He hacks cash machines with an Android and an NFC vulnerability!
We knew it was possible to hack ATMs (cash machines) with a USB key, but with NFC, it is no longer even worth touching the machine!
This is what Josep Rodriguez, a security consultant specializing in the ATM field, discovered. The latter played with the NFC functionality of different machines: cash dispensers, but also parking meters, drink dispensers, payment terminals, etc. Thanks to a home application and an Android device equipped with NFC, he was able to exploit various loopholes to crash the machine, display messages and even change the value of the transaction from X € to 1 € (save money with NFC! ).
Jackpotting!
Stronger, he made a ” jackpotting »On an ATM brand (for which he did not disclose the brand): he was quite simply able to recover the money without being debited.
And this is not a single country concern, but a global problem. To put it simply, Josep’s application masquerades as a bank card and then manages to overflow the machine’s buffer memory to enter foreign code. However, this is a known flaw linked to the APDU (application protocol data unit), a data packet sent to the machine to initiate communication. Josep’s, 100 times bigger than normal, crashes the system. With a little trial and error and perseverance, Josep Rodriguez was able to demonstrate once again that the NFC is not really reassuring …
The ATM must of course have an NFC reader, which is more and more common. Josep started his small manipulations about a year ago and immediately notified the manufacturers of the machines concerned. Small problem: an ATM or a coffee machine does not update like a smartphone or a PC: you need physical access to the machine and patching everything will take time.
Josep, whistleblower
Without being able to show his protocol in full, Josep still had to show that he is not a mythomaniac: he had to share a video with the WIRED site asking them not to publish it for fear of taking a trial. Smart. Especially since some manufacturers have since denied that their devices were vulnerable in such widths. For example Verifone (a service that provides payment solutions for businesses) explained that the exploit described by Josep could not work since 2018.
The problem is that the expert explained that he had recently used the technique in Madrid on a device that had apparently not been updated. In short, the situation is embarrassing. He has since come up with the idea of revealing a little more to ensure that the makers of these machines no longer minimize the scope of such a critical flaw: “These vulnerabilities have been present in firmware for years and we use these devices on a daily basis to manage our bank cards and our money. They must be secure ”. We hope that we will not find our Iberian friend who committed suicide by two bullets in the back …
Source: WIRED