Security researcher sounds alarm over ATM NFC reader vulnerabilities

Video link: https://www.youtube.com/watch?v=-0qW2SBk-HM



Duration: 2:53


Reported today on The Verge

For the full article visit: https://www.theverge.com/2021/6/28/22553646/atm-point-of-sale-nfc-readers-hack-security-vulnerability-jackpotting


IOActive security researcher Josep Rodriguez has warned that the NFC readers used in many modern ATMs and point-of-sale systems are leaving them vulnerable to attacks, Wired reports. The flaws expose the machines to a range of problems, including being crashed by a nearby NFC device, locked down as part of a ransomware attack, or even hacked to extract certain credit card data.

Rodriguez even warns that the vulnerabilities could be used as part of a so-called "jackpotting" attack to trick a machine into spitting out cash. However, such an attack is only possible when paired with exploits of additional bugs, and Wired says it was not able to view a video of such an attack because of IOActive's confidentiality agreement with the affected ATM vendor.

By relying on vulnerabilities in the machines' NFC readers, Rodriguez's hacks are relatively easy to execute. While some previous attacks have relied on using devices like medical endoscopes to probe machines, Rodriguez can simply wave an Android phone running his software in front of a machine's NFC reader to exploit any vulnerabilities it might have.

In one video shared with Wired, Rodriguez causes an ATM in Madrid to display an error message simply by waving his smartphone over its NFC reader. The machine then becomes unresponsive to real credit cards held up to the reader.

The research highlights a couple of big problems with the systems. The first is that many of the NFC readers are vulnerable to relatively simple attacks, Wired reports. For example, in some cases the readers aren't verifying how much data they're receiving, which means Rodriguez was able to overwhelm the system with too much data and corrupt its memory
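
The missing length check described above, shown as an added example (not code from the article, IOActive, or any vendor's firmware): a parser for a hypothetical tag/length/value record that validates the sender-declared length against both the bytes actually received and the fixed destination buffer before copying. The record layout, `FIELD_MAX`, and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIELD_MAX 32  /* assumed size of the reader's fixed field buffer */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Hypothetical record layout: [1-byte tag][1-byte length][value...].
 * Copies the value of the first record in msg into out (FIELD_MAX bytes).
 * msg_len is the number of bytes actually received over the air. */
int read_field(const uint8_t *msg, size_t msg_len,
               uint8_t out[FIELD_MAX], size_t *out_len)
{
    if (msg == NULL || out == NULL || out_len == NULL || msg_len < 2)
        return PARSE_TRUNCATED;      /* the header itself is incomplete */

    size_t declared = msg[1];        /* length claimed by the sender */

    /* Check 1: the claimed length must fit in what was really received,
     * otherwise the copy would read past the end of the input. */
    if (declared > msg_len - 2)
        return PARSE_TRUNCATED;

    /* Check 2: the claimed length must fit in the destination buffer.
     * Skipping this check is the "not verifying how much data" failure:
     * memcpy would write past out and corrupt adjacent memory. */
    if (declared > FIELD_MAX)
        return PARSE_TOO_LONG;

    memcpy(out, msg + 2, declared);
    *out_len = declared;
    return PARSE_OK;
}

/* Builds a constructed sample message that claims `declared` value bytes
 * but carries `sent`, and returns read_field()'s status for it. */
int parse_constructed(uint8_t declared, size_t sent)
{
    uint8_t msg[2 + 255] = { 0x01, declared };  /* 0x01: made-up tag */
    uint8_t out[FIELD_MAX];
    size_t out_len = 0;

    if (sent > 255)
        sent = 255;
    memset(msg + 2, 0x41, sent);                /* filler payload */
    return read_field(msg, 2 + sent, out, &out_len);
}
```

Rejecting the oversized record outright, rather than truncating it to fit, keeps the reader from processing a field whose declared and actual contents disagree.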



