Concerns have been raised about the security of the NFC readers used in many ATMs and POS systems around the world to enable contactless experiences. According to security researcher Josep Rodriguez of IOActive, these readers have some "congenital" defects that make them vulnerable to a variety of problems, among them the possibility of being blocked by other nearby NFC devices or compromised to extract information from debit and payment cards. Not only that: the vulnerabilities could also be exploited to hack an ATM so as to induce it to dispense money uncontrollably, in an attack known in jargon as "jackpotting".
The vulnerabilities are reportedly quite simple to exploit: the researcher showed that it was enough to bring an ordinary Android smartphone (running an app developed for this purpose) close to an NFC reader to block it and prevent it from carrying out normal operations with credit cards used afterwards. In a video shared with Wired, which has not been made public due to confidentiality agreements, Rodriguez shows an ATM in Madrid displaying an error message after the smartphone is brought close to the NFC reader.
Rodriguez pointed out that these systems lack a strong security foundation, which makes them vulnerable to relatively simple attacks. For example, in many cases these readers do not verify the amount of data they are receiving, which easily exposes them to "buffer overflow" attacks, where the memory of the device is compromised because it is literally "flooded" with too much data.
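The missing size check described above can be illustrated with a bounded field parser. This is an added example, not code from the article, from IOActive or from any reader vendor; the tag/length/value record layout, the 32-byte buffer size and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32  /* assumed size of the reader's per-field buffer */

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Assumed record layout: [tag:1][len:1][value:len]. The length byte comes
 * from the card, so the reader must treat it as untrusted. */
struct field {
    uint8_t tag;
    uint8_t len;
    uint8_t value[FIELD_MAX];
};

/* Copies one field only after checking the claimed length against the bytes
 * actually received and against the destination size. A handler that calls
 * memcpy(out->value, msg + 2, msg[1]) without these checks lets the card
 * write up to 255 bytes into a 32-byte buffer. */
int parse_field(const uint8_t *msg, size_t msg_len, struct field *out)
{
    if (msg == NULL || out == NULL || msg_len < 2)
        return PARSE_TRUNCATED;              /* header missing */
    size_t claimed = msg[1];
    if (claimed > msg_len - 2)
        return PARSE_TRUNCATED;              /* claims more than was received */
    if (claimed > sizeof out->value)
        return PARSE_TOO_LONG;               /* would overflow out->value */
    out->tag = msg[0];
    out->len = (uint8_t)claimed;
    memcpy(out->value, msg + 2, claimed);
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    const uint8_t ok[] = { 0x5A, 0x04, 0x11, 0x22, 0x33, 0x44 };
    const uint8_t cut[] = { 0x5A, 0x10, 0x01 };     /* claims 16, carries 1 */
    uint8_t big[2 + 200] = { 0x5A, 200 };           /* 200 > FIELD_MAX */
    struct field f;

    printf("valid:     %d\n", parse_field(ok, sizeof ok, &f));
    printf("truncated: %d\n", parse_field(cut, sizeof cut, &f));
    printf("oversized: %d\n", parse_field(big, sizeof big, &f));
    return 0;
}
```

Rejecting the message outright, rather than truncating the copy, keeps the reader from processing a record whose declared and actual sizes disagree.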
Then there is a second problem: even once a vulnerability has been identified, applying a corrective patch may not be straightforward. Often it is necessary to work on a terminal physically to apply an update, and in general it cannot be taken for granted that many POS devices and ATMs receive the regular security updates that manufacturers issue.
Unfortunately, jackpotting attacks are possible by exploiting other bugs that Rodriguez claims he found in some ATM software and that he cannot disclose publicly due to confidentiality agreements with the terminal manufacturers.
Rodriguez's findings are the result of research and analysis conducted last year. In keeping with the principles of responsible disclosure, the researcher initially shared them only with the manufacturers concerned and avoided talking about them publicly for a whole year. He intends to present the technical details of the vulnerabilities he discovered in a webinar to be organized in the coming weeks, both to push the customers of device manufacturers to update more decisively using the patches issued by the manufacturers themselves and to raise the general public's awareness of the real security state of devices that billions of people around the world use every day to transact.