PIN Pad Pong: Is Verifone Playing Games With German POS Security?
Written by Frank Hayes
The most popular PIN pad in Germany may have a major security hole—at least that’s what a German security lab says. Verifone insists it can’t reproduce the problem. In response, the researchers on July 12 went public with a demonstration on German TV in which a PIN pad was hacked to turn it into a Pong game. Yes, it looks like this started by being about security, and then about money—now, it’s personal.
The problem with this needle match is that what sticks in the minds of consumers is a PIN pad playing Pong—and with that image, who can take payment security seriously?
The PIN pad in question, the Artema Hybrid Terminal, is one that Verifone acquired when it bought all of Hypercom’s business outside the U.S. It handles both Chip-and-PIN and magstripe cards with a single slot, which explains both the Hybrid name and why it’s so popular in Germany—about 300,000 are in use by retailers in Germany and Austria. Naturally, the device has passed muster with the German equivalent of PCI.
But last week, Security Research Labs (SRL) in Berlin claimed the PIN device has both software and hardware vulnerabilities. SRL researchers say three things: the device’s network stack is subject to buffer overflows; the serial-port interface also enables code execution through a buffer overflow; and a diagnostic port is accessible from outside the device, making it possible to get full debugging control over the device without opening it.
“These attacks target the terminal’s application processor,” the two-man research team wrote. “The security of the cryptographic module (HSM) has not yet been investigated as far as key extraction attacks are concerned. However, a design or implementation shortcoming in the HSM enables control over display and PIN pad from the application processor.”
In other words, even if the security module is safe, what customers (and retailers) see can still be controlled by malware, which could enable PIN capture or other attacks.
At least, that’s what the researchers say. Verifone, for its part, insists the PIN pad is secure. “At no point was the security module or encrypted PIN compromised in this reported attack scenario; neither was the integrity of the EMV transaction violated,” responded Verifone payment security VP Dave Faoro. “As the security module is not affected by the attack scenario, it is not possible using an amended application program to modify the security module’s PIN processing of a successful card payment transaction.”
That is, transactions on the Artema Hybrid are safe—but no word on whether PINs or card data can be grabbed.
Faoro also said Verifone hired its own security lab, which couldn’t reproduce the attack scenario, and hired two more penetration testing firms to work on the problem. He complained that the German researchers haven’t given Verifone enough information to understand the attack. The researchers say they notified Verifone about the vulnerability more than six months ago, and Verifone’s inaction is why they went on TV.
This all sounds like some strange passive-aggressive security dance, with the researchers saying, “You have a security hole but we won’t tell you what it is,” and Verifone responding, “How can we know what’s wrong if you won’t tell us?”
What neither side is saying is that this is probably about money.