As cash machines with contactless readers arrive in France, a researcher has managed to "crash" an ATM using the NFC chip of his Android smartphone. Here is how.
Cash machines (ATMs) have always been a favourite playground, even a challenge, for criminals, and many more or less destructive methods exist for attacking them. With ATMs equipped with contactless readers, there is no need to tamper with the hardware to reach the electronics, or to fit a fake reader to steal a bank card's PIN. A small set of bugs in existing systems can simply cause the ATM to crash, or even let someone get their hands on the cash, by passing a smartphone over the sensor without touching it.
Josep Rodriguez, a computer security researcher and consultant at security firm IOActive, spent the last year hunting for vulnerabilities in the NFC chips used for contactless payment. Above all, he started from the observation that practically all ATMs suffer from a vulnerability as old as computing. On many models, it is possible to trigger a buffer overflow, which makes the machine "crash" and also allows memory to be corrupted, potentially to implant malicious code.
He therefore wondered whether, on ATMs equipped with contactless readers, this channel could be used to trigger the attack. Bingo! The researcher quickly found that it was indeed possible to send a disproportionately large data packet through a smartphone's NFC, to the point of causing this buffer overflow. The bug is that the size of the data packet is simply not validated by the system. The researcher also demonstrated his technique to Wired to prove the flaw.
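The missing size check described above, shown as an added C example that is not code from the researcher, IOActive or any ATM vendor. The frame layout, the buffer size and all function names are assumptions made for illustration: the unchecked routine trusts the length declared by the sender, while the checked one validates it against both the bytes actually received and the destination buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RESP_BUF_SIZE 256  /* hypothetical fixed buffer in the reader firmware */
enum frame_status { FRAME_OK = 0, FRAME_TRUNCATED = -1, FRAME_TOO_LARGE = -2 };

/* Constructed frame layout (an assumption, not a real vendor format):
 * bytes 0-1 = big-endian payload length declared by the sender, then payload. */

/* Unsafe pattern, shown for contrast and never called: trusts the declared length. */
void copy_payload_unchecked(uint8_t *dst, const uint8_t *frame)
{
    size_t declared = ((size_t)frame[0] << 8) | frame[1];
    memcpy(dst, frame + 2, declared);  /* writes past dst if declared > RESP_BUF_SIZE */
}

/* Hardened pattern: the declared length must fit what was received and dst. */
int copy_payload_checked(uint8_t *dst, size_t dst_size,
                         const uint8_t *frame, size_t frame_len, size_t *out_len)
{
    if (frame_len < 2) return FRAME_TRUNCATED;
    size_t declared = ((size_t)frame[0] << 8) | frame[1];
    if (declared > frame_len - 2) return FRAME_TRUNCATED;  /* claims more than was sent */
    if (declared > dst_size) return FRAME_TOO_LARGE;       /* would overflow dst */
    memcpy(dst, frame + 2, declared);
    *out_len = declared;
    return FRAME_OK;
}

/* Builds a constructed frame that declares `declared` bytes but carries `sent`. */
int demo_status(size_t declared, size_t sent)
{
    static uint8_t frame[2 + 1024];
    uint8_t dst[RESP_BUF_SIZE];
    size_t n = 0;
    if (sent > 1024) sent = 1024;
    memset(frame, 0x41, sizeof frame);
    frame[0] = (uint8_t)(declared >> 8);
    frame[1] = (uint8_t)declared;
    return copy_payload_checked(dst, sizeof dst, frame, 2 + sent, &n);
}

int main(void)
{
    /* An oversized declared length is rejected instead of overflowing dst. */
    return demo_status(1000, 1000) == FRAME_TOO_LARGE ? 0 : 1;
}
```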
A difficult update to deploy
The Android application he has developed could allow him to go further. He claims that it is possible to hack ATMs in order to collect and transmit credit card data. Transaction values could also be modified in a way that is invisible to the user and, to make matters worse, it would even be possible to infect an ATM with ransomware.
According to his tests, with at least one ATM brand, it is possible to withdraw banknotes. He indicated that this ability comes from other software bugs present in these machines. These flaws are known but have not been fixed, as is also the case for the buffer overflow attack. For the moment, Josep Rodriguez has declined to disclose his findings publicly, sharing them only with ATM vendors. The fact that the vendors have been alerted does not mean that the machines will be updated. First, because there are many of them and it is often necessary to intervene physically on each one.
What you must remember
- By using the contactless reader of an ATM, it is possible to make it "crash".
- This method could infect the ATM by injecting it with ransomware.
- On some ATMs, it is even possible to withdraw money with this hacking technique by taking advantage of other flaws.