A point of sale (POS) system from SAP is wide open—allowing anyone to go in and steal payment card data or, in a new cybercrime wrinkle, change prices on merchandise.
According to ERPScan—which used the example of hacking in to change the price of a MacBook to $1—the SAP POS Xpress Server does not perform any authentication checks for critical functionality that requires user identity. As a result, administrative and other privileged functions can be accessed without any authentication procedure.
And that means that anyone who gets into the network can change prices or set discounts—among other things.
“It’s no secret that POS systems are plagued by vulnerabilities and numerous incidents occurred because of their security drawbacks came under the spotlight,” said Alexander Polyakov, CTO at ERPScan. “Unlike the majority of such malware designed to steal customers’ data, this one provides cyber-attackers with an unfettered control over the whole POS system. Multiple missing authorization checks on the server side of SAP POS allowed a hacker to use a legitimate software functionality (which must have restricted access), meaning that malicious actions are difficult to detect.”
He added, “The major part of other POS malware is a one-trick pony as it allows nothing but compromised data. Of course, it’s a costly risk, but the vulnerabilities we found go much further. Stealing credit-card numbers, setting up prices and special discounts, remote starting and stopping a POS terminal—all of these options are on the hacker’s menu.”
SAP POS is a part of the SAP for Retail solution portfolio, which serves 80% of the retailers in the Forbes Global 2,000.
"Enterprises struggle with managing risk from third-party unmanaged assets on their network that are vulnerable, such as PoS systems,” said Gaurav Banga, founder and CEO, Balbix, via email. “These devices are a part of critical business processes and have a significant breach impact. What is needed is complete visibility of third-party and unmanaged assets on the network along with automatic calculation of business impact to identify threats such as vulnerable POS systems—before they get breached."
The vulnerabilities have been patched—and administrators should apply the patches as soon as possible.