Researchers who discovered vulnerabilities in mobile point-of-sale devices (mPOS), which could allow malicious code execution on targeted payment systems, demonstrated their findings at Black Hat 2014 in Las Vegas.
Jon Butler, the head of research at UK-based MWR Labs, along with a colleague at the company, calling himself only “Nils” at the conference, redacted the names of the popular mPOS devices as many users may still be impacted the issues. All of the tested terminals looked “roughly the same,” according to Butler, who explained that the devices ran Linux platforms to carry out payment transactions.
In a Thursday session called, “Mission mPOSsible,” the hackers demonstrated exploits leveraging various input vectors on the devices, such as Bluetooth and USB.
One hack that received a round of applause from Black Hat attendees, showed how a stack-based buffer overflow bug in a device's EMV parsing library could lead to device takeover. Butler and Nils gained root access to the device, and were able to manipulate information displayed on the mPOS screen.
During the session, the two swiped a "malicious" card (created specifically for the hack), which allowed them simulate their own version of the Flappy Bird game on the payment terminal screen. The hack was meant to show that malicious attackers, exploiting the same bug, could use such access to manipulate messages on devices and even monitor keypad input, in order to collect financial information, like PIN numbers and credit card data.
The two worked with the mPOS vendor, which was impacted by the EMV bug, and the company released a fix for the issue in April 2014, the researchers said. Still, the duo suggested that many devices may still be vulnerable to the vulnerability if third-party vendors hadn't implemented the patch.
Bulter warned that small businesses were particularly vulnerable to mPOS flaws they discussed, as the devices typically appeal to merchants seeking inexpensive payment devices carrying low transaction fees.