point of sale

POS device manufacturers release vulnerability patches

Point-of-sale(POS) device makers Verifone and Iningenico have released fixes to device defects that researchers have discovered could allow to steal payment card data, clone cards or install malware.

See also: SASE Model: A New Approach to Security

Independent researcher Aleksei Stennikov and Timur Yunusov, head of offensive security research at Cyber R.D Lab, described their vulnerability findings in a paper published recently in the Black Hat Europe 2020 virtual event.

To mitigate the risk of defects, the researchers urge device owners to immediately apply vendor-provided patches.

The researchers say vulnerabilities in the default password settings, as well as arbitrary code execution, can affect the Verifone VX520 and Verifone MX series, as well as the Iningenico Telium 2 series – all of which are widely used.

The two suppliers, along with the Payment Card Industry Security Standards Council, released fixes to the defect in November, after the researchers notified them.

A spokesman for Iningenico could not be reached for comment. A representative for Verifone told Inform Security Media Group that while it is unlikely to use the methods described in this article to attack, the company urged its customers to patch affected POS devices.

“So far, we haven’t realized that these vulnerabilities are being exploited in the market,” a Verifone spokesman said. “Security companies have verified that the latest patches and software updates available to all of our customers correct these vulnerabilities. Customers are currently at different stages of implementing these patches or software updates. “

POS devices are primarily vulnerable to default password settings. can access any new device using a Google password, the study said.

“All hardware devices come with the manufacturer’s default password, including POS terminals – Google searches can easily find them,” the researchers said. “These credentials provide access to special ‘service modes’ where hardware configurations and other features can be used. One manufacturer, Iningenico, even prevents you from changing. “

Once attackers gain access to service patterns in these devices, they can use stack overflow and buffer overflow vulnerabilities to execute arbitrary code to take advantage of other attacks. According to the researchers, these attacks include:

Send arbitrary packets: This could allow an to modify the POS terminal and its processing network data transfer, changing transactions and target banks through server-side vulnerabilities.
Clone card: By copying credit card information, duplicate data can be written to a new credit card for fraudulent transactions.
Clone Terminal: By cloning a payment terminal, an can run fraudulent transactions, process less secure transactions, and bypass secure EMV transactions.
Gain persistence: An could use this malware to install malware that can survive even after the device restarts.
Prevent default password attacks
Jake Moore, a cyber security expert at security firm ESET, said: “If all hardware devices come with a default password, it doesn’t make sense to use a password to override any other security on the device in the first place.” A simple Google search will display the password and cause a decrease in security. If I can’t even change these passwords, I’ll seriously consider not using these devices. “

Chris Hazelton, director of security solutions at security firm Lookout, says smaller businesses are unlikely to apply POS patches immediately.

“Point-of-sale machines require multiple layers of security against physical and digital threats,” Hazelton said. “Moms and pop stores may not be aware of the need to maintain the latest firmware for their POS computers because they don’t see what they really mean. Although vendors provide patches, it’s easy to admit that many users haven’t implemented easy-to-use tools for small businesses to see the risks to endpoints of all connections, especially when vulnerabilities are involved. “