A security researcher has found several serious vulnerabilities in a widely deployed point-of-sale system that enables an attacker to change transactions, steal card data and take other malicious actions. The attacks could be executed remotely under certain circumstances or done through a local interface.
The research, done by Karsten Nohl of Security Research Labs in Germany, shows that some PoS terminals made by VeriFone Systems have a series of weaknesses that give attackers some pathways into the system. The vulnerable system is called Artema Hybrid, and it is the most popular PoS system in Germany.
The most serious problem with the devices, Nohl found, is that the network stack for the system contains multiple buffer overflow vulnerabilities. Those flaws can be used by attackers to compromise the systems remotely. There also are two local interfaces through which an attacker could gain entry to a vulnerable system: the serial interface and the JTAG debugging interface.
“Some versions of the terminal software are vulnerable to a buffer overflow that gains code execution through the readily accessible serial interface,” a description of the flaws on the SR Labs site says.
“The JTAG interface of the application processor is accessible without opening the device. It allows full debugging control over the device. These attacks target the terminal’s application processor. The security of the cryptographic module (HSM) has not yet been investigated.”
The bugs themselves are worrisome, but the real issue is what the attacker would be able to do once he’s on the system. The most serious attack scenario would allow the attacker not only to steal the data from a payment card, but also to alter the transaction itself, changing the amount charged to the card.
Officials at VeriFone acknowledged that they had been notified by SR Labs of the vulnerabilities and attacks, but said that they had not been able to replicate the bugs or attacks using a third-party security lab.
“The reported attack scenario concerns exclusively the Artema Hybrid Terminal, which has a security module as well as a processor for applications. At no point was the security module or encrypted PIN compromised in this reported attack scenario; neither was the integrity of the EMV transaction violated. As the security module is not affected by the attack scenario, it is not possible using an amended application program to modify the security module’s PIN processing of a successful card payment transaction,” Dave Faoro, vice president and chief payment officer at VeriFone, said in a statement. “The security firm claims and was able to demonstrate an attack scenario to manipulate the terminal via the LAN interface in order to load a foreign application. The security firm also claimed to be able to do so via the serial interface but was not able to demonstrate that to us.
“Since the first indication, we have been working closely with an approved DK lab to investigate the reported breach scenario but have not been able to replicate the attack scenario. Subsequently, VeriFone retained additional independent expert penetration testing firms with expertise in payment security compliance, to assess the breach scenarios and potential ramifications.”
Point-of-sales systems have been the target of a long list of attacks in the last few years, perhaps most famously in the TJX hack. But many of those attacks have been against stock systems and have taken advantage of simple weaknesses or flaws elsewhere in the network to gain access to the PoS terminals.
Faoro said that VeriFone is continuing the look at the problems to determine the appropriate countermeasures.
“We reiterate that the Artema Hybrid devices were designed and tested to meet the DK security requirements. We take security very seriously and you have our assurances that VeriFone will continue to fully investigate this situation, communicate with local authorities, and report back to you on our findings,” he said.