MADRID, 28 Jun. (Portaltic/EP) –
A combination of vulnerabilities in ATMs and in the NFC short-range communications protocol, used for features such as contactless mobile payments, exposes these devices to be ‘hacked’ just by bringing them a mobile phone.
Vulnerability, which is present in both ATMs that support NFC as in mobile payment terminals or dataphones, has been discovered by cybersecurity researcher Josep Rodríguez, from the firm IOActive, as reported by Wired.
Rodríguez has developed a Android mobile application with which it is possible to replicate communications that usually take place in ATMs and payment terminals exploiting vulnerabilities present in the ‘firmware’ of NFC systems.
Through this ‘hacking’ technique it is even possible for the cyber attacker to take control of the user credit card details, invisibly change the amount of a transaction or even encrypt devices through ‘ransomware’ attacks.
Likewise, Rodríguez affirms that it has been possible ‘hack’ at least one brand of ATM manufacturers to get cash through this technique. The rest of the brands affected are Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS y Nexgo.
The researcher has assured that he informed the manufacturers of the vulnerable devices ago between seven months and a year, but what many of the existing terminals are still exposed due to a shortage of security updates.
The problem in question, which Rodríguez has investigated for a year, is due to the fact that most terminals with NFC do not validate the data size that are sent from a card to the reader, known as the application protocol data unit, or APDU, for its acronym in English.
Using the Android application, the developed technique sends a file one hundred times longer than the reader expects, which generates a buffer overload error.
In some cases, like Ingenico, the manufacturers assure that this type of attack can only cause errors, but not execute code, and in this case the company has already solved the security flaw that was causing it.
Verifone, for its part, claims that it patched these vulnerabilities in 2018, but the researcher claims to have found vague terminals in Spain that recently continued to be exposed.