FOR THE LOVE OF MONEY
Finding and exploiting vulnerabilities in mobile point of sales systems
LEIGH-ANNE GALLOWAY & TIM YUNUSOV
Motivations

MPOS GROWTH
2010: single vendor
2018: four leading vendors shipping thousands of units per day
Related Work
MWR Labs, “Mission mPOSsible” (2014)
Mellen, Moore and Losev, “Mobile Point of Scam: Attacking the Square Reader” (2015)
Research Scope
Vendors in scope: PayPal, Square, iZettle, SumUp
“How much security can really be embedded in a device that is free?”
Components in scope: hardware, device/phone, mobile app, phone/server, secondary factors
Background

Traditional payment chain: MERCHANT → ACQUIRER → CARD BRANDS → ISSUER
mPOS payment chain: MERCHANT → MPOS PROVIDER → ACQUIRER → CARD BRANDS → ISSUER
CARD RISK BY OPERATION TYPE
• Chip & PIN
• Chip & Signature
• Contactless
• Swiped
• PAN Key Entry
GLOBAL ADOPTION OF EMV - POS TERMINALS
EU EMV ACCEPTANCE (90%): EMV enabled POS devices make up between 90-95% of the POS population
US EMV ACCEPTANCE (13%): EMV enabled POS devices make up 13% of the POS population and 9% of the ATM population
EMV CREDIT CARD ADOPTION (96%): 96% of credit cards in circulation support EMV as a protocol
EMV CREDIT CARD USAGE (41%): however, less than half of all transactions are made by chip
EMV DEBIT CARD ADOPTION (79%): 79% of debit cards in circulation support EMV as a protocol
EMV DEBIT CARD USAGE (23%): however, less than half of all transactions are made using chip
MPOS TIMELINE 2019 (chart): 46% (percentage of transactions), 52 million (number of units)
SCHEMATIC OVERVIEW OF COMPONENTS (diagram)
Methods & Tools

FINDINGS (overview)
• Sending arbitrary commands
• Amount modification
• Remote code execution
• Hardware observations
• Secondary factors
BLUETOOTH
BLUETOOTH PROTOCOL (stack, top to bottom)
Host:
• Software
• BT profiles, GATT/ATT
• L2CAP
Host Controller Interface (HCI)
Controller:
• Link Manager Protocol (LMP)
• Baseband
• Bluetooth radio
GATT (Generic Attribute) / ATT (Attribute Protocol), RFCOMM
GATT hierarchy: Service (UUID) → Characteristic (UUID) → Value
BLUETOOTH AS A COMMUNICATION CHANNEL
Bluetooth device address example: 68:AA:D2:0D:CC:3E
• NAP (68:AA) and UAP (D2) together form the Organisationally Unique Identifier
• LAP (0D:CC:3E) is unique to the device
BLUETOOTH ATTACK VECTORS (between slave and master)
• Eavesdropping/MITM
• Manipulating characteristics
Sniffing hardware: Ubertooth One ($120), Frontline BPA 600 ($20,000)
Findings

SENDING ARBITRARY COMMANDS
MANIPULATING CHARACTERISTICS
• Initiate a function
• Display text
• Turn off or on
User authentication doesn’t exist in the Bluetooth protocol; it must be added by the developer at the application layer.
Frame captured when the reader displays “Please remove card” (fields as labelled on the slide):
• LEADING PART: 02001d06010b000000 010013
• MESSAGE: 506c656173652072656d6f76652063617264 (“Please remove card”)
• TRAILING PART: 00ff08
• CRC: 3c62
• END: 03
ATTACK VECTORS
1. Force the cardholder to use a more vulnerable payment method such as mag-stripe.
2. Once the first payment is complete, display “Payment declined” and force the cardholder to authorise an additional transaction.
Data: 0d0501000017010300000c00496e736572742f73776970652063617264440d0a
• LEADING PART: 0d0501000017
• MESSAGE: 010300000c00496e736572742f73776970652063617264 (“Insert/swipe card”)
• CRC: 44
(the frame ends with 0d0a)
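A decoder for the captured frame, added here as an example (not code from the talk or from any vendor): it parses the “Insert/swipe card” bytes above, checks the length and check bytes, and extracts the display text. Two observations it relies on are verified on the captured bytes rather than stated on the slide (the last leading byte 0x17 = 23 is the message length, and the check byte 0x44 is the XOR of every byte before it); the split of the message into a 6-byte prefix and text is an assumption.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"errors"
	"fmt"
)

// Layout of the "Insert/swipe card" frame as labelled on the slide:
//   leading part (6 bytes) | message | check byte | 0d 0a
// Verified on the captured bytes (not stated on the slide): the last leading
// byte (0x17 = 23) is the message length, and the check byte 0x44 is the XOR
// of every byte before it, i.e. a longitudinal redundancy check (LRC).
// Splitting the message into a 6-byte prefix (010300000c00) and the display
// text is an assumption made for this example.
type Frame struct {
	Leading []byte // 6 bytes, Leading[5] = message length
	Prefix  []byte // first 6 bytes of the message
	Text    string // display text shown to the cardholder
	Check   byte
}

const leadLen, prefixLen = 6, 6

var terminator = []byte{0x0d, 0x0a}

// LRC is the XOR of all bytes. It detects line noise and nothing more: any
// sender that can write to the characteristic can recompute it, so it is not
// an authentication or integrity control.
func LRC(b []byte) byte {
	var x byte
	for _, c := range b {
		x ^= c
	}
	return x
}

// ParseFrame validates framing, length and LRC, then extracts the display text.
func ParseFrame(raw []byte) (*Frame, error) {
	if len(raw) < leadLen+prefixLen+1+len(terminator) {
		return nil, errors.New("frame too short")
	}
	if !bytes.HasSuffix(raw, terminator) {
		return nil, errors.New("missing 0d0a terminator")
	}
	msgEnd := leadLen + int(raw[leadLen-1])
	if msgEnd+1+len(terminator) != len(raw) {
		return nil, fmt.Errorf("length byte %#02x does not match frame size %d", raw[leadLen-1], len(raw))
	}
	if got, want := raw[msgEnd], LRC(raw[:msgEnd]); got != want {
		return nil, fmt.Errorf("check byte %#02x, expected %#02x", got, want)
	}
	msg := raw[leadLen:msgEnd]
	if len(msg) < prefixLen {
		return nil, errors.New("message shorter than its prefix")
	}
	return &Frame{
		Leading: raw[:leadLen],
		Prefix:  msg[:prefixLen],
		Text:    string(msg[prefixLen:]),
		Check:   raw[msgEnd],
	}, nil
}

func main() {
	// The capture shown on the slide.
	raw, _ := hex.DecodeString("0d0501000017010300000c00496e736572742f73776970652063617264440d0a")
	f, err := ParseFrame(raw)
	if err != nil {
		fmt.Println("reject:", err)
		return
	}
	fmt.Printf("prefix %x, text %q, check %#02x\n", f.Prefix, f.Text, f.Check)
}
```

Because the check byte is a plain XOR that any connected device can recompute, it gives the reader no way to distinguish the legitimate app from another paired device, which is the gap the application-layer authentication recommendation addresses.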
AMOUNT TAMPERING
HOW TO GET ACCESS TO TRANSACTIONS AND COMMANDS
• HTTPS
• Developer Bluetooth logs
• RE of APK / enable debug
• Bluetooth sniffer
HOW TO GET ACCESS TO COMMANDS
1. 0x02ee = 7.50 USD, 0x64cb = checksum
2. 0100 = 1.00 USD, 0x8a = checksum
MODIFYING PAYMENT AMOUNT
1. Modified payment value
2. Original (lower) amount displayed on the card reader for the customer
3. Card statement showing the higher authorised transaction amount
MODIFYING PAYMENT AMOUNT

| TYPE OF PAYMENT | AMOUNT TAMPERING | SECURITY MECHANISMS |
|---|---|---|
| MAG-STRIPE TRACK2 | | ---- |
| CONTACTLESS | POSSIBLE | AMOUNT CAN BE STORED IN CRYPTOGRAM |
| CHIP AND PIN | ----- | AMOUNT IS STORED IN CRYPTOGRAM |

LIMIT PER TRANSACTION: 50,000 USD
ATTACK (diagram): Customer → $1.00 payment → Fraudulent merchant → 50,000 payment → Service Provider
MITIGATION ACTIONS FOR SERVICE PROVIDERS
• Request solution from vendor
• Control your ecosystem
• No mag-stripe
REMOTE CODE EXECUTION
RCE = 1 REVERSE ENGINEER + 1 FIRMWARE (@ivachyou)
HOW FIRMWARE ARRIVES ON THE READER
https://frw.******.com/_prod_app_1_0_1_5.bin
https://frw.******.com/_prod_app_1_0_1_5.sig
https://frw.******.com/_prod_app_1_0_1_4.bin
https://frw.******.com/_prod_app_1_0_1_4.sig
Header - RSA-2048 signature (0x00 - 0x100)
Body - AES-ECB encrypted
https://www.paypalobjects.com/webstatic/mobile/pph/sw_repo_app/us/miura/m010/prod/7/M000-MPI-V1-41.tar.gz
https://www.paypalobjects.com/webstatic/mobile/pph/sw_repo_app/us/miura/m010/prod/7/M000-MPI-V1-39.tar.gz
INFECTED MPOS
• Payment attacks
• Collect Track 2/PIN
• Payment research
DEVICE PERSISTENCE (diagram labels: REBOOT, GAME OVER)
ATTACK (diagram): Service Provider → UPDATES → Reader; Fraudulent customer with a device with Bluetooth → RCE → Reader; Merchant
MITIGATIONS
• No vulnerable or out-of-date firmware
• No downgrades
• Preventative monitoring
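An update gate, added here as an example (not the vendors' or the researchers' code), covering the image layout shown above (0x100-byte RSA-2048 signature header followed by the encrypted body) together with the “no vulnerable or out-of-date firmware, no downgrades” mitigation: it verifies the signature before touching the body and refuses any version that is not newer than the installed one. The file-name version scheme follows the _prod_app_1_0_1_5.bin URLs on the slide; PKCS#1 v1.5 with SHA-256 and the GenerateVendorKey/SignImage helpers are assumptions for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"regexp"
	"strconv"
)

const sigLen = 0x100 // slide: RSA-2048 signature header at 0x00-0x100, encrypted body after it

type Version [4]int // as carried in the update file name, e.g. _prod_app_1_0_1_5.bin

var nameRe = regexp.MustCompile(`_app_(\d+)_(\d+)_(\d+)_(\d+)\.(?:bin|sig)$`)

// ParseVersion turns "_prod_app_1_0_1_5.bin" into Version{1, 0, 1, 5}.
func ParseVersion(name string) (Version, error) {
	m := nameRe.FindStringSubmatch(name)
	if m == nil {
		return Version{}, fmt.Errorf("no version in file name %q", name)
	}
	var v Version
	for i := range v {
		v[i], _ = strconv.Atoi(m[i+1]) // \d+ always parses
	}
	return v, nil
}

// Newer reports whether v is strictly newer than other (field by field).
func (v Version) Newer(other Version) bool {
	for i := range v {
		if v[i] != other[i] {
			return v[i] > other[i]
		}
	}
	return false
}

// GateUpdate is the check to run before an image is installed. Order matters: the body is
// not interpreted until the signature over it verifies, and a valid image that is not newer
// than the installed version is refused, which closes the downgrade path to an older, still
// validly signed release. The version comes from the file name because that is where the
// slides show it; the name is not covered by the signature, so a stronger design also
// carries the version inside the signed body and compares both.
func GateUpdate(image []byte, name string, installed Version, pub *rsa.PublicKey) ([]byte, error) {
	if len(image) <= sigLen {
		return nil, fmt.Errorf("image of %d bytes cannot hold the signature header", len(image))
	}
	sig, body := image[:sigLen], image[sigLen:]
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	v, err := ParseVersion(name)
	if err != nil {
		return nil, err
	}
	if !v.Newer(installed) {
		return nil, fmt.Errorf("refusing downgrade or reinstall: %v is not newer than %v", v, installed)
	}
	return body, nil // still encrypted; decryption happens only after this gate
}

// SignImage builds the header+body layout so the gate can be exercised. It stands in for the
// vendor's build step; PKCS#1 v1.5 with SHA-256 is an assumption, the slides only say RSA-2048.
func SignImage(priv *rsa.PrivateKey, body []byte) ([]byte, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return append(sig, body...), nil
}

// GenerateVendorKey makes a throwaway 2048-bit signing key for demonstrations.
func GenerateVendorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}
```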
HARDWARE OBSERVATIONS
SECONDARY FACTORS
• ENROLMENT PROCESS
• ON BOARDING CHECKS VS TRANSACTION MONITORING
• DIFFERENCES IN GEO – MSD, OFFLINE PROCESSING
• WHAT SHOULD BE CONSIDERED AN ACCEPTED RISK? ACCESS TO HCI LOGS/APP, LOCATION SPOOFING
Conclusions

| Reader | Cost reader / Fee per transaction | Enrollment process | Antifraud + Security checks | Physical security | FW RE | Mobile Ecosystem | Arbitrary commands | Red teaming | Amount tampering |
|---|---|---|---|---|---|---|---|---|---|
| Square [EU] | $51 / 1.75-2.5% | Low - no anti-money laundering checks but some ID checks | Strict – active monitoring of transactions | N/A | - | strict | - | - | - |
| Square [USA] | $50 / 2.5-2.75% | | Strict – correlation of “bad” readers, phones and acc info | N/A | - | medium (dev) | - | + | - |
| Square mag-stripe [EU + USA] | Free / 2.5-2.75% | | Strict (see above) | Low | - | low | - | + | + [no display] |
| Square miura [USA] | $130 / 2.5-2.75% | | Strict (see above) | N/A | + | N/A | + [via RCE] | + | + (via RCE) |
| PayPal miura | $60 / 1-2.75% | High - anti-money laundering checks + credit check (to take out credit agreement) | Strict – transaction monitoring | N/A | + | low | + [via RCE] | + | + (via RCE) |
| SumUp | $40 / 1.69% | | | Medium | - | low | + | + | + |
| iZettle datecs | $40 / 1.75% | Medium - anti-money laundering check + ID checks | Low – limited monitoring, on finding suspect activity block withdrawal - acc otherwise active | High | - | low | + | - | + |
MPOS FOR RED TEAMING
1. Carry out an assessment of the reader to gather preliminary data and info from cards.
2. Use the data to carry out normal transactions to obtain a baseline.
3. Use the info obtained during this process to identify potential weaknesses and vulnerabilities.
4. Carry out “modified” transactions.
ASSESSING RISK - WHAT DOES THIS MEAN FOR YOUR BUSINESS?
CONCLUSIONS
RECOMMENDATIONS FOR MPOS MANUFACTURERS
• Control firmware versions, encrypt & sign firmware
• Use a Bluetooth pairing mode that provides visual confirmation of reader/phone pairing, such as passkey entry
• Integrate security testing into the development process
• Implement user authentication and input sanitisation at the application level
RECOMMENDATIONS FOR MPOS VENDORS
• Protect deprecated protocols such as mag-stripe
• Use preventive monitoring as a best practice
• Don’t allow use of vulnerable or out-of-date firmware, prohibit downgrades
• Place more emphasis on enrolment checks
• Protect the mobile ecosystem
• Implement user authentication and input sanitization at application level
RECOMMENDATIONS FOR MPOS MERCHANTS
• Control physical access to devices
• Do not use mag-stripe transactions
• Assess the mPOS ecosystem
• Choose a vendor who places emphasis on protecting the whole ecosystem
THANKS
Hardware and firmware: Artem Ivachev
Leigh-Anne Galloway (@L_AGalloway)
Tim Yunusov (@a66at)
Hardware observations: Alexey Stennikov, Maxim Goryachy, Mark Carney