It wasn’t long ago when hacking a point-of-sale system meant deploying a RAM scraper at a retailer, sitting back and watching the credit card numbers roll in. Now that POS has gone mobile with vendors such as Square, Intuit, Revel and others using hardware fobs connected to smartphones and tablets to process credit card transactions, hackers are sure to follow the money trail there.
At last week’s Black Hat conference, two recent Boston University computer engineering graduates revealed software and hardware hacks against the latest versions of the popular Square Reader that bypass device encryption, steal payment data and enable playback attacks.
Alexandrea Mellen and John Moore said they can turn the Square Reader into a card skimmer in fewer than 10 minutes, and added they believe the same vulnerabilities could be present in other mobile POS applications.
“One of the reasons we looked into [mobile POS] research is that in the POS market, we’ve seen new hardware and software coming out from lots of providers usually implementing their own solutions. These are cheap, compact and compatible,” Mellen said. “They also face the challenge of being secure. Lower hardware budgets and their ability to interface with cell phones that are used for other purposes is leaving customer card information vulnerable and making it harder to secure devices.”
Mellen and Moore said their hardware and software attacks are separate. The hardware attack requires cracking open the plastic Square Reader, which takes some practice; the researchers said it got easier the more they did it. Once inside, Mellen and Moore said, they would create a jumper connection to exposed contacts that bypasses the crypto chip on the device.
“The attack is done with things you could pick up at Radio Shack, things that most people [at Black Hat] have in their garage: a screwdriver, wires, soldering iron, clips,” Mellen said. “The hardest thing is opening the soft plastic shell.”
On the software side, once a card is swiped in the Square Reader, the data is converted into an audio WAV file that passes through the headphone jack to the Square Register app, which then sends it to Square, where it’s decrypted and processed. The researchers built an app that grabs the audio file and data, converts it, and allows an attacker to replay it later on, over and over if they wish.
Square has responded by deprecating older versions of the Reader and they cannot be used with the Square Register app any longer. Mellen, however, points out that their attack bypasses the Register app.
“Our app takes the incoming signal from the hardware encryption bypass reader,” Mellen said. “We decode the WAV file from there, get the credit card information and send it back to our app.”
Mellen and Moore said their attack takes advantage of a weakness in the Square Reader: its transaction counter is not verified when data is decrypted server side. Attackers can exploit this to swipe a card over and over and use that data days, weeks or months later if it’s not sent to Square’s servers.
“Any recordings of encrypted swipes that have not yet been used to initiate a transaction can later be played back in order to perform a new transaction for an arbitrary amount,” Moore wrote in a description of the vulnerability in his and Mellen’s submission to HackerOne; they received a $500 bounty. “The server will validate the played-back encrypted swipe even though Square has the necessary knowledge to decline the transaction based on a stale transaction counter.”
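The server-side check the researchers describe as missing can be sketched as a per-reader monotonic counter test. This is an added example, not Square's code or the researchers'; it assumes each decrypted swipe yields a reader identifier and a counter that increments on every swipe, and the names `CounterValidator`, `Decision` and `gap_alert` are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    skipped: int = 0  # counters jumped over: swipes that never reached the server


class CounterValidator:
    """Per-reader monotonic counter check (hypothetical server-side component)."""

    def __init__(self, gap_alert: int = 3) -> None:
        self._last: Dict[str, int] = {}  # reader_id -> highest counter accepted
        self.gap_alert = gap_alert       # assumed threshold for flagging gaps
        self.alerts: List[str] = []

    def check(self, reader_id: str, counter: int) -> Decision:
        last = self._last.get(reader_id)
        if last is not None and counter <= last:
            # Stale or replayed recording: a newer swipe was already processed.
            self.alerts.append(
                f"{reader_id}: stale counter {counter} (last accepted {last})")
            return Decision(False, "stale_counter")
        skipped = 0 if last is None else counter - last - 1
        if skipped >= self.gap_alert:
            # Several swipes on this reader were never submitted; worth review.
            self.alerts.append(
                f"{reader_id}: {skipped} swipes never submitted before {counter}")
        self._last[reader_id] = counter
        return Decision(True, "ok", skipped)


def run_constructed_sample() -> List[Decision]:
    # Constructed sample: counters 11-14 were swiped on the reader but never sent.
    validator = CounterValidator()
    swipes = [("reader-A", 10), ("reader-A", 15), ("reader-A", 12),
              ("reader-A", 15), ("reader-A", 16)]
    return [validator.check(reader, counter) for reader, counter in swipes]


if __name__ == "__main__":
    for decision in run_constructed_sample():
        print(decision)
```

A recording whose counter is still above the last accepted value passes this check, so it narrows the replay window rather than closing it.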
Square said in a statement the issue is with magnetic stripe data and not its reader or app.
“Any card reader on the market can be deconstructed. The chip could be crushed and then reassembled by using the undamaged shell of the reader. At Square, we have processes in place to prevent malicious behavior on damaged readers,” Square said in a statement. “Our Square Register software contains a number of security precautions that protect cards that are swiped on unencrypted readers. If our encrypted readers are damaged, they will not work with Square.”