
DEF CON 31 - Contactless Overflow Code Execution in Payment Terminals & ATMs - Josep Rodriguez 

DEFCONConference

We conducted research to assess the current security of the NFC payment readers present in most major ATM brands, portable points of sale, gas stations, vending machines, transportation systems and other kinds of point of sale in the US, Europe and worldwide. In particular, we found code execution vulnerabilities, exploitable over NFC, in the handling of a special application protocol data unit (APDU); they affect most NFC payment vendors. The vulnerabilities affect bare-metal firmware devices as well as Android/Linux devices.
After waiting more than a year and a half since we disclosed it to all the affected vendors, we are ready to disclose all the technical details to the public. This research was covered in the media by wired.com, but without the technical details that we can share now: www.wired.com/story/atm-hack-...
Some of the affected vendors are: IDtech (idtechproducts.com/), Ingenico (www.ingenico.com/), Verifone (www.verifone.com/), CPI (www.cranepi.com/), BBPOS (www.bbpos.com/), Wiseasy (www.wiseasy.com/), Nexgo (www.nexgoglobal.com/).
In this presentation we will describe the vulnerabilities and also demo how the readers can be compromised by just tapping an Android phone to the reader, using a special Android app we created. We will discuss the consequences, such as the financial impact on the readers' users and owners and the theft of card data once the firmware is compromised. We will also show how to compromise the host connected to the reader over USB by manipulating the reader's firmware and chaining stack buffer overflow vulnerabilities in the vendor-provided SDK running on the host machine.
Finally, since one of the affected vendors (IDtech) is present in most ATM brands in the world, the talk will cover different scenarios of how ATMs could be jackpotted by just tapping a smartphone on the ATM's reader. We have many years of experience jackpotting all brands of ATMs in many different ways, and we will show how this is technically possible.
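The code execution path the description refers to, a special APDU that triggers a stack buffer overflow, comes down to trusting the data length the card (or phone) declares. The following C is an added illustration, not the speaker's or any vendor's code: a hypothetical reader-side APDU parser in the defective form beside the bounds-checked form. The 255-byte buffer, the function names and the sample APDUs are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical firmware-side buffer for one command APDU's data field, sized
 * for short-form APDUs (Lc <= 255). Real readers differ; this is constructed. */
#define APDU_DATA_MAX 255

typedef struct {
    uint8_t cla, ins, p1, p2;
    uint8_t data[APDU_DATA_MAX];
    size_t  lc;                 /* bytes actually stored in data[] */
} apdu_t;

enum { APDU_OK = 0, APDU_TOO_SHORT = -1, APDU_LC_TOO_LARGE = -2, APDU_TRUNCATED = -3 };

/* ISO 7816-4 length decoding for command APDUs that carry a data field: a
 * non-zero fifth byte is a short Lc (1..255); 0x00 followed by two bytes is an
 * extended Lc (up to 65535). Returns the declared Lc and sets *hdr to the
 * header size consumed (5 or 7), or returns -1 if the header is incomplete. */
static long apdu_declared_lc(const uint8_t *buf, size_t len, size_t *hdr)
{
    if (len < 5) return -1;
    if (buf[4] != 0x00) { *hdr = 5; return buf[4]; }
    if (len < 7) return -1;
    *hdr = 7;
    return ((long)buf[5] << 8) | buf[6];
}

/* Defective pattern: the attacker-controlled Lc is used as the copy length
 * with no bound, so an extended Lc of up to 65535 overruns the 255-byte
 * data[] (the "64KB input" class of overflow). Shown only for contrast. */
static int apdu_parse_unchecked(const uint8_t *buf, size_t len, apdu_t *out)
{
    size_t hdr;
    long lc = apdu_declared_lc(buf, len, &hdr);
    if (lc < 0) return APDU_TOO_SHORT;
    out->cla = buf[0]; out->ins = buf[1]; out->p1 = buf[2]; out->p2 = buf[3];
    out->lc = (size_t)lc;
    memcpy(out->data, buf + hdr, out->lc);   /* lc unbounded: memory corruption */
    return APDU_OK;
}

/* Hardened form: Lc is checked against the destination capacity and against
 * the bytes actually received before a single byte is copied. */
static int apdu_parse_checked(const uint8_t *buf, size_t len, apdu_t *out)
{
    size_t hdr;
    long lc = apdu_declared_lc(buf, len, &hdr);
    if (lc < 0) return APDU_TOO_SHORT;
    if ((size_t)lc > APDU_DATA_MAX) return APDU_LC_TOO_LARGE;
    if ((size_t)lc > len - hdr) return APDU_TRUNCATED;
    out->cla = buf[0]; out->ins = buf[1]; out->p1 = buf[2]; out->p2 = buf[3];
    out->lc = (size_t)lc;
    memcpy(out->data, buf + hdr, out->lc);
    return APDU_OK;
}

/* Constructed samples. SAMPLE_OK: a SELECT-style short APDU with 4 data bytes.
 * SAMPLE_BAD: an extended-length header declaring Lc = 0xFFFF (65535) while
 * only 3 data bytes follow. SAMPLE_TRUNC: short Lc = 16 but 1 byte present. */
static const uint8_t SAMPLE_OK[]    = { 0x00, 0xA4, 0x04, 0x00, 0x04, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t SAMPLE_BAD[]   = { 0x00, 0xA4, 0x04, 0x00, 0x00, 0xFF, 0xFF, 0x01, 0x02, 0x03 };
static const uint8_t SAMPLE_TRUNC[] = { 0x00, 0xA4, 0x04, 0x00, 0x10, 0x01 };

int main(void)
{
    apdu_t a;
    printf("benign: %d\n",    apdu_parse_checked(SAMPLE_OK, sizeof SAMPLE_OK, &a));       /* 0 */
    printf("oversize: %d\n",  apdu_parse_checked(SAMPLE_BAD, sizeof SAMPLE_BAD, &a));     /* -2 */
    printf("truncated: %d\n", apdu_parse_checked(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, &a)); /* -3 */
    return 0;
}
```

The same two checks apply to any fixed buffer fed from a length field, whether over NFC or over the USB link to the host SDK the description mentions.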

Science

Published: 15 Sep 2023

Comments: 166
@TheSparcguy 9 months ago
I can't wait for the next time I pay for my coffee and my payment terminal asks me if I want to play Doom.
@publicacct5626 9 months ago
This kind of hack just blows my mind. It was all incredibly easy, basic stuff. JTAG debugging enabled to dump the firmware, accepting 64KB inputs that automatically overflow... We hold the assumption that manufacturers do the bare minimum to prevent extremely easy exploits like this. So no one really even bothers to look. But once it's proven that there is incredibly low-hanging fruit available, expect more people to start poking at systems like this to see if they also have easy-mode hacking enabled.
@Lee-wh3ht 9 months ago
You got one thing right, they do the bare minimum 😂😂
@slonktonkster9680 9 months ago
security should not be based on ignorance, it should be based on competence and redundancy, my dude
@bschwand 9 months ago
they did not even prevent firmware extraction... so dumb
@ZeroPlayerGame 8 months ago
truth is, in the modern world most people stick computers in stuff without even having someone with any infosec knowledge on board. That's just how it is. The risk's usually estimated as not worth paying an infosec guy their wage.
@Soloone1 7 months ago
Are you good at pen testing? Can we talk somewhere
@ConstantlyDamaged 9 months ago
Very nice work, and huge props for waiting those two years for the vendors. Great talk.
@tissuepaper9962 9 months ago
15:20 When he said these things don't have secure boot I could not contain my "woah!". How the fuck is an ATM part less secure than like basic Android smartphones?
@Jeff-ss6qt 9 months ago
Because the Android smartphone isn't security through obscurity/NDA and is more available to consumers/developers.
@joshua_337 9 months ago
Because Windows CE doesn't support secure boot lol. Except for with third party loaders like CELoader
@tissuepaper9962 9 months ago
@@joshua_337 the payment terminal isn't running Windows. The ATM might be, but the actual card reading terminal is a totally separate deal with its own firmware and processor. In fact, many of them run Android, which has quite good support for secure boot. Even if the support was trash, there's no excuse for potentially allowing unsigned firmware to process people's credit cards. It's just ridiculous, this is one of the few devices on which I would concede the security benefits of permanently burning an encryption key into e-fuses for checking the signature of the firmware, and they couldn't even be bothered to put the work in to do that.
@joachimtheboss5326 9 months ago
@@Jeff-ss6qt my bike got stolen during the carnivals where there were 4000+ other bicycles, security by obscurity is a joke LOL
@sippingthepeachsoda 9 months ago
@@joachimtheboss5326 what an odd example
@GBlunted 9 months ago
Damn, those kiosk 3 terminals are attached to almost everything possible where I live! From Redbox to carwash to every vending machine
@aliveandwellinisrael2507 3 months ago
Yep. All you need the terminal to do is tell the vending machine that the transaction was successful (after you press a certain key combination) and you get anything within for free
@theflowpowa42oshow 1 month ago
@@aliveandwellinisrael2507 Nothing is free in this world lil man.
@davidjohnston4240 8 months ago
I've written a lot of security oriented code in my career. These errors are really basic mistakes. It's pretty shocking to see them present in the majority of payment terminals.
@theflowpowa42oshow 1 month ago
Guess their coding skills aren't up to par, or it was written by AI.
@halotroop2288 9 months ago
Love how the microphone interference just keeps getting louder and louder.
@framegrace1 9 months ago
Hear no interference... maybe because I'm old. Sounds perfectly clear to me.
@lyfandeth 9 months ago
It isn't interference. It is a 60 cycle ground hum. Any high school AV squad knows how to check for ground faults. Sometimes it is as simple as turning a plug around in a power socket. Sometimes it is a disconnected ground wire. About as difficult to fix as "gee, my flashlight went out."
@framegrace1 9 months ago
@@lyfandeth no hum either. Clear for me.
@markblacket8900 9 months ago
@@framegrace1 maybe you didn't watch the video for long enough? it starts at around 26 minutes
@JambulaniDE 9 months ago
I heard the humming from the beginning..
@zerog2000 9 months ago
Wow rolling physical firmware updates on millions of devices is going to be a pain. Ok, let's be real - a lot of the POS stuff may never get patched ;)
@user-mn8lz7gf6d 9 months ago
almost all of them you mean
@tissuepaper9962 9 months ago
These points-of-sale are some real pieces of shit. POS POSs, in other words.
@SP-ny1fk 9 months ago
It's ok though - it's the bank's money :)
@tissuepaper9962 9 months ago
@@SP-ny1fk fundamental misunderstanding of the modern financial system. If the banks all lose a shitload of money, *your* money becomes less valuable, because the government will feel obligated to bail out the banks by printing absurd amounts of cash.
@anouarkrassimovich7481 9 months ago
@@SP-ny1fk in the case of ATMs, yes. Not in the case of terminals; in that case it's more likely to impact the merchants and/or the consumers, based on the goal of the malware that they implant
@arman_ 9 months ago
great talk Josep, and amazing research.
@joemerino3243 9 months ago
The video: an incredible find of multiple crippling vulnerabilities in everyday money-handling devices; The comments: oMg thE SoUnd iS bUzZinG
@dickheadrecs 9 months ago
SNACK OVERFLOW
@zerog2000 9 months ago
Exploit brand name winner here ;)
@theflowpowa42oshow 1 month ago
Gotta go with the flow my guy
@MeepMu 9 months ago
Multiple buffer overflows... How is payment firmware this amateurish?!
@williamallen7836 9 months ago
Easy. The manufacturer is not held criminally or civilly responsible for data breaches. Once we start holding them criminally & civilly responsible they will suddenly secure their devices.
@adamdnewman 9 months ago
It always is!
@rberkar6669 8 months ago
$$$$
@MAlanThomasII 8 months ago
The hardware vendors probably aren't liable for any losses. The credit card companies are, and they charge the stores 3% of the gross on every transaction to pay their security team and cover their losses. So the biggest liability is on the people who have the least influence over the manufacturers.
@aymanhawari2589 6 months ago
MGM was paying IT techs 15/hr in Vegas.... No wonder they got social engineered
@syrus3k 9 months ago
"Easy Money" - John Connor, Terminator 2. That film is getting far too close to reality.
@theflowpowa42oshow 1 month ago
Hasta la vista baby!!!!
@boreddude123456 4 months ago
This was great. I'm really new to this sort of stuff and was mostly able to follow along. It gets me excited because even as a newbie, there are still some "low hanging fruit" I can pick at and learn from!
@theflowpowa42oshow 1 month ago
But is the juice worth the squeeze?
@lsdave 9 months ago
How does a conference of hackers have such BAD audio and video.
@ShahabSheikhzadeh 8 months ago
Seems to be getting worse after DEFCON 25.
@anomicxtreme 8 months ago
deafcon? @@ShahabSheikhzadeh 😆😆
@NeverGiveUpYo 9 months ago
Amazing talk
@sjoervanderploeg4340 8 months ago
That explains all the new terminals in most shops!
@0xfrijolito 9 months ago
wow, great talk
@zerog2000 9 months ago
For some reason, I still prefer chip & PIN, even though the guys at the counter are like - just tap bro!
@infamousm2223 9 months ago
I have these lil Magtek eDynamo payment devices. They read cards and have NFC and wireless compatibility. I think they'd be a good device to play with.
@sacredk1 9 months ago
Josep rocks
@nisanagabyev248 5 months ago
great talk
@maxdulin2353 6 months ago
Complete lack of binary protections is wild to me. NX, stack cookies, ASLR... all would have made this much harder.
@haczyk84 7 months ago
So basic bug :) Our favorite forum is named in honor of this, yet still many people (you mention other OS drivers aside from this reader) make these mistakes.
@Crftbt 9 months ago
25:50 buzzing intensifies
@anwiseru9064 6 months ago
15:40 noise gate intensifies
@Crftbt 6 months ago
@@anwiseru9064 I lol'd. great job noticing that. >_
@theflowpowa42oshow 1 month ago
I made it through to the other side
@Detroittruckdoctor55 9 months ago
The gas station I frequent got my business card like this and went crazy at Best Buy
@barduk9963 8 months ago
1600 functions letsgooooooo
@infamousm2223 9 months ago
I watched this whole segment and paid attention like I knew how to do any one of the wonderful things he has learned and figured out. Maybe one day I will be able to understand and learn from y'all! Baby steps. I have to say dude must have plenty of money and super morals and will power cuz it'd be hella hard not to just use a lil bit of the monopoly money our gov prints up. Next exploits I want to see someone handle the gambling machines now! That'd be great! Ppl runin round jackpottin everything!
@versacebroccoli7238 9 months ago
If you steal even 20 dollars from an ATM like this you will be caught and you will face the full force of the US government. It's not even worth considering. You will be left bankrupt and without a future stuck in prison.
@professorpwerrel 9 months ago
Listen to Darknet Diaries episode 18 - Jackpot, where a guy figured out how to get a payout basically whenever he wanted. Of course he got caught cause a casino doesn't just lose money and not wonder why!
@ClickClack_Bam 8 months ago
@@versacebroccoli7238 Believe it or not, NOT everybody gets caught for their crimes. Some city detectives in major cities are only 50% at solving homicides. That's with the full support of Gov't resources. In fact murders are going forward on an ever-increasing level unsolved. Guess what? It's a record high right now! I know an old bank robber from the 80's & 90's who STILL spends the old 20 dollar bills in cash. He never moved to a bigger nicer house. NEVER flashed his money & was NEVER caught. He's stolen so much he still spends that money. He works a normal job & spends cash only. Other than having a roll of 100% old school 20's you'd never figure the guy shouldn't really have those or that he got them from robbing banks.
@FukU2222 7 months ago
for whoever is doing the CCs; "inaudible" @ 3:37 is "juicy stuff"
@alpaykasal2902 9 months ago
this is John Connor approved.
@jonnyfatboy7563 9 months ago
imagine being able to hack ATMs for 2 years and not being rich... 😂 fair play 👊
@ZeroPlayerGame 8 months ago
Hacking ATMs is super traceable physically, unless you wanna go on the run in another country I don't think that's worth it.
@marceloteles1154 4 days ago
Wtf I work in the vending machine business, have to see this 😂
@tigidou3344 9 months ago
GG for noob soundman.
@muttch 9 months ago
❤🎉
@hohsmith4723 7 months ago
Was able to crash some gas pumps with contactless using a Flipper Zero. I know that Flipper can't emulate EMV payments, but it will damn sure crash a payment system 😂 It pretty much made the pump unresponsive for about 10 min while it rebooted, the screen showed some pretty interesting information such as firmware version and OS. Was pretty surprised Zero crashed it though....
@exchange4918 9 months ago
When will there be better audio? Most recent uploads are unbearable!
@ClassicRiki 9 months ago
It's astonishing to me that a conference attended by some of the best minds in technology can't upload a RU-vid video without an incredibly f*cking annoying interference hum almost as loud as the person. If you're reading this guys... sort it out; it's just embarrassing
@ChristopherWoods 9 months ago
It sounds like a nasty ground loop or unterminated audio into a mixer from whatever setup they have to get audio from presenters' devices on stage. Perhaps the venue insists on using their provided stage equipment and PA and DEFCON has to take a feed from that for recordings.
@ClassicRiki 9 months ago
@@ChristopherWoods yeah but that's easily filtered even in the video post production edit right? So it still seems lazy to me
@ClassicRiki 9 months ago
The livestream might be more difficult (not impossible) but once it's finished; you take that audio and filter out those frequencies
@ChristopherWoods 9 months ago
@@ClassicRiki can be tricky as sometimes the processing can make the vocal quite 'squelchy' and unnatural. I wonder if they just wanted to get the video up quickly despite the audio issues.
@tidenly 9 months ago
It seems like the majority of videos have some kind of levels, mic, sound or video issue in them. Are they really so stingy they won't pay for a good sound technician?
@phnix6242 8 months ago
So free stuff or not?
@QIKUGAMES-QIKU 5 months ago
I just want the code for FREE chips 🍟 😅
@zelko_is_real 9 months ago
I feel proud that I theorized such an attack, and seeing it actually be a thing gives me chills.
@theflowpowa42oshow 1 month ago
I'm shaking in my boots
@blackparabellum 7 months ago
BRB moving to China for an infinite social credit score.
@cogspace 8 months ago
Maybe Apple and Google should "weaponize" Apple Pay and GPay using this exploit to update the firmware on any vulnerable devices that are still out in the wild. =)
@Makeybussines 9 months ago
Please fix audio
@lynzoido 9 months ago
Dude needs a new top case for his MBP. Flickering touchbar lolol. Great talk
@IndianaDipper194 9 months ago
he's using a 50hz camera and it's a 60hz display. nothing wrong with it.
@lynzoido 9 months ago
@@IndianaDipper194 umm, no. I just replaced mine after the same TB flickering. Google it
@AfonsodelCB 9 months ago
hello, RU-vidr doing research for your next multi-million view video about the biggest vulnerability in modern banking. I see you. Thanks for doing justice to this, this guy with his highly technical presentation talking in a heavy Spanish accent is burying the lede by not just saying "I could make most of the world's ATMs spew out all their cash, buy anything I wanted for 1 cent, and lead any commerce establishment I want to quick bankruptcy, all using my Pixel phone".
@tissuepaper9962 9 months ago
Attendees of a highly technical conference do not need you to tell them how awesome your research is, they can clearly see the ramifications without bright red arrows and exclamation points. "burying the lede" is also known as "humility" to everybody except journalists.
@AfonsodelCB 9 months ago
@@tissuepaper9962 if you've succeeded well in your life with that mentality, then I have nothing but respect for you
@cameronrich2536 8 months ago
He figured this all out but can't get the computer sound to work lol
@zeroskill. 5 months ago
take a shot every time he says uhhhh
@SqualidsargeStudios 9 months ago
Interesting information, BUT you can hear he isn't really a public speaker
@kraagnjilwulf1413 9 months ago
Yeah, he's a hacker, public speaking isn't his job. You don't expect a convenience store clerk to fix a car, so what's the issue?
@franz3810 9 months ago
so? go watch politics talking lies if u wanna hear that
@ChristopherWoods 9 months ago
I thought he talked extremely well considering he's presenting a very technical demo of a complicated exploit, in a non-native language, with loads of technical terminology. He's a much more fluent and polished speaker than many native English speaking presenters I've heard...
@Tattootin 9 months ago
I'm curious why the speakers here don't have to get their way in to make their points? Top tier folks should be able to show off their work and I think adding a component of competition and structural changes within not working together, but almost. I know nothing. I'm just here to see if this is viable? Or maybe this PowerPoint is all anyone needs and these amazing speakers are already established? I mean no disrespect. I don't know why I was recommended this. But I somehow managed to understand the first points he made. I'm intrigued now.
@nonchip 9 months ago
every 2nd sentence starts with "as you can see in this 2k-lines pale-on-white code vomit with fontsize
@framegrace1 9 months ago
How about reading the documentation they provide... This is just a talk, not a lecture.
@nonchip 9 months ago
@@framegrace1 a talk is supposed to summarize/present the new information it's about, not show a wall of unreadable while going "as you clearly see here" and "as you know" every 2 seconds as if the audience wrote the lecture.
@publicacct5626 9 months ago
You may not be the target audience for this presentation.
@nonchip 9 months ago
@@publicacct5626 who is? people with CSI-style "enhance" built into their screens?
@nurxg 9 months ago
The speaker is using standard exploit strategies (that is partly why this is so jaw dropping - that so much low hanging fruit is there). He doesn't need to explain what a stack overflow or secure boot is to this audience.
@stefanjohansson2373 9 months ago
Embarrassing event that can't handle sound/video in the presentations. This was the last place I thought the technicians would be incompetent. Impossible to listen to this worthless quality.
@framegrace1 9 months ago
There's a lot of people with hearing problems in this video, must be something about the age maybe? (I've had no problem following the talk)
@stefanjohansson2373 9 months ago
@@framegrace1 Are you the fired sound technician? 😂
@oof-software 9 months ago
It was so bad I opened Equalizer APO to fix it 😭
@franz3810 9 months ago
XDDD @@stefanjohansson2373
@blackmoon9511 8 months ago
It's perfectly fine on mobile lmao get a hearing check
@DragonwoodDesigns 7 months ago
3 "uhm's" per sentence? Unwatchable! Wish I could hear the story!
@lyfandeth 9 months ago
I wish the speaker gave a damn about speaking ENGLISH to an audience in America. There's no excuse for that heavy accent. He'd be a blast speaking a tonal language like Mandarin or Thai. Between his accent and the ground hum in the PA... Come on guys, this shouldn't be amateur night. And yes, I'm multilingual. I know it can be done.
@bijavix 9 months ago
I'm pretty sure it's a Spanish accent. Every accent WILL sound different as the phonetics used between languages vary a lot. He was a little nervous and did great.
@hakz07 9 months ago
are you kidding, the guy was perfectly understandable
@kosherkatfishing1614 9 months ago
LMAO imagine being in tech complaining about this guy's accent...
@decencies 9 months ago
That's a bit petty, don't you think? I agree with the persistent humming noise present near the end of the talk, but an accent? cmon now.
@camiscooked 9 months ago
Lol figure out how to do the exploit yourself, it's as easy as not talking in an accent you absolute genius you
@Sam-wu5ry 8 months ago
Why are the fake comments taking 😢😢😢😢😢 forever to load i keep on typing and the words constantly disappear #restaurant #byyourowncredict #creditcard
@theflowpowa42oshow 1 month ago
nope seems like they are working to me.
@darkreddust2135 9 months ago
Why is it so hard for the organisers to get the sound working... every single time a talk is supposed to have sound it's not working...
@JeanQPublique 9 months ago
VLC was muted. You can hear the sound tech turning up the PC sound channel so much that the 60Hz hum is audible. This was presenter error, not tech error.
@darkreddust2135 9 months ago
@@JeanQPublique well, even if it was. There have been a lot of talks where the sound hasn't worked, even one where the whole presentation hasn't worked for the first half...
@prgnify 9 months ago
It's cause the organisers were hacked
@zerog2000 9 months ago
Yeah I always thought DefCon was probably one of the most hostile RF environments outside of an active theatre of war ;)