This is page 2 of:
PIN Pad Pong: Is Verifone Playing Games With German POS Security?
What neither side is saying—except for a brief reference by Verifone to the researchers as a “commercial” security firm—is that this is probably about money. The researchers want to be hired to fix the problem they found. Verifone doesn’t want to pay their price.
And after the researchers went on TV last week, it’s likely Verifone sees this as war. How dare these hackers publicly embarrass Verifone by showing how easily the PIN pad can be taken over—even if they didn’t actually reveal enough details for Verifone or anyone else to figure out how it was done.
Meanwhile, the researchers are publicly lamenting the state of PIN pad security and the fact that German retailers will be saddled with insecure PIN pads for years, even after their TV appearance, because Verifone and retailers aren’t likely to replace hundreds of thousands of PIN pads with versions that don’t have the hardware diagnostic port exposed.
Yes, it has all descended into the realm of the personal, which is the least useful place for a security problem to be.
The irony, of course, is that after all the huffing and puffing, it may not matter much. A security hole that’s so obscure—and apparently never been exploited in the wild—is very nearly the equivalent of an unknown bug. Except that if a retailer is ever actually breached, the retailer can point to Verifone as the source of the problem.
Yes, there probably is a risk, and it should be fixed. But until someone else figures out the details of the problem, it looks like it’ll be the security researchers’ little secret.
Beyond that, German retailers aren’t likely to care—they’re worried about their own businesses and assuming PIN pad security is someone else’s problem (specifically Verifone’s). Consumers won’t care either, because what they’re most likely to remember is that two guys on TV managed to play Pong on the same device they use to pay for groceries.
That’s not going to encourage consumers to take payment-card security seriously. As one commenter on the tech-news site Ars Technica described an imaginary scenario: “You plug your card into the machine to make a transaction [and] Pong appears on the screen. You know your card security has been breached, but you’re compelled to make it to level 10.”
Then again, it may mean there’s an opportunity for Verifone. If the vendor ever does track down those alleged buffer-overflow problems and issue a software to fix them, maybe it could include a screen-saver option for when the PIN pad isn’t being used for transactions. Tetris, anyone?
-Marc
July 19th, 2012 at 12:03 pm
Internally, PIN pads have two discrete processing components, an application processor and a security module. The security module contains the keys and does the encryption. The researchers have not claimed they broke into this module. The app processor displays the screens, and gathers user input, and this is where the attack was demonstrated.
To prevent fraud by a dishonest retailer, applications and screens that display 10 key pads have to be reviewed and digitally signed by the manufacturer to ensure the app isn’t falsely requesting the customer’s PIN.
However, the app’s security is enforced by the app processor’s OS. With JTAG access (USB JTAG communications modules can be bought online or built for about $20 in parts), or other network vulnerabilities that enable accessing system level code, the attacker could take over the OS, bypass the signature requirements and run their own code, enabling them to intercept PINs.
The guys at Security Research Labs have done some serious work in the area of breaking ciphers, and have developed and released software that mathematically analyzes generic crypto algorithms, and used it to break the Crypto1 cipher used in the MiFare transit cards in under 40 seconds.
They have the chops. If they claim to have hacked these PIN pads, and if they say a risk exists, I don’t doubt them.