Categories: Cyber Security News

Flaws with PoS Terminals Let Attackers Execute Arbitrary Code

Researchers describe the intense vulnerabilities in the two biggest Point of Sales (PoS) vendors, Verifone, and Ingenico. The affected devices are Verifone VX520, Verifone MX series, and the Ingenico Telium 2 series.

“Through the use of default passwords, it was able to execute arbitrary code through binary vulnerabilities (e.g., stack overflows, and buffer overflows). These PoS terminal weaknesses enable an attacker to send arbitrary packets, clone cards, clone terminals, and install persistent malware”, said researchers with the Cyber R&D Lab team, in a new analysis of the flaws this week.

PoS terminals are devices that read payment cards such as credit or debit cards. Of note, the affected devices are PoS terminals, the device used to process the card as opposed to PoS systems, which include the cashier’s interaction with the terminal as well as the merchants’ inventory and accounting records.

Security Issues in PoS Terminals

Two main security issues have been disclosed in PoS terminals. The main issue is that they ship with default manufacturer passwords, which Google research can simply reveal.

Researchers said, “Those credentials provide access to special ‘service modes,’ where hardware configuration and other functions are available”.

While looking closer to the ‘service modes’, they contain ‘undeclared functions’  after tearing down the terminals and extracting their firmware. These functions enable execution of arbitrary code through binary vulnerabilities (e.g., stack overflows, and buffer overflows) in Ingenico and Verifone terminals, said the researchers.

Attackers could leverage these flaws to launch an array of attacks. For instance, the arbitrary code-execution issue could allow attackers to send and modify data transfers between the PoS terminal and its network.

Attackers could read the data, allowing them to copy people’s credit card information and ultimately run fraudulent transactions.

“Attackers can forge and alter transactions. They can attack the acquiring bank via server-side vulnerabilities, for example in the Terminal Management System (TMS). This invalidates the inherent trust given between the PoS terminal and its processor”, say the researchers.

Conclusion

Researchers reached out to both Verifone and Ingenico, and patches for the problems have since been issued. In Nov 2020 PCI has released an urgent update of Verifone terminals across the globe.

Scientists said it took practically two decades to accomplish Ingenico and receive a confirmation of that fix.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Also Read

ModPipe Malware Steals Sensitive Information from Oracle POS Software used by Hundreds of Thousands of Hotels

Undetectable ATM “Shimmers” Hacker’s Latest Tool for Steal your Chip Based Card Details from POS Terminal

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

CefSharp Enumeration Tool Identifies Critical Security Issues in .NET Desktop Applications

Cybersecurity researchers and red teamers, a newly released tool named CefEnum is shedding light on…

10 hours ago

Russian Hackers Exploit Oracle Cloud Infrastructure to Target Scaleway Object Storage

Russian threat actors have been leveraging trusted cloud infrastructure platforms like Oracle Cloud Infrastructure (OCI)…

10 hours ago

Critical Vulnerability in Netwrix Password Manager Enables Authenticated Remote Code Execution

A critical security vulnerability has been discovered in Netwrix Password Secure, a widely used enterprise…

11 hours ago

Cityworks Zero-Day Vulnerability Used by UAT-638 Hackers to Infect IIS Servers with Shell Malware

Cisco Talos has uncovered active exploitation of a zero-day remote-code-execution vulnerability, identified as CVE-2025-0994, in…

12 hours ago

Researchers Warn of ‘Smiao Network’ Cyber Threat Against Taiwan’s Federal Staff

The Foundation for Defense of Democracies (FDD) and cybersecurity firm TeamT5 has exposed an intricate…

12 hours ago

Vidar and StealC Malware Delivered Through Viral TikTok Videos by Hackers

A sophisticated social engineering campaign that leverages the viral power of TikTok to distribute dangerous…

12 hours ago