TL;DR
- A security researcher was able to hack ATMs and POS systems by simply waving his phone.
- He used a collection of bugs to manipulate the machines and trigger a decades-old software vulnerability.
- His trick allowed him to crash the machines, collect credit card information from them, and even “jackpot” some ATMs.
Many people have probably dreamed of getting more money out of an ATM than they have in their bank accounts. Some have even successfully tried all sorts of methods of exploiting ATMs by physically tinkering with the machine’s hardware. But now a researcher has managed to hack ATMs and other cash machines by simply swiping his phone over a contactless card reader.
According to Wired, Joseph Rodriguez, a security advisor at IOActive, managed to exploit a flaw in the NFC system of ATMs and POS systems that are common in shopping malls, restaurants and retail stores. Using a phone with NFC and an Android app that he developed, he exploited a variety of bugs in the NFC reader chips of these machines to crash them, hack them to collect credit card details, invisibly change the value of transactions, and even “jackpot” some ATMs so that they spit out cash. However, the last attack also required exploiting existing vulnerabilities in the ATMs’ software.
“You can modify the firmware and change the price to something like a dollar even if the screen says you pay $50. They can render the device unusable or install some kind of ransomware. There are many options here,” Rodriguez told Wired. “If you chain the attack and also send a special payload to an ATM computer, you can crack the ATM-like payout with just a tap of your phone,” he added.
Rodriguez began his research into hacking the contactless card readers on ATMs by buying NFC readers and point-of-sale devices from eBay. He quickly discovered that many of them did not validate the size of the data packet sent from a credit card to the reader via NFC. Using a custom Android app, he sent a packet of data a hundred times larger than what the machine expected, triggering a “buffer overflow,” a decades-old class of software vulnerability that allows an attacker to corrupt a device’s memory and execute their own code.
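The missing size check described above, shown as an added example (not code from Rodriguez, IOActive or any vendor): an unchecked copy into a fixed receive buffer beside a handler that validates the length first. The 256-byte buffer, the 2-byte length header and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RX_BUF_SIZE 256u              /* assumed size of the reader's receive buffer */
#define DEMO_MAX (100u * RX_BUF_SIZE) /* "a hundred times larger" than expected */
enum { RX_OK = 0, RX_ERR_SHORT = -1, RX_ERR_MISMATCH = -2, RX_ERR_TOO_BIG = -3 };
typedef struct { uint8_t data[RX_BUF_SIZE]; size_t len; } rx_frame_t;

/* Unchecked pattern, for contrast only (never called): the sender-controlled
 * length is trusted, so memcpy writes past data[] when n exceeds RX_BUF_SIZE. */
void rx_store_unchecked(rx_frame_t *f, const uint8_t *payload, size_t n)
{
    memcpy(f->data, payload, n);
    f->len = n;
}

/* Hardened: hypothetical wire format = 2-byte big-endian length + payload. */
int rx_store_checked(rx_frame_t *f, const uint8_t *wire, size_t wire_len)
{
    if (wire_len < 2) return RX_ERR_SHORT;
    size_t declared = ((size_t)wire[0] << 8) | wire[1];
    if (declared != wire_len - 2) return RX_ERR_MISMATCH; /* header vs. bytes received */
    if (declared > sizeof f->data) return RX_ERR_TOO_BIG; /* never exceed the buffer */
    memcpy(f->data, wire + 2, declared);
    f->len = declared;
    return RX_OK;
}

/* Build a constructed message (declared length in the header, `sent` filler
 * bytes after it) and feed it to the checked handler. */
int try_message(size_t declared, size_t sent)
{
    static uint8_t wire[2 + DEMO_MAX];
    rx_frame_t frame;
    if (sent > DEMO_MAX) sent = DEMO_MAX;
    wire[0] = (uint8_t)(declared >> 8);
    wire[1] = (uint8_t)(declared & 0xff);
    memset(wire + 2, 0x41, sent);
    return rx_store_checked(&frame, wire, sent + 2);
}

int main(void)
{
    printf("normal message:    %d\n", try_message(16, 16));
    printf("oversized message: %d\n", try_message(DEMO_MAX, DEMO_MAX));
    return 0;
}
```

The checked handler rejects the message before any copy takes place, so the oversized input never reaches the buffer.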
Rodriguez reported the vulnerability to affected brands and vendors about a year ago, but says the sheer number of devices that need to be physically patched is huge, and patching them all will take a long time. The fact that many POS terminals do not receive regular software updates makes this flaw even more dangerous.
The researcher kept most of his findings hidden for a year but is now trying to share technical details about them in order to get affected vendors to implement patches.