

#Restaurant story hack android android
He began buying NFC readers and point-of-sale devices from eBay, and soon discovered that many of them suffered from the same security flaw: They didn't validate the size of the data packet sent via NFC from a credit card to the reader, known as an application protocol data unit or APDU.īy using a custom app to send a carefully crafted APDU from his NFC-enabled Android phone that's hundreds of times larger than the reader expects, Rodriguez was able to trigger a "buffer overflow," a decades-old type of software vulnerability that allows a hacker to corrupt a target device's memory and run their own code. Rodriguez, who has spent years testing the security of ATMs as a consultant, says he began exploring a year ago whether ATMs' contactless card readers-most often sold by the payment technology firm ID Tech-could serve as an in-road to hacking them. "Patching so many hundreds of thousands of ATMs physically, it's something that would require a lot of time," Rodriguez says. Even so, he warns that the sheer number of affected systems and the fact that many point-of-sale terminals and ATMs don't regularly receive software updates-and in many cases require physical access to update-mean that many of those devices likely remain vulnerable. Rodriguez says he alerted the affected vendors-which include ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and the unnamed ATM vendor-to his findings between 7 months and a year ago. "If you chain the attack and also send a special payload to an ATM's computer, you can jackpot the ATM-like cash out, just by tapping your phone." There are a lot of possibilities here," says Rodriguez of the point-of-sale attacks he discovered.
#Restaurant story hack android install
You can make the device useless, or install a kind of ransomware. "You can modify the firmware and change the price to one dollar, for instance, even when the screen shows that you're paying 50 dollars. He declined to specify or disclose those flaws publicly due to nondisclosure agreements with the ATM vendors. Rodriguez says he can even force at least one brand of ATMs to dispense cash-though that "jackpotting" hack only works in combination with additional bugs he says he's found in the ATMs' software. With a wave of his phone, he can exploit a variety of bugs to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message. Now Rodriguez has built an Android app that allows his smartphone to mimic those credit card radio communications and exploit flaws in the NFC systems' firmware. You can find them on countless retail store and restaurant counters, vending machines, taxis, and parking meters around the globe. NFC systems are what let you wave a credit card over a reader-rather than swipe or insert it-to make a payment or extract money from a cash machine. Josep Rodriguez, a researcher and consultant at security firm IOActive, has spent the last year digging up and reporting vulnerabilities in the so-called near-field communications reader chips used in millions of ATMs and point-of-sale systems worldwide.

Now one researcher has found a collection of bugs that allow him to hack ATMs-along with a wide variety of point-of-sale terminals-in a new way: with a wave of his phone over a contactless credit card reader. For years, security researchers and cybercriminals have hacked ATMs by using all possible avenues to their innards, from opening a front panel and sticking a thumb drive into a USB port to drilling a hole that exposes internal wiring.
