IOActive security researcher Josep Rodriguez has warned that the NFC readers used in many modern ATMs and point-of-sale systems are leaving them vulnerable to attacks, Wired reports. The flaws expose the machines to a range of problems, including being crashed by a nearby NFC device, locked down as part of a ransomware attack, or even hacked to extract certain credit card data.
Rodriguez even warns that the vulnerabilities could be used as part of a so-called “jackpotting” attack to trick a machine into spitting out cash. However, such an attack is only possible when paired with exploits of additional bugs, and Wired says it was not able to view a video of such an attack because of IOActive’s confidentiality agreement with the affected ATM vendor.
By relying on vulnerabilities in the machines’ NFC readers, Rodriguez’s hacks are relatively easy to execute. While some previous attacks have relied on using devices like medical endoscopes to probe machines, Rodriguez can simply wave an Android phone running his software in front of a machine’s NFC reader to exploit any vulnerabilities it might have.
In one video shared with Wired, Rodriguez causes an ATM in Madrid to display an error message, simply by waving his smartphone over its NFC reader. The machine then became unresponsive to real credit cards held up to the reader.
The research highlights a couple of big problems with the systems. The first is that many of the NFC readers are vulnerable to relatively simple attacks, Wired reports. For example, in some cases the readers aren’t verifying how much data they’re receiving, which means Rodriguez was able to overwhelm the system with too much data and corrupt its memory as part of a “buffer overflow” attack.
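The missing size check described above is easiest to see next to the code that prevents it. The following is an added example, not code from the Wired report, IOActive or any vendor's firmware: a bounds-checked parser for a hypothetical one-byte-tag, one-byte-length record received over NFC. The record format, `FIELD_MAX` and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32  /* hypothetical capacity of the reader's field buffer */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

struct card_field {
    uint8_t tag;
    uint8_t len;
    uint8_t value[FIELD_MAX];
};

/* Parse one [tag][len][value...] record from bytes received over NFC.
 * The length byte comes from the card, so it is untrusted and is checked
 * twice: against the bytes that actually arrived and against the size of
 * the destination. A parser that skips both checks and copies msg[1] bytes
 * writes past value[] whenever the card declares more than FIELD_MAX. */
int parse_card_field(const uint8_t *msg, size_t msg_len, struct card_field *out)
{
    if (msg == NULL || out == NULL || msg_len < 2)
        return PARSE_TRUNCATED;

    size_t declared = msg[1];
    if (declared > msg_len - 2)
        return PARSE_TRUNCATED;   /* claims more data than was received */
    if (declared > FIELD_MAX)
        return PARSE_TOO_LONG;    /* would overflow out->value */

    out->tag = msg[0];
    out->len = (uint8_t)declared;
    memcpy(out->value, msg + 2, declared);
    return PARSE_OK;
}

/* Constructed sample inputs: one well-formed record, one with a lying length. */
static const uint8_t SAMPLE_OK[]    = { 0x5A, 0x04, 0x11, 0x22, 0x33, 0x44 };
static const uint8_t SAMPLE_SHORT[] = { 0x5A, 0x10, 0x11, 0x22 };

int main(void)
{
    struct card_field f;
    printf("well-formed: %d\n", parse_card_field(SAMPLE_OK, sizeof SAMPLE_OK, &f));
    printf("lying length: %d\n", parse_card_field(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &f));
    return 0;
}
```

Rejecting the record outright, rather than truncating it to fit, keeps a malformed message from being processed in a partially valid state.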
The second problem is that even once an issue is identified, companies can be slow to apply a patch to the hundreds of thousands of machines in use around the world. Often a machine needs to be physically visited to apply an update, and many don’t receive regular security patches. One company said the problem Rodriguez has highlighted was patched in 2018, for example, but the researcher says he was able to verify that the attack worked in a restaurant in 2020.
Rodriguez plans to present his findings as part of a webinar in the coming weeks to highlight what he says are the poor security measures of embedded devices.