- A security researcher was able to hack ATMs and point-of-sale systems by simply waving his phone.
- He used a collection of bugs to manipulate the machines and trigger a decade-old software vulnerability.
- His trick allowed him to crash the machines, collect credit card data from them, and even “jackpot” some ATMs.
Many people have probably fantasized about getting more money out of an ATM than they have in their bank accounts. Some have even successfully tried all sorts of methods to exploit ATMs by physically tinkering with the machines’ hardware. But now, a researcher has managed to hack ATMs and other point-of-sale (POS) machines by simply waving his phone over a contactless card reader.
According to Wired, Joseph Rodriguez, a security consultant at IOActive, managed to exploit a flaw in the NFC system of ATMs and POS systems found widely in shopping malls, restaurants, and retail stores. He used a phone with NFC and an Android app that he designed to infect the NFC reader chips of these machines with a variety of bugs to crash them, hack them to collect credit card data, invisibly change the value of transactions, and even “jackpot” some ATMs into spitting out cash. However, the last exploit also required manipulation of existing vulnerabilities in the ATMs’ software.
“You can modify the firmware and change the price to one dollar, for instance, even when the screen shows that you’re paying 50 dollars. You can make the device useless, or install a kind of ransomware. There are a lot of possibilities here,” Rodriguez told Wired. “If you chain the attack and also send a special payload to an ATM’s computer, you can jackpot the ATM-like cash-out, just by tapping your phone,” he added.
Also read: The best security apps for Android
Rodriguez began his research into the ability to hack ATMs’ contactless card readers by buying NFC readers and point-of-sale devices from eBay. He soon discovered that many of them did not validate the size of the data packet being sent via NFC from a credit card to the reader. Using a custom Android app, he sent a data packet hundreds of times larger than what the machine expected, thereby triggering a “buffer overflow,” a decades-old software vulnerability that allows an attacker to corrupt a device’s memory and run their own code.
Rodriguez informed the affected brands and vendors of the security vulnerability about a year ago, but he says that the sheer number of devices that need to be physically patched is huge and will take a lot of time. The fact that many POS terminals don’t get regular software updates makes this flaw even more dangerous.
The researcher kept most of his findings hidden for a year but now pans to share technical details about them to push affected vendors to implement patches.
