For this purpose, the expert has created an Android application with which his smartphone can simulate credit card radio communications and exploit vulnerabilities in the firmware of NFC-enabled systems. By simply waving his phone, Rodriguez said he can exploit problems and cause denial of service to PoS terminals, hack them and collect and transfer credit card data, discreetly change the value of transactions, and even lock the device and display a ransom notification on its screen.
Moreover, the researcher says it is possible to force ATMs (of at least one manufacturer) to dispense cash, although this method only works in conjunction with the exploitation of other vulnerabilities he found in the ATM firmware.
Studying NFC and payment terminals, Rodriguez found that they all share the same vulnerability: the devices do not check the size of the data packet (application protocol data unit, APDU) sent via NFC from the credit card to the reader.
APDU is a format for communication between a card and a terminal. The terminal sends a Command APDU (C-APDU) and the card responds with a Response APDU (R-APDU).
Using the application he created, the researcher sent a specially formed APDU request from the smartphone to the reader and provoked a buffer overflow.
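The page states that the readers accept an APDU without validating its declared data length. As an added illustration (not Rodriguez's tool, nor any vendor's firmware, and not a description of the specific flaw in the affected readers, which the page does not detail), the following C parser shows the defensive counterpart: a short-form C-APDU is accepted only if the Lc byte is consistent with the number of bytes actually received, and data is copied into the fixed buffer only after that check. Sample frames are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define APDU_MAX_DATA 255   /* short-form Lc is one byte: 1..255 data bytes */

typedef struct {
    uint8_t cla, ins, p1, p2;
    size_t  lc;                  /* number of command data bytes actually present */
    uint8_t data[APDU_MAX_DATA]; /* fixed-size target: only written after the bounds check */
    int     has_le;
    uint8_t le;
} c_apdu_t;

typedef enum { APDU_OK = 0, APDU_TOO_SHORT, APDU_LC_MISMATCH,
               APDU_EXTENDED_UNSUPPORTED, APDU_TRAILING_GARBAGE } apdu_status_t;

/* Parse a short-form C-APDU: CLA INS P1 P2 [Lc data] [Le]. Rejects any frame whose
 * declared Lc does not fit inside the bytes that were really received. */
apdu_status_t parse_c_apdu(const uint8_t *frame, size_t frame_len, c_apdu_t *out)
{
    memset(out, 0, sizeof *out);
    if (frame_len < 4) return APDU_TOO_SHORT;            /* header is mandatory */
    out->cla = frame[0]; out->ins = frame[1]; out->p1 = frame[2]; out->p2 = frame[3];
    if (frame_len == 4) return APDU_OK;                   /* case 1: no data, no Le */
    if (frame_len == 5) { out->has_le = 1; out->le = frame[4]; return APDU_OK; } /* case 2 */
    if (frame[4] == 0) return APDU_EXTENDED_UNSUPPORTED;  /* 0x00 here means extended length */
    size_t lc = frame[4];
    if (5 + lc > frame_len) return APDU_LC_MISMATCH;      /* the check the page says is missing */
    size_t rest = frame_len - 5 - lc;
    if (rest > 1) return APDU_TRAILING_GARBAGE;           /* at most one Le byte may follow */
    out->lc = lc;
    memcpy(out->data, frame + 5, lc);                     /* safe: lc <= 255 and lc bytes exist */
    if (rest == 1) { out->has_le = 1; out->le = frame[5 + lc]; }
    return APDU_OK;
}

/* Constructed sample frames: a well-formed SELECT (case 4) and one whose Lc claims 255 bytes
 * but carries only three. Neither comes from the page. */
static const uint8_t SAMPLE_SELECT[] = {0x00,0xA4,0x04,0x00,0x07,0xA0,0x00,0x00,0x00,0x03,0x10,0x10,0x00};
static const uint8_t SAMPLE_BAD_LC[] = {0x00,0xA4,0x04,0x00,0xFF,0xA0,0x00,0x00};

apdu_status_t check_frame(const uint8_t *frame, size_t n) { c_apdu_t tmp; return parse_c_apdu(frame, n, &tmp); }

int main(void)
{
    printf("SELECT frame: status %d\n", check_frame(SAMPLE_SELECT, sizeof SAMPLE_SELECT));
    printf("bad-Lc frame: status %d\n", check_frame(SAMPLE_BAD_LC, sizeof SAMPLE_BAD_LC));
    return 0;
}
```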
“You can modify the firmware and change the price, for example, by one dollar, even if the screen shows that you are paying fifty dollars. You can render the device useless or install some ransomware. There are many possibilities. If you carry out an attack and send a special payload to the ATM computer, you can get cash just by touching the smartphone screen,” says Rodriguez.
The researcher informed the manufacturers of the vulnerable devices, including ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS and Nexgo, about the problems several months ago. ID Tech, BBPOS and Nexgo did not respond to Wired's request for comment. Representatives of card-terminal maker Ingenico said that the vulnerabilities described by Rodriguez can only cause a device failure, not code execution. The company has nonetheless already released a corresponding fix.