to users.”

Rodriguez, who has spent years testing ATM security as a consultant, says he began researching a year ago whether contactless ATM card readers, most commonly sold by payment technology company ID Tech, could be used as a means of hacking. He started buying NFC readers and point-of-sale terminals on eBay and soon discovered that many of them suffered from the same security flaw: they did not check the size of the data packet sent via NFC from the bank card to the reader. This packet is called the application protocol data unit, or APDU.

Rodriguez wrote Android apps that use NFC to send APDUs hundreds of times larger than normal and cause a buffer overflow. Buffer overflow vulnerabilities have been known for decades; they allow an attacker to corrupt the target device's memory and run their own code.
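The flaw described above is a missing length check: the reader trusts the length field (Lc) of an incoming command APDU and copies that many bytes into a fixed buffer. The following C parser is an added example written for this repost; it is not Rodriguez's code and not the firmware of any vendor named in the article. It parses a short-form ISO 7816-4 command APDU and rejects frames whose declared Lc does not match the bytes actually received or exceeds the receive buffer, which is the check the affected readers were reported to lack. The 64-byte buffer size, the proprietary-range AID and all sample frames are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of a reader's fixed receive buffer for the APDU data field. */
#define APDU_DATA_MAX 64

typedef struct {
    uint8_t cla, ins, p1, p2;   /* 4-byte command header */
    uint8_t lc;                 /* validated length of the data field */
    uint8_t data[APDU_DATA_MAX];
    int     has_le;             /* 1 if an expected-response-length byte was present */
    uint8_t le;
} apdu_t;

typedef enum {
    APDU_OK = 0,
    APDU_ERR_TOO_SHORT,     /* fewer than the 4 mandatory header bytes */
    APDU_ERR_LC_MISMATCH,   /* declared Lc inconsistent with the frame length */
    APDU_ERR_LC_TOO_LARGE   /* declared Lc exceeds our buffer: the missing check */
} apdu_status_t;

/* Parse a short-form command APDU (cases 1 to 4). Lc is attacker-controlled,
   so it is bounded against both the received frame and the buffer size
   before any byte is copied. Extended-length APDUs (Lc byte 0x00) are rejected. */
apdu_status_t apdu_parse(const uint8_t *frame, size_t frame_len, apdu_t *out)
{
    memset(out, 0, sizeof *out);
    if (frame_len < 4) return APDU_ERR_TOO_SHORT;
    out->cla = frame[0]; out->ins = frame[1];
    out->p1  = frame[2]; out->p2  = frame[3];
    if (frame_len == 4) return APDU_OK;                 /* case 1: header only */
    if (frame_len == 5) {                               /* case 2: header + Le */
        out->has_le = 1; out->le = frame[4];
        return APDU_OK;
    }
    size_t lc = frame[4];
    size_t remaining = frame_len - 5;                   /* bytes after the Lc byte */
    if (lc == 0) return APDU_ERR_LC_MISMATCH;           /* extended form, unsupported */
    if (remaining != lc && remaining != lc + 1)         /* case 3 or case 4 only */
        return APDU_ERR_LC_MISMATCH;
    if (lc > APDU_DATA_MAX) return APDU_ERR_LC_TOO_LARGE;
    out->lc = (uint8_t)lc;
    memcpy(out->data, frame + 5, lc);                   /* safe: lc <= APDU_DATA_MAX */
    if (remaining == lc + 1) { out->has_le = 1; out->le = frame[5 + lc]; }
    return APDU_OK;
}

/* Constructed sample: SELECT by AID with a proprietary-range AID (not a real scheme AID). */
static const uint8_t SAMPLE_SELECT[] = {
    0x00, 0xA4, 0x04, 0x00, 0x07,
    0xF0, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
    0x00 };

apdu_status_t check_sample_select(void)
{
    apdu_t a;
    return apdu_parse(SAMPLE_SELECT, sizeof SAMPLE_SELECT, &a);
}

int sample_select_lc(void)
{
    apdu_t a;
    if (apdu_parse(SAMPLE_SELECT, sizeof SAMPLE_SELECT, &a) != APDU_OK) return -1;
    return a.lc;
}

/* Constructed sample: Lc=0xFF with 255 data bytes, larger than the receive buffer. */
apdu_status_t check_sample_oversized(void)
{
    uint8_t frame[5 + 255];
    apdu_t a;
    frame[0] = 0x00; frame[1] = 0xA4; frame[2] = 0x04; frame[3] = 0x00; frame[4] = 0xFF;
    memset(frame + 5, 0x41, 255);
    return apdu_parse(frame, sizeof frame, &a);
}

/* Constructed sample: Lc=0x10 but only 3 data bytes actually arrived. */
apdu_status_t check_sample_truncated(void)
{
    static const uint8_t frame[] = { 0x00, 0xA4, 0x04, 0x00, 0x10, 0xAA, 0xBB, 0xCC };
    apdu_t a;
    return apdu_parse(frame, sizeof frame, &a);
}

int main(void)
{
    printf("select:    %d (0 = OK), lc=%d\n", check_sample_select(), sample_select_lc());
    printf("oversized: %d (3 = LC_TOO_LARGE)\n", check_sample_oversized());
    printf("truncated: %d (2 = LC_MISMATCH)\n", check_sample_truncated());
    return 0;
}
```

The order of the checks is deliberate: the frame-length consistency check runs first so that a short frame can never cause reads past the end of the received data, and the buffer-size check runs before the copy so that a well-formed but oversized command is rejected rather than overflowing `data`. Both checks are cheap enough for a reader's firmware main loop.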

When WIRED contacted the affected companies, ID Tech, BBPOS and Nexgo did not respond to requests for comment, and the ATM Industry Association also declined to comment. Ingenico said in a statement that due to its security measures, Rodriguez's buffer overflow method could only disable its devices, but would not allow code to be executed on them. However, “given the inconvenience and impact on our customers,” the company released a fix anyway.

Rodriguez doubts that Ingenico's measures will actually prevent code execution, but he has not written a proof of concept to demonstrate.

Verifone, in turn, said it had found and fixed the terminal vulnerabilities that Rodriguez drew attention to in 2018, long before he reported them. But Rodriguez argues that this only demonstrates the inconsistent patching in the company's devices; he says he tested his NFC hacking techniques on a Verifone device at a restaurant last year and found it was still vulnerable.

While many of the researcher's findings have been kept under wraps for a year, Rodriguez plans to share technical details of the vulnerabilities in a webinar in the coming weeks, in part to encourage customers of the affected vendors to implement the released patches.

Additionally, Rodriguez wants to draw attention to the dismal state of embedded device security in general. He was shocked to discover that vulnerabilities as simple as buffer overflows persisted in many commonly used devices - those that handle cash and sensitive financial information.

“For many years, these vulnerabilities have been present in the firmware of devices that we encounter every day when working with bank cards, with our money,” he says. “They must be protected.”

From this material it becomes clear that even systems that seem the most reliable to an uninitiated person can fail due to shortcomings that have been known for decades.