Recipe for disaster: Bluetooth-enabled POS Terminals + MagStripe-based Cards

These days convenience is proportional to security; it can never be convenient if strict security protocols are in-place and vice-versa. As people tend to embrace the cashless way of paying for items for sale, the mobile POS (point of sale terminals) have become a common facility any sales business entity has in their store. Today, even small no-name stores and shops offer a card reading POS, which accepts debit and credit cards with ease.

Cybersecurity firm Positive Technologies, through its cybersecurity expert, Leigh-Anne Galloway, and Timur Yunusov have checked the most common card readers rolled-out in stores. The POS readers came from vendors such as Square, iZette, SumUp, and PayPal in both Europe and the United States.

In their audit, they have realized that not all of them are created equal. There are enough differences on how their respective infrastructure has been devised but still arrives at the same destination of charging the customer for the cost of the product sold. “Hardware security mechanisms are generally sophisticated in these products, but many other aspects of the payment ecosystem are far less secure, such as the mobile ecosystem and enrollment processes,” said Galloway.

It is unfortunate that the transition from the magstripe-based cards to chip-based cards are not yet complete for some banks. The former introduces a weakness into the POS system, as it is can easily be manipulated, let alone copied. “This attack vector can be used for social engineering to force a cardholder to use a less secure method of payment, such as mag-stripe. Or it may be used to display a ‘payment declined’ message as a means to make the cardholder carry out additional transactions,” explained Galloway.

The weakest link is the enabled Bluetooth capability of the POS, which an attacker can attempt to remotely enter using a nested terminal command, which requires no authentication as it happens in Bluetooth mode. “(The) need access to a copy of the target device, such as a mobile POS terminal, a phone which allows for HCI logging and the mobile application. Once HCI logging is enabled, you can capture the core functionality of the mobile point-of-sale terminal. This can be done by making sample transactions using different payment methods, in order to obtain different results. Once this information has been captured, Wireshark can be used to analyze the communication to and from the phone and mobile point-of-sale terminal. This information, along with information obtained in the mobile application, make it possible to correlate functions with characteristics and their handles,” explained in the report.

The hijacking of Bluetooth connection is not new, it has been repeatedly taken advantage with when it comes to attacking Bluetooth-enabled networks, however, Bluetooth-aware POS hack has not been recorded heavily prior to the discovery. If the customer uses a mag-stripe card, the amount in the computed sales transactions can be manipulated by a 3rd party remotely through the Bluetooth Network. Interception through SSL can be bypassed in order to pull off the attack against the magstripe-using customer.“After an attacker has obtained full access to the operating system, it is possible to intercept Track 2 data before it is encrypted and to enable plaintext mode (command mode) on the terminals’ PIN pad, to collect PINs,” concluded Galloway.

Only the deliberate discontinuation of magstripe cards can stop the easily implementable exploit such as this one, but that requires the full cooperation of all banks and all of their customers.