DEF CON 31 - Contactless Overflow Code Execution in Payment Terminals & ATMs - Josep Rodriguez

97,751 views

DEFCONConference

7 months ago

We conducted research to assess the current security of the NFC payment readers present in most major ATM brands, portable point-of-sale devices, gas stations, vending machines, transportation systems and other kinds of points of sale in the US, Europe and worldwide. In particular, we found code-execution vulnerabilities exploitable over NFC when handling a specially crafted application protocol data unit (APDU), affecting most NFC payment vendors. The vulnerabilities affect bare-metal firmware devices as well as Android/Linux devices.
After waiting more than a year and a half since disclosing it to all the affected vendors, we are ready to disclose the full technical details to the public. This research was covered in the media by wired.com, but without the technical details we can now share: www.wired.com/story/atm-hack-...
Some of the affected vendors are: IDtech (idtechproducts.com/), Ingenico (www.ingenico.com/), Verifone (www.verifone.com/), CPI (www.cranepi.com/), BBPOS (www.bbpos.com/), Wiseasy (www.wiseasy.com/) and Nexgo (www.nexgoglobal.com/).
In this presentation we describe the vulnerabilities and demo how the readers can be compromised, using a special Android app we created, by simply tapping an Android phone on the reader. We discuss the consequences, such as the financial impact on the readers' users and owners and the theft of card data once the firmware is compromised. We also show how to compromise the host connected to the reader over USB by manipulating the reader's firmware and chaining stack buffer overflow vulnerabilities in the vendor-provided SDK running on the host machine.
Finally, since one of the affected vendors (IDtech) is present in most ATM brands in the world, the talk covers different scenarios for how it may be possible to jackpot ATMs just by tapping a smartphone on the ATM's reader. We have many years of experience jackpotting all brands of ATMs in many different ways, and we will show how this is technically possible.
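The "special APDU" the description refers to comes down to a length field that the reader trusts when copying the command's data field into a fixed-size buffer. As an added illustration (not code from the talk, from the affected vendors' firmware, or from their SDKs), the following C parser handles ISO 7816-4 command APDUs, including the extended-length form whose Lc can declare up to 65535 bytes, and refuses any data field larger than the caller's buffer before it copies anything. The sample frames, the 255-byte receive capacity and the function names are constructed for this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes returned by apdu_parse(). */
#define APDU_OK          0
#define APDU_TOO_SHORT  -1   /* fewer than the 4 mandatory header bytes */
#define APDU_TRUNCATED  -2   /* Lc promises more data bytes than the frame carries */
#define APDU_TOO_LONG   -3   /* Lc exceeds the capacity of the destination buffer */

typedef struct {
    uint8_t cla, ins, p1, p2;
    size_t  lc;        /* number of data bytes actually copied into dst */
    int     extended;  /* 1 when the extended-length (00 Lc Lc) encoding was used */
} apdu_hdr_t;

/*
 * Parse the header of an ISO 7816-4 command APDU and copy its data field into
 * the caller-owned buffer dst (capacity dst_cap).  The declared length Lc is
 * validated against BOTH the frame length and dst_cap before memcpy.  A handler
 * that trusts Lc and copies straight into a fixed-size stack buffer is the
 * pattern behind a classic stack buffer overflow; the dst_cap check is the
 * line such a handler lacks.
 */
int apdu_parse(const uint8_t *frame, size_t frame_len,
               uint8_t *dst, size_t dst_cap, apdu_hdr_t *hdr)
{
    if (frame_len < 4) return APDU_TOO_SHORT;
    hdr->cla = frame[0]; hdr->ins = frame[1];
    hdr->p1  = frame[2]; hdr->p2  = frame[3];
    hdr->lc = 0; hdr->extended = 0;

    /* Case 1 (header only) and short case 2 (header + Le) carry no data field. */
    if (frame_len <= 5) return APDU_OK;

    size_t lc, body;
    if (frame[4] == 0x00 && frame_len >= 7) {
        if (frame_len == 7) return APDU_OK;      /* extended case 2: 00 Le Le, no data */
        hdr->extended = 1;                       /* extended length: 00 + 16-bit Lc */
        lc = ((size_t)frame[5] << 8) | frame[6];
        body = 7;
    } else {
        lc = frame[4];                           /* short form: one-byte Lc, 1..255 */
        body = 5;
    }
    if (lc == 0) return APDU_OK;

    if (lc > dst_cap) return APDU_TOO_LONG;      /* bounds check against the destination */
    if (frame_len < body + lc) return APDU_TRUNCATED;

    memcpy(dst, frame + body, lc);
    hdr->lc = lc;
    return APDU_OK;
}

/* Demo wrapper: parse into a 255-byte scratch buffer (a hypothetical receive
 * buffer sized for the short-form maximum) and return the number of data
 * bytes copied, or the negative status code. */
int apdu_check(const uint8_t *frame, size_t frame_len)
{
    uint8_t scratch[255];
    apdu_hdr_t hdr;
    int rc = apdu_parse(frame, frame_len, scratch, sizeof scratch, &hdr);
    return rc == APDU_OK ? (int)hdr.lc : rc;
}

/* Constructed sample frames (not captured from any real reader). */
const uint8_t SAMPLE_SELECT[] = {           /* SELECT by AID, short form, Lc = 7 */
    0x00, 0xA4, 0x04, 0x00, 0x07, 0xA0, 0x00, 0x00, 0x00, 0x04, 0x10, 0x10 };
const uint8_t SAMPLE_HUGE_LC[] = {          /* extended form claiming Lc = 65535 */
    0x00, 0xA4, 0x04, 0x00, 0x00, 0xFF, 0xFF, 0x01, 0x02, 0x03 };
const uint8_t SAMPLE_TRUNCATED[] = {        /* short form, Lc = 7 but only 3 bytes follow */
    0x00, 0xA4, 0x04, 0x00, 0x07, 0xA0, 0x00, 0x00 };

int main(void)
{
    printf("select:    %d\n", apdu_check(SAMPLE_SELECT, sizeof SAMPLE_SELECT));
    printf("huge lc:   %d\n", apdu_check(SAMPLE_HUGE_LC, sizeof SAMPLE_HUGE_LC));
    printf("truncated: %d\n", apdu_check(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The order of the checks matters: the capacity check comes before the frame-length check so that an oversized Lc is rejected even when the frame happens to carry that many bytes, and the copy only ever runs with a length that both the frame and the destination can back.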

COMMENTS: 165
@TheSparcguy 7 months ago
I can't wait for the next time that I pay for my coffee my payment terminal asks me if I want to play doom.
@publicacct5626 7 months ago
This kind of hack just blows my mind. It was all incredibly easy, basic stuff. JTAG debugging enabled to dump the firmware, accepting 64KB inputs that automatically overflow... We hold the assumption that manufacturers do the bare minimum to prevent extremely easy exploits like this. So no one really even bothers to look. But once it's proven that there is incredibly low-hanging fruit available, expect more people to start poking at systems like this to see if they also have easy-mode hacking enabled.
@Lee-wh3ht 7 months ago
You got one thing right, they do the bare minimum 😂😂
@slonktonkster9680 7 months ago
security should not be based on ignorance, it should be based on competence and redundancy, my dude
@bschwand 7 months ago
they did not even prevent firmware extraction... so dumb
@ZeroPlayerGame 7 months ago
truth is, in the modern world most people stick computers in stuff without even having someone with any infosec knowledge on board. That's just how it is. The risk's usually estimated as not worth paying an infosec guy their wage.
@Soloone1 5 months ago
Are you good at pen testing? Can we talk somewhere
@tissuepaper9962 7 months ago
15:20 When he said these things don't have secure boot I could not contain my "woah!". How the fuck is an ATM part less secure than like basic android smartphones?
@Jeff-ss6qt 7 months ago
Because the Android smartphone isn't security through obscurity/NDA and is more available to consumers/developers.
@joshua_337 7 months ago
Because Windows CE doesn't support secure boot lol Except for with third party loaders like CELoader
@tissuepaper9962 7 months ago
@joshua_337 the payment terminal isn't running windows. The ATM might be, but the actual card reading terminal is a totally separate deal with its own firmware and processor. In fact, many of them run Android, which has quite good support for secure boot. Even if the support was trash, there's no excuse for potentially allowing unsigned firmware to process people's credit cards. It's just ridiculous, this is one of the few devices on which I would concede the security benefits of permanently burning an encryption key into e-fuses for checking the signature of the firmware, and they couldn't even be bothered to put the work in to do that.
@joachimtheboss5326 7 months ago
@Jeff-ss6qt my bike got stolen during the carnivals where there were 4000+ other bicycles, security by obscurity is a joke LOL
@sippingthepeachsoda 7 months ago
@joachimtheboss5326 what an odd example
@ConstantlyDamaged 7 months ago
Very nice work, and huge props for waiting those two years for the vendors. Great talk.
@GBlunted 7 months ago
Damn, those kiosk 3 terminals are attached to almost everything possible where I live! From Red box to carwash to every vending machine
@aliveandwellinisrael2507 1 month ago
Yep. All you need the terminal to do is tell the vending machine that the transaction was successful (after you press a certain key combination) and you get anything within for free
@theflowpowa42oshow 6 days ago
@aliveandwellinisrael2507 Nothing is free in this world lil man.
@davidjohnston4240 6 months ago
I've written a lot of security oriented code in my career. These errors are really basic mistakes. It's pretty shocking to see them present in the majority of payment terminals.
@theflowpowa42oshow 6 days ago
Guess their coding skills aren't up to par, or it was written by AI.
@halotroop2288 7 months ago
Love how the microphone interference just keeps getting louder and louder.
@framegrace1 7 months ago
Hear no interference... maybe because I'm old. Sounds perfectly clear to me.
@lyfandeth 7 months ago
It isn't interference. It is a 60 cycle ground hum. Any high school AV squad knows how to check for ground faults. Sometimes it is as simple as turning a plug around in a power socket. Sometimes it is a disconnected ground wire. About as difficult to fix as "gee, my flashlight went out."
@framegrace1 7 months ago
@lyfandeth no hum either. Clear for me.
@markblacket8900 7 months ago
@framegrace1 maybe you didn't watch the video for long enough? it starts at around 26 minutes
@JambulaniDE 7 months ago
I heard the humming from the beginning..
@zerog2000 7 months ago
Wow rolling physical firmware updates on millions of devices is going to be a pain. Ok, let's be real - a lot of the POS stuff may never get patched ;)
@user-mn8lz7gf6d 7 months ago
almost all of them you mean
@tissuepaper9962 7 months ago
These points-of-sale are some real pieces of shit. POS POSs, in other words.
@SP-ny1fk 7 months ago
It's ok though - it's the bank's money :)
@tissuepaper9962 7 months ago
@SP-ny1fk fundamental misunderstanding of the modern financial system. If the banks all lose a shitload of money, *your* money becomes less valuable, because the government will feel obligated to bail out the banks by printing absurd amounts of cash.
@anouarkrassimovich7481 7 months ago
@SP-ny1fk in the case of ATMs, yes. Not in the case of terminals; in that case it's more likely to impact the merchants and/or the consumers, based on the goal of the malware that they implant
@arman_ 7 months ago
great talk Josep, and amazing research.
@NeverGiveUpYo 7 months ago
Amazing talk
@MeepMu 7 months ago
Multiple buffer overflows... How is payment firmware this amateurish?!
@williamallen7836 7 months ago
Easy. The manufacturer is not held criminally or civilly responsible for data breaches. Once we start holding them criminally & civilly responsible they will suddenly secure their devices.
@adamdnewman 7 months ago
It always is!
@rberkar6669 7 months ago
$$$$
@MAlanThomasII 6 months ago
The hardware vendors probably aren't liable for any losses. The credit card companies are, and they charge the stores 3% of the gross on every transaction to pay their security team and cover their losses. So the biggest liability is on the people who have the least influence over the manufacturers.
@aymanhawari2589 4 months ago
MGM was paying IT techs 15/hr in Vegas.... No wonder they got social engineered
@joemerino3243 7 months ago
The video: an incredible find of multiple crippling vulnerabilities in everyday money-handling devices; The comments: oMg thE SoUnd iS bUzZinG
@sjoervanderploeg4340 7 months ago
That explains all the new terminals in most shops!
@boreddude123456 3 months ago
This was great. I'm really new to this sort of stuff and was mostly able to follow along. It gets me excited because even as a newbie, there are still some "low hanging fruit" I can pick at and learn from!
@theflowpowa42oshow 3 days ago
But is the juice worth the squeeze?
@0xfrijolito 7 months ago
wow, great talk
@dickheadrecs 7 months ago
SNACK OVERFLOW
@zerog2000 7 months ago
Exploit brand name winner here ;)
@theflowpowa42oshow 6 days ago
Gotta go with the flow my guy
@syrus3k 7 months ago
"Easy Money" - John Connor, Terminator 2. That film is getting far too close to reality.
@theflowpowa42oshow 3 days ago
Hasta la vista baby!!!!
@sacredk1 7 months ago
Josep rocks
@lsdave 7 months ago
How does a conference of hackers have such BAD audio and video.
@ShahabSheikhzadeh 7 months ago
Seems to be getting worse after DEFCON 25.
@anomicxtreme 7 months ago
deafcon? @ShahabSheikhzadeh 😆😆
@infamousm2223 7 months ago
I have these lil Magtek Edynamo payment devices. They read cards and have NFC and wireless compatibility. I think they'd be a good device to play with.
@zerog2000 7 months ago
For some reason, I still prefer chip & pin, even though the guys at the counter are like - just tap bro!
@nisanagabyev248 4 months ago
great talk
@haczyk84 5 months ago
So basic bug :) Our favorite forum is named in honor of this yet still many people (you mention other OS drivers aside from this reader) make these mistakes.
@muttch 7 months ago
❤🎉
@Detroittruckdoctor55 7 months ago
The gas station I frequent got my business card like this and went crazy at Best Buy
@maxdulin2353 4 months ago
Complete lack of binary protections is wild to me. NX, stack cookies, ASLR... all would have made this much harder.
@barduk9963 7 months ago
1600 functions letsgooooooo
@alpaykasal2902 7 months ago
this is John Connor approved.
@Crftbt 7 months ago
25:50 buzzing intensifies
@anwiseru9064 5 months ago
15:40 noise gate intensifies
@Crftbt 5 months ago
@anwiseru9064 I lol'd. great job noticing that. >_
@theflowpowa42oshow 3 days ago
I made it through to the other side
@FukU2222 5 months ago
for whoever is doing the CCs; "inaudible" @ 3:37 is "juicy stuff"
@infamousm2223 7 months ago
I watched this whole segment and paid attention like I knew how to do any one of the wonderful things he has learned and figured out. Maybe one day I will be able to understand and learn from y'all! Baby steps. I have to say dude must have plenty of money and super morals and willpower cuz it'd be hella hard not to just use a lil bit of the monopoly money our gov prints up. Next exploits I want to see someone handle the gambling machines now! That'd be great! Ppl runnin round jackpottin everything!
@versacebroccoli7238 7 months ago
If you steal even 20 dollars from an ATM like this you will be caught and you will face the full force of the US government. It's not even worth considering. You will be left bankrupt and without a future stuck in prison.
@professorpwerrel 7 months ago
Listen to Darknet Diaries episode 18 - Jackpot, where a guy figured out how to get a payout basically whenever he wanted. Of course he got caught cause a casino doesn't just lose money and not wonder why!
@ClickClack_Bam 7 months ago
@versacebroccoli7238 Believe it or not, NOT everybody gets caught for their crimes. Some city detectives in major cities are only 50% at solving homicides. That's with the full support of Gov't resources. In fact murders are going forward on an ever-increasing level unsolved. Guess what? It's a record high right now! I know an old bank robber from the 80's & 90's who STILL spends the old 20 dollar bills in cash. He never moved to a bigger nicer house. NEVER flashed his money & was NEVER caught. He's stolen so much he still spends that money. He works a normal job & spends cash only. Other than having a roll of 100% old school 20's you'd never figure the guy shouldn't really have those or that he got them from robbing banks.
@user-dt7px5xp6z 6 months ago
@versacebroccoli7238 people do crimes daily and don't get caught
@jonnyfatboy7563 7 months ago
imagine being able to hack ATMs for 2 years and not being rich... 😂 fair play 👊
@ZeroPlayerGame 7 months ago
Hacking ATMs is super traceable physically, unless you wanna go on the run in another country I don't think that's worth it.
@ClassicRiki 7 months ago
It's astonishing to me that a conference attended by some of the best minds in technology can't upload a YouTube video without an incredibly f*cking annoying interference hum almost as loud as the person. If you're reading this guys... sort it out; it's just embarrassing
@ChristopherWoods 7 months ago
It sounds like a nasty ground loop or unterminated audio into a mixer from whatever setup they have to get audio from presenters' devices on stage. Perhaps the venue insists on using their provided stage equipment and PA and DEFCON has to take a feed from that for recordings.
@ClassicRiki 7 months ago
@ChristopherWoods yeah but that's easily filtered even in the video post production edit right? So it still seems lazy to me
@ClassicRiki 7 months ago
The livestream might be more difficult (not impossible) but once it's finished; you take that audio and filter out those frequencies
@ChristopherWoods 7 months ago
@ClassicRiki can be tricky as sometimes the processing can make the vocal quite 'squelchy' and unnatural. I wonder if they just wanted to get the video up quickly despite the audio issues.
@tidenly 7 months ago
It seems like the majority of videos have some kind of levels, mic, sound or video issue in them. Are they really so stingy they won't pay for a good sound technician?
@tigidou3344 7 months ago
GG for noob soundman.
@exchange4918 7 months ago
When will there be better Audio? Most recent uploads are unbearable!
@hohsmith4723 6 months ago
Was able to crash some gas pumps with contactless using a Flipper Zero. I know that Flipper can't emulate EMV payments, but it will damn sure crash a payment system 😂 It pretty much made the pump unresponsive for about 10min while it rebooted, the screen showed some pretty interesting information such as firmware version and OS. Was pretty surprised Zero crashed it though....
@zelko_is_real 7 months ago
I feel proud that I theorized of such an attack and seeing it actually be a thing gives me chills.
@theflowpowa42oshow 3 days ago
I'm shaking in my boots
@cogspace 7 months ago
Maybe Apple and Google should "weaponize" Apple Pay and GPay using this exploit to update the firmware on any vulnerable devices that are still out in the wild. =)
@phnix6242 7 months ago
So Free stuff or not?
@lynzoido 7 months ago
Dude needs a new top case for his MBP. Flickering touchbar lolol. Great talk
@IndianaDipper194 7 months ago
he's using a 50hz camera and it's a 60hz display. nothing wrong with it.
@lynzoido 7 months ago
@IndianaDipper194 umm, no. I just replaced mine after the same tb flickering. Google it
@blackparabellum 5 months ago
BRB moving to China for an infinite social credit score.
@Makeybussines 7 months ago
Please fix audio
@QIKUGAMES-QIKU 3 months ago
I just want the Code for FREE Chips 🍟 😅
@AfonsodelCB 7 months ago
hello, YouTuber doing research for your next multi-million view video about the biggest vulnerability in modern banking. I see you. Thanks for doing justice to this, this guy with his highly technical presentation talking in a heavy Spanish accent is burying the lead by not just saying "I could make most of the world's ATMs spew out all their cash, buy anything I wanted for 1 cent, and lead any commerce establishment I want to quick bankruptcy, all using my Pixel phone".
@tissuepaper9962 7 months ago
Attendees of a highly technical conference do not need you to tell them how awesome your research is, they can clearly see the ramifications without bright red arrows and exclamation points. "burying the lead" is also known as "humility" to everybody except journalists.
@AfonsodelCB 7 months ago
@tissuepaper9962 if you've succeeded well in your life with that mentality, then I have nothing but respect for you
@cameronrich2536 6 months ago
He figured this all out but can't get the computer sound to work lol
@SqualidsargeStudios 7 months ago
Interesting information, BUT you can hear he isn't really a public speaker
@kraagnjilwulf1413 7 months ago
Yeah, he's a hacker, public speaking isn't his job. You don't expect a convenience store clerk to fix a car, so what's the issue?
@franz3810 7 months ago
so? go watch politicians talking lies if u wanna hear that
@ChristopherWoods 7 months ago
I thought he talked extremely well considering he's presenting a very technical demo of a complicated exploit, in a non-native language, with loads of technical terminology. He's a much more fluent and polished speaker than many English native speaking presenters I've heard...
@zeroskill. 3 months ago
take a shot every time he says uhhhh
@Tattootin 7 months ago
I'm curious why the speakers here don't have to get their way in to make their points? Top tier folks should be able to show off their work and I think adding a component of competition and structural changes within not working together, but almost. I know nothing. I'm just here to see if this is viable? Or maybe this PowerPoint is all anyone needs and these amazing speakers are already established? I mean no disrespect. I don't know why I was recommended this. But I somehow managed to understand the first points he made. I'm intrigued now.
@nonchip 7 months ago
every 2nd sentence starts with "as you can see in this 2k-lines pale-on-white code vomit with fontsize
@framegrace1 7 months ago
How about reading the documentation they provide... This is just a talk, not a lecture.
@nonchip 7 months ago
@framegrace1 a talk is supposed to summarize/present the new information it's about, not show a wall of unreadable while going "as you clearly see here" and "as you know" every 2 seconds as if the audience wrote the lecture.
@publicacct5626 7 months ago
You may not be the target audience for this presentation.
@nonchip 7 months ago
@publicacct5626 who is? people with CSI-style "enhance" built into their screens?
@nurxg 7 months ago
The speaker is using standard exploit strategies (that is partly why this is so jaw dropping - that so much low hanging fruit is there). He doesn't need to explain what a stack overflow or secure boot is to this audience.
@stefanjohansson2373 7 months ago
Embarrassing event that can't handle sound/video in the presentations. This was the last place I thought the technicians would be incompetent. Impossible to listen to this worthless quality.
@framegrace1 7 months ago
There's a lot of people with hearing problems in this video, must be something about the age maybe? (I've had no problem following the talk)
@stefanjohansson2373 7 months ago
@framegrace1 Are you the fired sound technician? 😂
@oof-software 7 months ago
It was so bad I opened Equalizer APO to fix it 😭
@franz3810 7 months ago
@stefanjohansson2373 XDDD
@blackmoon9511 7 months ago
It's perfectly fine on mobile lmao get a hearing check
@DragonwoodDesigns 6 months ago
3 "uhm's" per sentence? Unwatchable! Wish I could hear the story!
@lyfandeth 7 months ago
I wish the speaker gave a damn about speaking ENGLISH to an audience in America. There's no excuse for that heavy accent. He'd be a blast speaking a tonal language like Mandarin or Thai. Between his accent and the ground hum in the PA... Come on guys, this shouldn't be amateur night. And yes, I'm multilingual. I know it can be done.
@bijavix 7 months ago
I'm pretty sure it's a Spanish accent. Every accent WILL sound different as the phonetics used between languages vary a lot. He was a little nervous and did great.
@hakz07 7 months ago
are you kidding the guy was perfectly understandable
@kosherkatfishing1614 7 months ago
LMAO imagine being in tech complaining about this guy's accent...
@decencies 7 months ago
That's a bit petty, don't you think? I agree with the persistent humming noise present near the end of the talk, but an accent? cmon now.
@camiscooked 7 months ago
Lol figure out how to do the exploit yourself, it's as easy as not talking in an accent you absolute genius you
@Sam-wu5ry 7 months ago
Why are the fake comments taking😢😢😢😢😢 forever to load i keep on typing and the words constantly disappear #restaurant#byyourowncredict #creditcard
@theflowpowa42oshow 3 days ago
nope seems like they are working to me.
@darkreddust2135 7 months ago
Why is it so hard for the organisers to get the sound working... every single time a talk is supposed to have sound it's not working...
@JeanQPublique 7 months ago
VLC was muted. You can hear the sound tech turning up the PC sound channel so much that the 60Hz hum is audible. This was presenter error, not tech error.
@darkreddust2135 7 months ago
@JeanQPublique well, even if it was. There have been a lot of talks where the sound hasn't worked, even one where the whole presentation hasn't worked for the first half...
@prgnify 7 months ago
It's cause the organisers were hacked
@zerog2000 7 months ago
Yeah I always thought DefCon was probably one of the most hostile RF environments outside of an active theatre of war ;)