Researchers describe the intense vulnerabilities in the two biggest Point of Sales (PoS) vendors, Verifone, and Ingenico. The affected devices are Verifone VX520, Verifone MX series, and the Ingenico Telium 2 series.
“Through the use of default passwords, it was able to execute arbitrary code through binary vulnerabilities (e.g., stack overflows, and buffer overflows). These PoS terminal weaknesses enable an attacker to send arbitrary packets, clone cards, clone terminals, and install persistent malware”, said researchers with the Cyber R&D Lab team, in a new analysis of the flaws this week.
PoS terminals are devices that read payment cards such as credit or debit cards. Of note, the affected devices are PoS terminals, the device used to process the card as opposed to PoS systems, which include the cashier’s interaction with the terminal as well as the merchants’ inventory and accounting records.
Two main security issues have been disclosed in PoS terminals. The main issue is that they ship with default manufacturer passwords, which Google research can simply reveal.
Researchers said, “Those credentials provide access to special ‘service modes,’ where hardware configuration and other functions are available”.
While looking closer to the ‘service modes’, they contain ‘undeclared functions’ after tearing down the terminals and extracting their firmware. These functions enable execution of arbitrary code through binary vulnerabilities (e.g., stack overflows, and buffer overflows) in Ingenico and Verifone terminals, said the researchers.
Attackers could leverage these flaws to launch an array of attacks. For instance, the arbitrary code-execution issue could allow attackers to send and modify data transfers between the PoS terminal and its network.
Attackers could read the data, allowing them to copy people’s credit card information and ultimately run fraudulent transactions.
“Attackers can forge and alter transactions. They can attack the acquiring bank via server-side vulnerabilities, for example in the Terminal Management System (TMS). This invalidates the inherent trust given between the PoS terminal and its processor”, say the researchers.
Researchers reached out to both Verifone and Ingenico, and patches for the problems have since been issued. In Nov 2020 PCI has released an urgent update of Verifone terminals across the globe.
Scientists said it took practically two decades to accomplish Ingenico and receive a confirmation of that fix.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.
Also Read
Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…
Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…
The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…
Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…
Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…
Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…