NFC Flaws Let Researchers Hack ATMs by Waving a Phone

Now one researcher has found a collection of bugs that allow him to hack ATMs—along with a wide variety of point-of-sale terminals—in a new way: with a wave of his phone over a contactless credit card reader.Josep Rodriguez, a researcher and consultant at security firm IOActive, has spent the last year digging up and reporting vulnerabilities in the so-called near-field communications reader chips used in millions of ATMs and point-of-sale systems worldwide. He also didn't provide a video demo of a jackpotting attack because, he says, he could only legally test it on machines obtained as part of IOActive's security consulting to the affected ATM vendor, with whom IOActive has signed an NDA.)The findings are "excellent research into the vulnerability of software running on embedded devices," says Karsten Nohl, the founder of security firm SRLabs and a well-known firmware hacker, who reviewed Rodriguez's work. He began buying NFC readers and point-of-sale devices from eBay, and soon discovered that many of them suffered from the same security flaw: They didn't validate the size of the data packet sent via NFC from a credit card to the reader, known as an application protocol data unit or APDU.By using a custom app to send a carefully crafted APDU from his NFC-enabled Android phone that's hundreds of times larger than the reader expects, Rodriguez was able to trigger a "buffer overflow," a decades-old type of software vulnerability that allows a hacker to corrupt a target device's memory and run their own code.When WIRED reached out to the affected companies, ID Tech, BBPOS, and Nexgo didn't respond to requests for comment, and the ATM Industry Association declined to comment.