PIN Pad Pong: Is Verifone Playing Games With German POS Security?
Written by Frank Hayes

The most popular PIN pad in Germany may have a major security hole—at least that’s what a German security lab says. Verifone insists it can’t reproduce the problem. In response, the researchers on July 12 went public with a demonstration on German TV in which a PIN pad was hacked to turn it into a Pong game. Yes, it looks like this started by being about security, and then about money—now, it’s personal.
The problem with this needle match is that what sticks in the minds of consumers is a PIN pad playing Pong—and with that image, who can take payment security seriously?
The PIN pad in question, the Artema Hybrid Terminal, is one that Verifone acquired when it bought all of Hypercom’s business outside the U.S. It handles both Chip-and-PIN and magstripe cards with a single slot, which explains both the Hybrid name and why it’s so popular in Germany—about 300,000 are in use by retailers in Germany and Austria. Naturally, the device has passed muster with the German equivalent of PCI.
But last week, Security Research Labs (SRL) in Berlin claimed the PIN device has both software and hardware vulnerabilities. SRL researchers say the device’s network stack is subject to buffer overflows, the serial-port interface also enables code execution through a buffer overflow, and a diagnostic port is accessible from outside the device, making it possible to get full debugging control over the device without opening it.
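The "buffer overflow in the network stack" class of bug SRL describes is, in its simplest form, a length field read from the wire and trusted when copying into a fixed-size buffer. The following is an added illustration, not code from Verifone, Hypercom or SRL: the wire format, the `parse_frame` function and the sample frames are all constructed for this example, and the Artema Hybrid's real protocol is not known from the article. It shows the trusting copy as a comment beside the two checks that a receive path needs (declared length against destination capacity, and against the bytes actually received).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical wire format (constructed for this example, not the Artema
 * Hybrid's real protocol): [type:1][len:2 big-endian][payload:len bytes] */
#define HDR_LEN      3
#define MAX_PAYLOAD 64

enum parse_result {
    PARSE_OK        = 0,
    PARSE_TRUNCATED = -1,  /* frame shorter than the header or the declared length */
    PARSE_TOO_LONG  = -2   /* declared length exceeds the fixed payload buffer */
};

struct message {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[MAX_PAYLOAD];
};

/* Parse one frame from a receive buffer into a fixed-size message. */
int parse_frame(const uint8_t *frame, size_t frame_len, struct message *out)
{
    if (frame_len < HDR_LEN)
        return PARSE_TRUNCATED;

    uint16_t len = (uint16_t)((frame[1] << 8) | frame[2]);

    /* Vulnerable pattern (the bug class the article describes):
     *     memcpy(out->payload, frame + HDR_LEN, len);
     * len is attacker-controlled; nothing stops it exceeding MAX_PAYLOAD, so
     * whatever sits past the buffer gets overwritten. The two checks below
     * close that: destination capacity first, then source availability. */
    if (len > MAX_PAYLOAD)
        return PARSE_TOO_LONG;
    if (frame_len - HDR_LEN < len)
        return PARSE_TRUNCATED;

    out->type = frame[0];
    out->len  = len;
    memcpy(out->payload, frame + HDR_LEN, len);
    return PARSE_OK;
}

/* Constructed sample frames */
static const uint8_t FRAME_GOOD[]      = { 0x01, 0x00, 0x03, 'P', 'I', 'N' };
static const uint8_t FRAME_OVERSIZED[] = { 0x01, 0xFF, 0xFF, 'A' };  /* claims 65535 bytes */
static const uint8_t FRAME_SHORT[]     = { 0x01, 0x00, 0x0A, 'A', 'B' }; /* claims 10, carries 2 */

int main(void)
{
    struct message m;
    printf("good:      %d\n", parse_frame(FRAME_GOOD, sizeof FRAME_GOOD, &m));
    printf("oversized: %d\n", parse_frame(FRAME_OVERSIZED, sizeof FRAME_OVERSIZED, &m));
    printf("short:     %d\n", parse_frame(FRAME_SHORT, sizeof FRAME_SHORT, &m));
    return 0;
}
```

The order of the checks matters: rejecting an oversized length before looking at the source bytes means a frame can never be accepted just because the sender padded it out to match a length that the destination cannot hold.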
“These attacks target the terminal’s application processor,” the two-man research team wrote. “The security of the cryptographic module (HSM) has not yet been investigated as far as key extraction attacks are concerned. However, a design or implementation shortcoming in the HSM enables control over display and PIN pad from the application processor.”
In other words, even if the security module is safe, what customers (and retailers) see can still be controlled by malware, which could enable PIN capture or other attacks.
At least, that’s what the researchers say. Verifone, for its part, insists the PIN pad is secure. “At no point was the security module or encrypted PIN compromised in this reported attack scenario; neither was the integrity of the EMV transaction violated,” responded Verifone payment security VP Dave Faoro. “As the security module is not affected by the attack scenario, it is not possible using an amended application program to modify the security module’s PIN processing of a successful card payment transaction.”
That is, transactions on the Artema Hybrid are safe—but no word on whether PINs or card data can be grabbed.
Faoro also said Verifone hired its own security lab, which couldn’t reproduce the attack scenario, and hired two more penetration testing firms to work on the problem. He complained that the German researchers haven’t given Verifone enough information to understand the attack. The researchers say they notified Verifone about the vulnerability more than six months ago, and Verifone’s inaction is why they went on TV.
This all sounds like some strange passive-aggressive security dance, with the researchers saying, “You have a security hole but we won’t tell you what it is,” and Verifone responding, “How can we know what’s wrong if you won’t tell us?”
What neither side is saying is that this is probably about money.
July 19th, 2012 at 12:03 pm
Internally, PIN pads have two discrete processing components, an application processor and a security module. The security module contains the keys and does the encryption. The researchers have not claimed they broke into this module. The app processor displays the screens and gathers user input, and this is where the attack was demonstrated.
To prevent fraud by a dishonest retailer, applications and screens that display 10-key pads have to be reviewed and digitally signed by the manufacturer to ensure the app isn’t falsely requesting the customer’s PIN.
However, the app’s security is enforced by the app processor’s OS. With JTAG access (USB JTAG communications modules can be bought online or built for about $20 in parts), or other network vulnerabilities that enable accessing system level code, the attacker could take over the OS, bypass the signature requirements and run their own code, enabling them to intercept PINs.
The guys at Security Research Labs have done some serious work in the area of breaking ciphers, and have developed and released software that mathematically analyzes generic crypto algorithms, and used it to break the Crypto1 cipher used in the MIFARE transit cards in under 40 seconds.
They have the chops. If they claim to have hacked these PIN pads, and if they say a risk exists, I don’t doubt them.