Contactless Overflow: Code execution in payment terminals and ATM’s over NFC

Presented at DEF CON 31 (2023), Aug. 12, 2023, 2:30 p.m. (45 minutes)

We conducted a research to assess the current security of NFC payment readers that are present in most of the major ATM brands, portable point of sales, gas stations, vending machines, transportation and other kind of point of sales in the US, Europe and worldwide. In particular, we found code execution vulnerabilities exploitable through NFC when handling a special application protocol data unit (APDU) that affect most NFC payment vendors. The vulnerabilities affect baremetal firmware devices and Android/Linux devices as well. After waiting more than 1 year and a half once we disclosed it to all the affected vendors, we are ready to disclose all the technical details to the public. This research was covered in the media by wired.com but without the technical details that we can share now https://www.wired.com/story/atm-hack-nfc-bugs-point-of-sale/ Some of the affected vendors are: IDtech - https://idtechproducts.com/ Ingenico - https://www.ingenico.com/ Verifone - https://www.verifone.com/ CPI - https://www.cranepi.com/ BBPOS - https://www.bbpos.com/ Wiseasy - https://www.wiseasy.com/ Nexgo - https://www.nexgoglobal.com/ In this presentation we will describe the vulnerabilities and also demo how the readers can be compromised, using a special Android app we created, by just tapping an Android phone to the reader. We will discuss the consequences such as financial impact in reader’s users/owners and card data stealing once the firmware is compromised. Also, we will show how to compromise the host that is connected to the reader through USB by manipulating the reader’s firmware, chaining stack buffer overflow vulnerabilities in the SDK provided by the vendor that is running in the host machine. Finally, since one of the affected vendors (IDtech) is present in most ATM brands in the world, the talk will cover different scenarios of how possible can be jackpotting ATMs just tapping a smartphone into the reader of the ATM. We have many years of experience jackpotting all brands of ATMs in multiple different ways and we will show how this is technically possible.

Presenters:

• Josep Pi Rodriguez - Principal Security Consultant at IOActive
  Josep Pi Rodriguez is experienced in network penetration and web application testing, reverse engineering, industrial control systems, transportation, RF, embedded systems, AMI, vulnerability research, exploit development, and malware analysis. As a principal consultant at IOActive, Mr. Pi Rodriguez performs penetration testing, identifies system vulnerabilities, and researches cutting-edge technologies. Mr. Pi Rodriguez has performed security services and penetration tests for numerous global organizations and a wide range of financial, technical, and educational institutions. He has presented at international conferences including Defcon, Immunity infiltrate, Hack in Paris, Japan CCDS and Confidence Conference.

Links:

• https://forum.defcon.org/node/245740

Similar Presentations:

• DEF CON 31 (2023) / Legend of Zelda: Use After Free (TASBot glitches the future into OoT)
• DEF CON 29 (2021) / The Agricultural Data Arms Race: Exploiting a Tractor Load of Vulnerabilities In The Global Food Supply Chain.
• DEF CON 29 (2021) / No Key? No PIN? No Combo? No Problem! P0wning ATMs For Fun and Profit