IOActive information security expert Josep Rodriquez has warned that NFC readers used in many modern ATMs and point-of-sale systems make them vulnerable to attacks. The flaws make them vulnerable to a range of problems, including being crushed by a nearby NFC device, being locked as part of a ransomware attack, or even being hacked to extract certain credit card data.
Rodrik also warns that the vulnerabilities can be used as part of a so-called "jackpot" attack to trick a machine out of money, however, such an attack is only possible when paired with additional bug exploits, and Wired says it hasn't been able to view a video of such The attack was due to an IOActive confidentiality agreement with the affected ATM vendor.
By relying on vulnerabilities in machine NFC readers, Rodriquez's hacks are relatively easy to implement, while some previous attacks have relied on the use of devices such as medical endoscopes to examine devices, Rodriquez can simply point an Android phone running its software in front of the device's NFC reader To exploit any loopholes it might have.
In a video shared with Wired earlier, Rodriquez caused an ATM in Madrid to display an error message, simply by waving his smartphone over his NFC reader, and then the machine became unresponsive to real credit cards that were shown to the reader.
The research highlights two big problems with the systems. The first is that many NFC readers are vulnerable to relatively simple attacks, Wired reports. For example, in some cases readers do not check how much data they receive, which means that Rodriquez was able to overwhelm the system with too much data and corrupt its memory as part of a "buffer overflow" attack.
The second problem is that even once a problem is identified, companies can be slow to apply the patch to hundreds of thousands of devices in use around the world. A device often needs to be physically visited to apply the update, and many of them do not receive regular security patches year 2020.
Rodriguez plans to present his findings as part of a webinar in the coming weeks to highlight what he says are the weak security measures for embedded devices.