Researchers describe the intense vulnerabilities in the two biggest Point of Sales (PoS) vendors, Verifone, and Ingenico. The affected devices are Verifone VX520, Verifone MX series, and the Ingenico Telium 2 series.
“Through the use of default passwords, it was able to execute arbitrary code through binary vulnerabilities (e.g., stack overflows, and buffer overflows). These PoS terminal weaknesses enable an attacker to send arbitrary packets, clone cards, clone terminals, and install persistent malware”, said researchers with the Cyber R&D Lab team, in a new analysis of the flaws this week.
PoS terminals are devices that read payment cards such as credit or debit cards. Of note, the affected devices are PoS terminals, the device used to process the card as opposed to PoS systems, which include the cashier’s interaction with the terminal as well as the merchants’ inventory and accounting records.
Security Issues in PoS Terminals
Two main security issues have been disclosed in PoS terminals. The main issue is that they ship with default manufacturer passwords, which Google research can simply reveal.
Researchers said, “Those credentials provide access to special ‘service modes,’ where hardware configuration and other functions are available”.
While looking closer to the ‘service modes’, they contain ‘undeclared functions’ after tearing down the terminals and extracting their firmware. These functions enable execution of arbitrary code through binary vulnerabilities (e.g., stack overflows, and buffer overflows) in Ingenico and Verifone terminals, said the researchers.
Attackers could leverage these flaws to launch an array of attacks. For instance, the arbitrary code-execution issue could allow attackers to send and modify data transfers between the PoS terminal and its network.
Attackers could read the data, allowing them to copy people’s credit card information and ultimately run fraudulent transactions.
“Attackers can forge and alter transactions. They can attack the acquiring bank via server-side vulnerabilities, for example in the Terminal Management System (TMS). This invalidates the inherent trust given between the PoS terminal and its processor”, say the researchers.
Researchers reached out to both Verifone and Ingenico, and patches for the problems have since been issued. In Nov 2020 PCI has released an urgent update of Verifone terminals across the globe.
Scientists said it took practically two decades to accomplish Ingenico and receive a confirmation of that fix.