POS Device Makers Push Patches for VulnerabilitiesResearchers Found Flaws in Devices Made by Verifone, Ingenico
Point-of-sale device manufacturers Verifone and Ingenico have released fixes for flaws in some of their devices after researchers found the vulnerabilities could have enabled attackers to steal payment card data, clone cards or install malware.
Independent researcher Aleksei Stennikov and Timur Yunusov, head of offensive security research at Cyber R&D Lab, described their flaw findings in a paper presented at the recent Black Hat Europe 2020 virtual event.
To mitigate the risks posed by the flaws, the researchers urge device owners to immediately apply the patches from the vendors.
The vulnerabilities in the default password settings as well as arbitrary code execution affect the Verifone VX520 and Verifone MX series and the Ingenico Telium 2 series - all of which are in widespread use, the researchers say.
After being notified by the researchers and before the paper was published, the two vendors, along with the Payment Card Industry Security Standard Council, issued fixes for the flaws in November.
A spokesperson for Ingenico could not be reached for comment. A representative of Verifone tells Information Security Media Group that the company is urging its customers to patch their affected POS devices, even though an attack using the methods described in the paper is not likely.
"To date, we are not aware of these vulnerabilities being exploited in the market," the Verifone spokesperson says. "The security firm has validated that our latest patches and software updates, which are available to all customers, remedy these vulnerabilities. Customers are currently in different phases of implementing these patches or software updates."
The POS devices were primarily vulnerable to default password settings; attackers could simply Google the password to gain access to any new devices, according to the research paper.
"All hardware devices ship with manufacturer’s default passwords, including POS terminals - a Google search easily reveals them," the researchers note. "Those credentials provide access to special 'service modes,' where hardware configuration and other functions are available. One manufacturer, Ingenico, even prevents you from changing."
Once the attackers gained access to the service modes within these devices, they could perform arbitrary code execution using stack overflows and buffer overflow vulnerabilities to leverage additional attacks. According to the researchers, these attacks include:
- Sending arbitrary packets: This could enable attackers to modify data transfer in the POS terminal and its processing network, alter transactions and target banks via server-side vulnerabilities.
- Cloning cards: By copying credit card information, duplicate data could then be written to a new credit card for running fraudulent transactions.
- Cloning terminals: By cloning the payment terminal, the attackers could run fraudulent transactions through it, process less secure transactions and bypass secure EMV transactions.
- Gaining persistence: This could enable attackers to install malware that would survive even after the device reboots.
Preventing Default Password Attacks
"If all hardware devices are shipped with default passwords, there is little point in even having a password in the first place overriding any other security on the device," says Jake Moore, a cybersecurity specialist at security firm ESET. "A simple Google search will reveal the password and cause the security to fall over. If these passwords cannot even be changed, then I would seriously consider not using these devices."
Chris Hazelton, director of security solutions at security firm Lookout, says smaller businesses are unlikely to promptly apply POS patches.
"Point-of-sale machines require several layers of security to protect them from physical and digital threats," Hazelton says. "Mom and pop shops are likely unaware of the need to maintain the latest firmware for their POS machines, as they don't see them for what they really are. While vendors are offering patches, they readily admit that many users have yet to implement them. What is needed are easy-to-use tools for small businesses to see the risk that all connected endpoints face, particularly when it comes to vulnerabilities."
Other POS Attacks
In November, ESET found that a POS malware variant called "ModPipe" was targeting devices that used Oracle software (see: 'ModPipe' POS Malware Attacking Hospitality Industry).
In October, Visa's payment fraud team published an alert warning of recent malware attacks on POS devices used by two North American hospitality companies. In one of these incidents, three POS malware variants designed to scrape payment card data were found on the targeted firm's network and devices (see: Visa Alert: POS Malware Attacks Persist).