Security researchers have identified a vulnerability in the Xpress server of the SAP point of sale terminal that allows a small computer, such as a Raspberry Pi not only to steal credit card data but also to change prices.
According to a blog post by researchers at ERPScan, several vulnerabilities in point of sale systems developed by SAP and Oracle were found that allowed hackers to not only to compromise customers' data but gain unfettered control over the POS server.
SAP POS, a client-server point-of-sale system, is a part of the SAP for Retail solution portfolio, which serves 80 percent of the retailers in the Forbes Global 2000.
According to researchers, the system failed to make a several authorisation checks. To demonstrate the idea of attack vectors, researchers made a video of a proof-of-concept attack. The video demonstrates that using a £20 Raspberry Pi, a hacker can access the network where the POS terminal is located and install a malware designed to set a significant discount.
“Once you are in, you have unlimited control over the backend and front-end of the POS system, as the tool can upload a malicious configuration file on the SAP POS Xpress Server without any authentication procedure,” said the researchers.
“New parameters are limited by hackers' imagination: they can set special price or discount, the time the discount is valid, the conditions under which it works – for example, when purchasing a specific product. In our case, we set up an incredible discount to a MacBook.”
Dmitry Chastuhin, one of the researchers who identified the vulnerabilities, said that broadly speaking, it's not a problem of SAP.
“Many POS systems have similar architecture and thus same vulnerabilities. POS terminals used to be plagued with vulnerabilities as myriads of them were found and, unfortunately, exploited, so their security posture has improved significantly,” he said.
“On the other hand, banks must adhere to different compliance standards. So, the connections between POS workstation and the store server turn out to be the weakest link. They lack the basics of cyber-security - authorisation procedures and encryption, and nobody cares about it. So, once an attacker is in the network, he or she gains full control of the system."
The vulnerabilities were reported to the vendor back in April 2017. SAP released the first patch in July according to its release schedule. However, when researchers looked at the fix, they found out that the newly implemented authorisation check could be bypassed by using another vulnerability.
Researchers notified the software maker about the failed patch on 15 August. Taking into account the criticality of the issues, SAP issued a patch in less than a week, on 18 August.
Mark James, security specialist at ESET, told SC media UK that once inside the network and authenticated, you have complete control.
“That control is exactly the same as the support people who fix it for you or the administrator that sets the rules has - you can in theory do anything you want,” he said.
“Of course, certain things will flag alarms or concerns but to be honest if you were conservative with your changes or modifications its quite possible you could change various options without notice. With very sophisticated and powerful computing devices available these days for a fraction of the cost, you would expect all it takes is a little know=how- combine those two and you have all you need to find, compromise and take over any systems not patched.”
Josh Mayfield, platform specialist, Immediate Insight at FireMon, told SC Media UK that first, organisations need to keep all POS systems up-to-date with any software patches and updates that can curtail any adversary ambition. Second, organisations can use strong authentication to prevent compromised credentials from being exploited.
“With these in place, organisations can have greater confidence that the appropriate user is accessing their POS. Uncovering a malicious insider is another matter,” he said.
“The insider can use their access to change the prices and discounts within the POS directly. This, however, is much easier to detect, because changes are logged and tracked. Real-time log analysis is critical. Without a thorough discipline of analysing logs, changes in the POS may be hidden long enough for theft to take place.”
