Jon Butler, head of research at MWR InfoSecurity, and a researcher named Nils studied six of the most popular mobile point-of-sale (mPoS) devices that accept chip-and-PIN cards and found several vulnerabilities, according to their presentation at the annual Black Hat security conference on Thursday. A patch has been available since April but hasn't been widely applied, leaving many devices vulnerable.
They uncovered vulnerabilities in the devices' firmware update process. The researchers were able to look at the USB interface and gain access to the device's command line to execute commands. A stack-based buffer overflow bug in the EMV parsing library also allowed the devices to be fully compromised and brought under the attacker's control. The researchers found hints that mPoS devices could also be compromised via a smartphone infected with malware.
These vulnerabilities would not allow attackers to clone the chip on EMV cards. However, attackers can take the available information and the captured PIN to create a cloned card that could be used where EMV is not as widely deployed, such as the United States.
The researchers successfully used a maliciously crafted EMV (chip-and-PIN) card to install and run a Flappy Bird-like game on the device. A real-world version of this attack would likely involve the attacker using a rogue card to modify the mPoS device to stealthily copy the card details and PINs of every payment card it processes. The attacker could later return with another card to extract the harvested information.
Chip cards should not be considered trusted, Butler said. Not every card has been freshly issued by a bank, he warned.
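To illustrate what treating card data as untrusted means for parsing code, here is an added example (not the vendor's EMV library or the researchers' code, and not a reproduction of the bug they reported). EMV data objects are BER-TLV encoded, so the length of every field is supplied by the card. The names `tlv_t`, `tlv_next` and `tlv_copy`, the two-byte cap on long-form lengths and the sample bytes are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded BER-TLV element; value points into the caller's input buffer. */
typedef struct { uint32_t tag; size_t len; const uint8_t *value; } tlv_t;

/* Decode the element at buf[0..n). Returns bytes consumed, or 0 when the
 * card-supplied encoding is malformed or claims more data than was read. */
size_t tlv_next(const uint8_t *buf, size_t n, tlv_t *out)
{
    size_t i = 0, len = 0;
    if (n < 2) return 0;
    uint32_t tag = buf[i++];
    if ((tag & 0x1F) == 0x1F) {              /* tag continues in later bytes */
        do {
            if (i >= n || tag > 0xFFFFFF) return 0;
            tag = (tag << 8) | buf[i++];
        } while (buf[i - 1] & 0x80);
    }
    if (i >= n) return 0;
    size_t cnt = buf[i] & 0x7F;
    if (buf[i++] < 0x80) {
        len = cnt;                           /* short form: length is 0..127 */
    } else {                                 /* long form, capped at 2 bytes here */
        if (cnt == 0 || cnt > 2 || cnt > n - i) return 0;
        while (cnt--) len = (len << 8) | buf[i++];
    }
    if (len > n - i) return 0;               /* value must lie inside input */
    out->tag = tag; out->len = len; out->value = buf + i;
    return i + len;
}

/* Copy a value into a fixed-size buffer. The length came from the card, so it
 * is checked against the destination capacity. Returns 0 on success, else -1. */
int tlv_copy(const tlv_t *t, uint8_t *dst, size_t cap)
{
    if (t->len > cap) return -1;
    memcpy(dst, t->value, t->len);
    return 0;
}

int main(void)
{
    /* Constructed input: tag 0x5A claims 255 value bytes, only 2 follow. */
    const uint8_t bad[] = { 0x5A, 0x81, 0xFF, 0x41, 0x41 };
    tlv_t t;
    printf("consumed=%zu\n", tlv_next(bad, sizeof bad, &t));
    return 0;
}
```

Both checks matter: `tlv_next` rejects a length that runs past the data actually read from the card, and `tlv_copy` rejects a well-formed length that is simply larger than the local buffer.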
These mPoS devices have a small screen, a card reader, and an input pad to accept PINs. Even though they may look entirely different, Butler said 75 percent of the devices are actually the same in terms of the underlying software and tools available. These devices generally run Linux, or a variant of it, and communicate via Bluetooth with smartphones.
The platform vendor was cooperative when Butler and Nils reported the vulnerability and released the patch for the EMV library in April. There was some delay in releasing the patch because the modified library had to be re-certified. Legal standards actually make it difficult for manufacturers to release security patches in a timely manner. Some of the mobile device vendors have not yet released the firmware update containing the new EMV library, Nils said.
Unlike many embedded devices, mPoS devices can potentially be updated easily, as the firmware can be pushed over Bluetooth by the mobile app.
Even with the uncovered flaws, mPoS devices are potentially more secure than traditional PoS devices, Butler said. They are simple enough that, as long as the implementation follows security best practices, there's not much that can go wrong, he said.