NFC Flaws Let Researchers Hack an ATM By Waving a Phone (arstechnica.com) 19
An anonymous reader quotes a report from Ars Technica: For years, security researchers and cybercriminals have hacked ATMs by using all possible avenues to their innards, from opening a front panel and sticking a thumb drive into a USB port to drilling a hole that exposes internal wiring. Now, one researcher has found a collection of bugs that allow him to hack ATMs -- along with a wide variety of point-of-sale terminals -- in a new way: with a wave of his phone over a contactless credit card reader. Josep Rodriguez, a researcher and consultant at security firm IOActive, has spent the last year digging up and reporting vulnerabilities in the so-called near-field communications reader chips used in millions of ATMs and point-of-sale systems worldwide. NFC systems are what let you wave a credit card over a reader -- rather than swipe or insert it -- to make a payment or extract money from a cash machine. You can find them on countless retail store and restaurant counters, vending machines, taxis, and parking meters around the globe.
Now Rodriguez has built an Android app that allows his smartphone to mimic those credit card radio communications and exploit flaws in the NFC systems' firmware. With a wave of his phone, he can exploit a variety of bugs to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message. Rodriguez says he can even force at least one brand of ATMs to dispense cash -- though that "jackpotting" hack only works in combination with additional bugs he says he has found in the ATMs' software. He declined to specify or disclose those flaws publicly due to nondisclosure agreements with the ATM vendors. "You can modify the firmware and change the price to one dollar, for instance, even when the screen shows that you're paying 50 dollars. You can make the device useless, or install a kind of ransomware. There are a lot of possibilities here," says Rodriguez of the point-of-sale attacks he discovered. "If you chain the attack and also send a special payload to an ATM's computer, you can jackpot the ATM -- like cash out, just by tapping your phone."
Rodriguez says he alerted the affected vendors -- which include ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and the unnamed ATM vendor -- to his findings between seven months and a year ago. Even so, he warns that the sheer number of affected systems and the fact that many point-of-sale terminals and ATMs don't regularly receive software updates -- and in many cases require physical access to update -- mean that many of those devices likely remain vulnerable. "Patching so many hundreds of thousands of ATMs physically, it's something that would require a lot of time," Rodriguez says.
Now Rodriguez has built an Android app that allows his smartphone to mimic those credit card radio communications and exploit flaws in the NFC systems' firmware. With a wave of his phone, he can exploit a variety of bugs to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message. Rodriguez says he can even force at least one brand of ATMs to dispense cash -- though that "jackpotting" hack only works in combination with additional bugs he says he has found in the ATMs' software. He declined to specify or disclose those flaws publicly due to nondisclosure agreements with the ATM vendors. "You can modify the firmware and change the price to one dollar, for instance, even when the screen shows that you're paying 50 dollars. You can make the device useless, or install a kind of ransomware. There are a lot of possibilities here," says Rodriguez of the point-of-sale attacks he discovered. "If you chain the attack and also send a special payload to an ATM's computer, you can jackpot the ATM -- like cash out, just by tapping your phone."
Rodriguez says he alerted the affected vendors -- which include ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and the unnamed ATM vendor -- to his findings between seven months and a year ago. Even so, he warns that the sheer number of affected systems and the fact that many point-of-sale terminals and ATMs don't regularly receive software updates -- and in many cases require physical access to update -- mean that many of those devices likely remain vulnerable. "Patching so many hundreds of thousands of ATMs physically, it's something that would require a lot of time," Rodriguez says.
"Patching so many hundreds of thousands (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3)
Most payment devices, rather than try to even attempt security of software updates simply mandate that the update be done manually. After all, software updates can be hard - first, an ATM might not actually be on an always-on connection. Machines in more rural areas that get little use may simply employ dialup - they dial in when the user presents a card, hangup when it's done and such.
So thos
My how the tables have turned. (Score:4, Funny)
"...or install a kind of ransomware."
After watching banks get obscenely rich off ATM fees and banking transaction charges, along with that whole banking crisis in 2008, I can't be the only one here who finds this absolutely fucking hilarious.
Holding up a bank ATM, with ransomware. Damn that's rich.
Re: (Score:3)
Not sure about hilarious, kind of concerning that so many ATM vendors attached these (essentially) user input devices that you could potentially transmit anything to, and failed to vet them properly.
Re: (Score:3)
Not sure about hilarious, kind of concerning that so many ATM vendors attached these (essentially) user input devices that you could potentially transmit anything to, and failed to vet them properly.
"The “Voting Village” at DEFCON in July 2017 was not intended to be something to entertain hackers. It was intended to make clear how vulnerable we are. The report describes clearly why we must act with a sense of urgency to secure our voting systems." - Former US Ambassador to NATO
Note the year in the statement above, and realize they weren't talking about the 2020 election. Not that it mattered; we haven't done jack shit to secure that part of our democracy in the last fou
Re: (Score:2)
Another butthurt Trummper. Your tears are delicious.
There's a legal limit on the amount of manure allowed in a confined space for health reasons, so please stop talking. I could give a flying fuck about Trump the not-relevant-ex-President, and there's nothing more to say about Joe Dementia or his laughing hyena sidekick other than remember who voted for this shit. You'll be drowning in your own tears soon enough.
Re: (Score:2)
2017? Hell, a letter was sent signed by over 100 of the leading computer researchers in the country to the leadership of both parties and the FEC in the mid-1990s laying out the risks of computerizing the vote and strongly recommending against it. Not only did both parties ignore it but they accelerated the adoption of computerized voting with tons of funding, and after the fiasco of the 2004 vote adopted a window-dressing "certification" process that they knew from the beginning was worse than useless.
POS systems = juicy targets (Score:2)
The millions of little stores and businesses who don't update squat will be easy targets.
Re: (Score:2)
not really for POS system, would have to do that to device as clerk watches.
on the other hand, the ATM's aren't owned by store, big banking corporations will have to take the hit and no one really cares what a person is doing to ATM with their phone, might look like latest way to access to passer-by.
IT"S NOT THE WAVE, child. (Score:3, Insightful)
Saying you do something with a wave of his hand is like saying a soldier kills with a jerk of his finger.
NO. The hand waving does nothing, nor does the finger. It is the very complex machine that was designed to do the job that actually does the job.
How you activate that machine is irrelevant and only a child thinks it is the act of waving the hand or pulling your finger that does the work. Anyone could, if they choose, change the activation method with minimal work. I could add a voice activation to the phone and no hand wave needed. Same with a trigger.
Surprised to see Verifone on the list (Score:5, Interesting)
Go low tech ... (Score:3)
For years, security researchers and cybercriminals have hacked ATMs by using all possible avenues to their innards, from opening a front panel and sticking a thumb drive into a USB port to drilling a hole that exposes internal wiring.
Or simply use a truck and chain Thieves rip door off ATM using stolen truck [okcfox.com] -- I imagine there are other similar examples ..
Two masked suspects used a stolen Ford F350 to rip off the door of an ATM and steal the contents inside at a Stride Bank in Enid. According to Enid Police, officers responded to the bank around 3:00 a.m. Sunday, May 16th [2021] for an ATM alarm.
When they arrived the front door of the ATM was ripped off and laying in the parking lot. Surveillance video showed the suspects pull up beside the ATM, hook a chain to the door, and rip the door off.
Easy, peasy ...
Re: (Score:2)
The thieves weren't thinking ahead. They should have waited til a lookout or cell phone saw police pulling up to the broken ATM, then repeated their crime at another ATM a couple of miles away.
Repeat as circumstances allow.
Profit!
all good backdoors are masked as "oopsies" (Score:3)
"...app that allows his smartphone to mimic those credit card radio communications and exploit flaws in the NFC systems' firmware. "
Have you ever wondered why banks control their cash transactions so thoroughly and when it comes to your safety, all you've got for all these years was a stupid magnetic strip on plastic card ? Even chips that are used nowadays are mostly a joke.
Not to mention underlying system, which is designed to essentially spy on you.
Re: (Score:2)
Is he trying to say that NFC from a phone can be used in place of NFC from a card, then he can use his library of hacks for ATMs...
Seems like a insider is having trouble claiming his bonus... not an exploit in the wild.