New research shows EMV terminals can be compromised with malicious spoofed credit cards able to create memory corruptions, denial of services, and arbitrary code execution.
Peach Fuzzer says discovering these exploitable vulnerabilities enabled solution providers to mitigate their vulnerabilities quickly and cheaply, before they became a hacker’s attack vector.
Researchers from a collaboration between Deja vu Security and Peach Fuzzer, used two different setups during their testing.
First, they tested physical terminal hardware using a malicious credit card, Smart Card Reader, and a FPGA Simulating EMV Protocol Bridge. Second, they tested software integrity using multiple EMV terminal emulators.
Throughout testing of the EMV terminals, Peach Fuzzer found that malicious credit cards could be used to compromise EMV terminals. Three major categories of vulnerabilities were discovered:
• Memory Corruption – Allows attackers to read and write memory and crash the reader
• Denial of Service – Renders the unit unusable to POS vendors or their customers
• Arbitrary Code Execution – Enables attackers to define and run their own code on the terminals
In one test case, a spoofed card was created to match all of the physical specifications of an EMV card. This card was put into an EMV terminal, connected to a field programmable gate array (FPGA) which simulated the EMV protocol, and then connected to Peach. This allowed Peach Fuzzer to trick the terminal into thinking a real card was being used, granting access to its systems.
For a complete archive of more than 70,000 articles published since 1995 search the CardFlash.com library.