Hotel POS and Magstripe Cards Vulnerable to Attacks, Brute-Forcing

  /     /     /  
Publicated : 22/11/2024   Category : security


Hotel POS and Magstripe Cards Vulnerable to Attacks, Brute-Forcing


Researchers from Rapid7 at DefCon will demonstrate vulnerabilities that allow attackers to turn point-of-sale devices into keyboards



Magnetic stripe readers, you are the gift that keeps on giving. Unfortunately.
Researchers from Rapid7 Inc. will demonstrate how point-of-sale systems and hotel keys with magstripe technology can be hacked and used in brute-force attacks as part of a DefCon presentation this weekend.
Building on work from
Samy Kamkar
and his
MagSpoof
techniques, along with integrated bad barcode from Tencent, Rapid7s Weston Hecker will show how to inject OS commands into a Windows-based POS system with the magstripe reader.
Often a magstripe reader is configured as a general-purpose device, so you can drop in commands to open a register, open a window, or download malware and install, said Tod Beardsley, senior security research manager at Rapid7, in a phone interview with Dark Reading.
With a device thats programmable via an electromagnetic field, the hacker has lots of options: open a cash register drawer, open a window on the computer, or download and install malware. You only need to distract the operator for a couple seconds -- it all happens very quickly, Beardsley explained.
In effect, the attack turns the magstripe reader into a keyboard. If youve seen the
rubber ducky attacks
with the exposed USB ports, you know that something that mimics a keyboard gives you direct access to the [POS] device, Beardsley added. The vulnerability affects everything from hotel keys to loyalty cards, gas cards, or special access cards for first responders to use elevators.
Rapid7 has already notified the manufacturer, Samsung, but the vulnerability affects nearly all vendors POS devices, which aren’t that different from one another, according to Beardsley. Theres also been no official response from Samsung, though Beardsley assumes theyre doing their own testing and due diligence. Rapid7 is also working with CERT for handling the vulnerability disclosure.
Beardsley and Weston point to two areas that need to be fixed. The first is not to allow magstripe readers to be used as a keyboard, which can be addressed by new driver definitions, an OS fix, Beardsley said. Secondly, because the devices can be tricked into taking certain types of commands, the applications they use should limit the kind of data theyre expecting. Credit card data is ASCII, not anything exciting. But the fact I can inject keystrokes, like the F8 key, is unexpected, Beardley said. Its a fundamental design flaw in how these Windows-enabled systems run.
Brute-forcing a magstripe hotel card is also remarkably simple; the data it contains is encoded but not encrypted, Beardsley said. An attacker with a magstripe hotel card will look for the folio number associated with check-in, which is usually six digits and tends to be assigned incrementally (123456, 123457, 123458…) rather than randomly. The attacker will also look for the room number on the magstripe card and the checkout date. All three pieces of data have to be accurate for a room doorlock to open.
Once you have a device, its short work to guess a number on the fly that opens a lock – the doors to guest rooms, Beardsley said. By replacing incremental IDs with random ones and expanding the number of digits in the data fields, hotels and other affected industries can help address the vulnerabilities – a cheaper, easier fix than using encrypted cards. Encryption will happen at some point, but today its pretty much the same basic technology from the 1970s, Beardsley said.
Related Content From Black Hat 2016:
This Time, Miller & Valasek Hack The Jeep At Speed
8 Bad Ass Tools Coming Out Of Black Hat
Browser Exploits Increasingly Go For The Jugular
 

Last News

▸ 27 Million South Koreans Hit by Online Gaming Theft. ◂
Discovered: 23/12/2024
Category: security

▸ Homeland Security Background Checks Breach Raises Concerns. ◂
Discovered: 23/12/2024
Category: security

▸ Fully committed to the future world of technology. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Hotel POS and Magstripe Cards Vulnerable to Attacks, Brute-Forcing