A huge percentage of PoS (point of sale) systems and hotel room locks are vulnerable to an attacker who temporarily places a small, inexpensive device a few inches away from their card readers.
The gadget is due to be presented this Sunday at the DEF CON conference in Las Vegas.
This device is the brainchild of Weston Hecker who is a senior security engineer at Rapid7.
His inspiration for developing the device is another device called MagSpoof which was designed by Samy Kamkar.
MagSpoof was designed to fool most standard card readers into believing that a card has been swiped: it generates a strong electromagnetic field that emulates the data on a card's magnetic stripe.
Kamkar presented it to the public as a way to replace all of your cards with a single device; Hecker, however, took the idea and researched what else he could do with it.
In the process he started looking closely at PoS systems and discovered that many of them treat their card readers as USB human input devices, and would therefore accept instructions sent as keyboard input through the reader.
Once he figured that out, he built a device similar to MagSpoof which, when placed near a card reader, sends malicious keyboard instructions that the PoS system then executes.
So what does this mean for a regular user? An attacker could use such a device to open a command prompt on the targeted system and use it to download and install malware.
The vulnerability is not vendor specific. In his testing, Hecker said, he was able to attack most PoS systems that run Windows and are designed to work with a keyboard.
We are all aware that this design is popular and such payment systems are widespread.
The attacker would need to be at close range, placing the device within four-and-a-half inches of the reader to ensure there is no interference or packet loss.
As of this writing, the device is still fairly noticeable, about the size of a deck of cards, but it can still be easily hidden. The attacker would just need an opportunity when the target PoS system is unattended.
Rapid7 reported the design flaw to US-CERT, which is in the process of identifying and notifying affected vendors.
Sad to say, this issue will not be patched anytime soon: US-CERT is still in the process of identifying and notifying the vendors, and the vendors will in turn need time to produce patches. In some cases, many PoS devices will need to be updated manually by a technician.
So why stop there? Hecker eventually found a way to use the device against electronic hotel door locks, which also use magnetic stripe cards, by brute forcing the data encoded on a programmed key card.
The information on hotel room key cards is not very secure: it is not encrypted and contains only a few fields, such as the record ID, room number and check-out date.
Hecker estimates that brute forcing a typical room lock in a hotel with 50 to 100 rooms would take around 18 minutes. Brute forcing a special key, like those used by housekeeping and other staff, would take around half an hour.
The nice part, for the attacker, is that he can even leave the device working on the door and be notified on his mobile phone when the correct data combination has been found.
This is another design flaw that seems to affect many vendors, Hecker said. The best fix would be for folio numbers to be made larger and to be assigned randomly to new guests. Adding encryption to the process would be better, but would almost certainly require replacing the existing system with new encryption-capable locks, he said.