
Commercial Security Scanning POS Vulnerability and Mitigation Techniques | Rosario Soria

BSides Sydney, published 2025-02

All yours.

Good afternoon everybody, and thanks for sticking around. I know it's been a long day for all of you. My name is Rosario and I'm going to be talking today about commercial security scanning on point of sale: potential workarounds and mitigation techniques. Before I jump to the subject, this is a research paper that I got involved in a few years back, and I just wanted to give you a quick background on how I landed in this area. There was a time when PCI DSS was heavily targeted by cyber criminals, and we saw a lot of news around the world: large companies were having

these breaches where multiple credit card details were exposed, and this was costing millions of dollars to remediate. This was a wake-up call for companies of all sizes to have and run incident response teams. So it was quite hot, it is quite hot, and still happening. So that is a little bit of background. Also, with this paper I want to give you the goal, what we're trying to do here. The goal was mainly to give you a foundation and then to build from there. We wanted to see and explore the network, how this POS works in a realistic world: what

processes, what protocols, what ports; getting to know the device that was hot in the market; and mimicking a real payment going out, how this could be in a realistic world, how an attacker would actually be able to bypass this. All righty, so let's start today. This is the overview of today: we're going to talk about a quick introduction on PCI DSS; we're going to go over worldwide cases, just to give you a quick summary, a quick view of what happened there; we're going to have a peek at the experimental network that we ran our experimental testing on;

we're going to get to know our target, the VX680, the terminal, which was provided by Barone, my sponsor at the time; and also we're going to go into the penetration testing, so here we subdivide it into intrusive and non-intrusive attacks. We're going to go through how we did it, what tools we used, what the findings were, and what direction we took after we gathered this information. At the end we're going to see, knowing all of this, how we can bypass PCI DSS whilst compliant, and what we can do about it. So if you have a

compromise, what can we do as customers, as people who use PCI DSS in our day-to-day life? So put your hands up if you know what PCI DSS is. Yes, yes, yes, a lot of hands up, nice. Okay, so I'm not going to spend time here then, we can skip it. Yes, PCI DSS: we find it in our day-to-day every time that we make a purchase transaction, this is where you're dealing with it, and every company that makes transactions or deals with payment transactions should be compliant, otherwise they lose the ability to make payment transactions online, or on the hardware, or any other possible

ways. Very quickly, these are the PCI DSS standards: there are six goals and they have 12 requirements. As you can see from this image, there are some basic words, and sometimes they could be open to interpretation, which is quite scary, because the way that I could interpret some of this could be different from the way that you might interpret it. So this is a good start for us to understand what PCI DSS means to us and how they are working. Okay, so let's talk about some of those cases that we mentioned before. Yes, you've seen Home Depot, a large retailer

in the States. You've seen TJ Maxx, or TK Maxx, also a large retailer in the United States. Both companies, very large companies in the United States, were targeted and breached successfully, losing millions of credit card details, and this was made public. Unfortunately, even though one of these companies invested a lot of money in their security software, they still got breached. So they lost customers, they lost sales, the reputation of the company got damaged. Again, investing in security software is not enough; you must also have your incident response team that should respond accurately to security alerts. But yeah, one

of these companies actually delayed the response to this alert, hence there were like 60 million credit card details exposed to the world. I stop here because this is our neighbour country: they were heavily hit as well by a Romanian cyber criminal, and not too long ago. So basically the attackers were quite adventurous here, because they wanted to take the extra step, not just to get those credit card details, but they also wanted to start printing them onto physical cards and then go into those ATMs and start withdrawing money. So they were hard, yes. And the last one, not very recent, but the Warner group, another very

large PCI DSS attack, and it shows, again, even though we tighten those PCI standards and we implement them to our best understanding, these attacks are still happening and most likely will continue happening. So this is a collaborative work, how we can remediate them. In the little graphic right there you can see all the industries that are mostly attacked by them. Now, moving on into our specific case, this is the network design that we elaborated and deployed. We wanted to mimic, having all that information that we gathered before on previous cases, what we know happened in New

Zealand, and how businesses work nowadays. We tried to mimic just a simple local network, having services like AD, DNS, DHCP. We wanted to combine wired connections and wireless connections; we wanted to have the ability to move the device around. So, just to give you the areas of attack from the attacker's perspective: we have the wireless connections, we have the wired connection, but we also have the device itself. The device itself is a big one for us because it was quite new. The testing server was a testing server that was sitting in our sponsor's environment, so that was out of scope,

but we were able to make transactions on our side, and those transactions would all communicate with the testing server of

Barone. Okay, let's get to know our target device. Our target device is any handheld device; if you're driving down the road buying some veggies or fruits, this is a device that you will be handed. It's a Verifone terminal, the VX680. It works on 5G, it works on wireless connections, it prints its own receipts, colourful screen. Some of you might wonder, why this device? I mean, there are plenty of options that we could have chosen from, but based on the statistics of the sponsor, this was the device most popular, chosen by

merchants when they are on the go, because it gives the ability to go anywhere and still be able to make transactions or receive payments. So it was based on the popularity of the device, that's why we chose this device. Okay, so now we want to move on to the non-intrusive attacks. If you remember, in the beginning we talked about subdividing this into non-intrusive attacks and intrusive attacks. So, non-intrusive attacks: we wanted to get to know the device more, footprinting, port scanning. We wanted to run scans and find, hopefully, open ports for malicious attackers that can be

exploited, that can give you access to the device. Through running those scans, it's just getting to know the device more, and also the network. The tools that we used, just narrowing down to those areas: Aircrack. Aircrack was chosen mostly to put to the test one of the standards. If I don't remember wrong, there is a standard, 2.1.1, which says in a wireless network you should use good encryption. Good encryption, but what kind of encryption? It doesn't tell you what kind of encryption. So Aircrack was then chosen to test that. And Nmap, just to see the

ports: open, filtered, closed. In the next slide I'm going to go through the findings. OpenVAS and Nessus, both vulnerability scanners: was there any existing vulnerability in the device, how old is the vulnerability, what is the score of the vulnerability? All of these things we wanted to know. And SPARTA. SPARTA is getting popular in the cyber world. What SPARTA added to this research: it was showing a connection on the wired area of the network, it shows similarity of a chipset sitting in the VM, in the terminal, and in the AP. Findings: just by footprinting and port

scanning we were able to have the best guess of the operating system running on the device, the number of ports. Just to give you more details: there were two TCP ports, there was an FTP service open, there were 65,000 closed ports. You can see MAC addresses, source IPs, destination IPs, you could see protocols and UDP ports, Wi-Fi technology, the vulnerable OS, or operating system. And as you can see, there is actually NetBSD; it gives you the severity, 9.3 out of 10, so yeah, quite high, and that's the OS. The vulnerability existing

there was actually five years old. Right now it will be a different situation, because we have given all these results to our sponsor and it's now patched, but yet that's quite interesting. Now moving on to the intrusive part. We know now, we understand what is running; we haven't touched and tried to penetrate the security. We carried out two different attacks: the evil twin attack and the man-in-the-middle attack. For the evil twin attack we used an antenna with the Kali Linux operating system, so we mimicked, we pretended, we put up the rogue AP and pretended to be the

legitimate access point, and after launching a DoS attack on the device we forced the device to disconnect from the legitimate AP and then connect to our rogue AP. Once having this connection up and running, we were making transactions, having all this transaction traffic going through our rogue AP, which is a success, nice. So standard 2.1.1: broken. However, what else can we do from there? Once you have this device connected to your rogue AP, you kind of own the connection now, so we launched Metasploit and tried to inject malicious packets into the POS terminal. Unfortunately,

the POS refused the attacks. But this is not where we stopped: we took a Wi-Fi Pineapple and tried again, but there was no difference in the results. For the man-in-the-middle attack we have two sectors, and we mainly carried this attack out to compare packets, so we captured packets from two different connections of the device: one is from the VX680 to the legitimate AP, and the other one is from the legitimate AP to the internet. From this attack we used Ettercap to sit in the middle and start watching the traffic, and I can tell you the time and date were key factors here,

because you could see even a microsecond would make the difference in each packet. Also during this attack we were able to see the receipts in plain text in the packet captures. While having these connections and these attacks on, we made transactions using a magnetic stripe card and a chip card, and there was a huge difference there, which was cryptography. Additionally, these are services and physical ports existing in the device. So even though these are not cyber attacks, we wanted to see how these services and physical ports could be used from the attacker's perspective. So,

an FTP service. An FTP service was tested to see what else you can install, and before I go further, for the FTP service there is a PIN which is in plain text, if you carefully look at the device. Just by connecting through FTP, you will see a PIN; in our case the PIN was in plain text, and knowing this PIN allowed us to have more visibility, so we were able to see the firmware, the directories, the groups existing there, some of the results right there in the screenshots. So yeah, the visibility of the device, of the system, increased. For the micro SD card, this is a

physical device, and the micro SD card: if you take the battery out and disconnect it, you can actually use it as a micro SD card, you can load your external files, autorun scripts, whatever you feel like, load it there and insert it back into the device. Once you turn it on, it's going to check the file signatures. We couldn't bypass the file signatures and the file hashes, but there are other research papers where they unpack the firmware, they modify the firmware and then they reload it on the device using external files. In our case we were able to

put external files into the device and nothing happened: even though the device rebooted, the file was still existing there, the malicious files were coexisting with legitimate files, not raising any alerts. So yeah, quite interesting. There is also a USB port. This USB port was mostly to increase the visibility of the device; it has a mini HDMI at the end, so you could use it to connect to software running in a computer, and you can increase your visibility and capability of the device. So now we're going to compare:

we ran non-intrusive scans, intrusive scans, what did we see? So we know the programming language running on the VX680: it's POS XML, which is an XML language. This language is used by developers to create new applications, to develop new features for the device, and this is the current language and the current firmware, the operating system, network information, features; you can also load new features onto the device. As you can see, through FTP you were able to see the folder structure, the directory listing; the packet captures were showing receipts in plain text. Cryptography, I'm going to stop right here, because while we were making

transactions, even though we were able to see the receipts and we were able to see the traffic, the main difference that you will see is when you were making transactions using the magnetic stripe card and the chip card. So cryptography is the main difference here: cryptography is only used for credit cards using the chip technology, which is another layer of security. So if you are ever presented with options whether to use a magnetic stripe card or a chip card, I would highly suggest using the chip card. I'm not saying this is 100% secure, nothing is 100% secure these days, but it has another

layer of security in it. Again, the PIN of the device was in plain text. The encryption used by the device, and this was reconfirmed with the vendor, is triple DES, which is DES three times. The NetBIOS open ports open the doors for potential exploitation. Also, we tried to explore the device hardware itself: you can remove pieces, put them back, compile it together, but there is anti-tampering on the device, so for replacing the internal components of the device you will have to bypass the anti-tampering protection. It is possible; we haven't explored that function yet. And also, again, having those

physical ports and physical functionalities of the device opens possibilities for you, or for persons who have malicious intent, to place external files into the device and have them coexisting with the legitimate files. Now we know the device, we know the network, we've gathered information, we know about the physical open ports and services, and how can we bypass them? I'll show you. So this is a demonstration of an attack, a side-channel attack, which could bypass the PCI DSS requirements entirely while still complying with them. We're going to use here a fake terminal, and on the attacker side we're going to be using

two people. So let's say you're walking down the streets and you see a shop next to the road, you want to buy some strawberries, so you will be handed a POS device to make a payment. What you don't know is that your credit card details are being stolen and then passed over to a second attacker who is making a real transaction with the real amount. This second attacker is going to go and make the transaction, the transaction is going to get approved by the payment server, and then the second attacker is going to get a receipt, which is accepted, which the second attacker is then going to communicate to the

first attacker: hey, we're good to go, the PIN number is valid, the card number is valid, it's all good, we're charging $9 for a box of strawberries. On the customer side you don't know, because you simply pay $9; as a customer you were told that it was $9 that it was going to cost you, and you pay the $9, nothing happened, no red flags. And again, our goal here is not to charge more to the customer, because that would be a red flag; it is only to gather the card details, that's the goal here. But how does this look with our two favourite imaginary people, Alice

and Bob? So this is a cycle: you have Bob and Alice working together. Bob is facing the customer, handing over the fake terminal to the customer; the customer swipes the card and makes a payment; the information is grabbed and passed on to Alice. Alice has a real POS with her; she makes the transaction using the credit card details, sends it to the payment server, the payment server then sends back an approved receipt to her, and then she sends a signal to Bob saying, hey Bob, we're good to go, next customer. And imagine having this multiple times; you will never know, you

know, I'm not here to charge you $80, I'm here to charge you $5, and I could just sit in my shop on the corner and start selling strawberries or veggies, you will never know. But from the attacker's perspective, once you have these credit card details, I think the possibilities are endless here, but some of them, the most common, the ones that we see every day: you can sell this cardholder information in the dark web market, you can start printing this information onto physical cards and also resell them, or you can do what happened in New

Zealand, taking the extra step and actually walking into ATMs and start withdrawing money. But also, this is a little bit of a grey area, because some of you might say, no, this only happens to bank cards. No, this could also happen to gift cards, to loyalty cards, and any card that uses the magnetic stripe technology. So I can easily load my bank card details onto a gift card. So that's a bit of a grey area, but it's possible. So yeah, it is very scary there. All right, so we got to know the network, we got to know the device, we actually bypassed the PCI DSS standards, we

carried out an attack, we have the details. But from the defensive side now, changing your hats, how do you mitigate them? Well, first of all, if you do a simple Google search you will find this POS terminal for sale, so it's available to anybody. You can grab your phone, we can do a simple Google on the VX680, and I think I did it yesterday, and they are 35 Australian dollars. You might have to invest a little bit more in the shipping because it's a long way, but for $35 you can have your own POS terminal, start modifying the hardware,

updating the firmware, putting your own firmware on and running your own scam, not that you should do it, but yeah. Also, blocking these devices' sales online is a way to go; I mean, I don't really understand why these devices are for sale, so blocking this would be one way. Also cross-reference: when the transactions are made from company to company, they have the ability to cross-reference the buyer IDs, the terminal IDs, and that way you can actually make sure that you're making a legitimate payment. And again, keeping in mind that this can be extended to loyalty cards and gift

cards. Overall, this is my takeaway for you guys: even though this attack is going to be hard to mitigate, keep in mind that this will only happen to magnetic stripe cards, because the newer cards, the chip cards or the other ones, NFC, use different technology. So again, if you are ever presented with options and one of them is using the magnetic stripe card, avoid that. Or think again, because yesterday, when I was doing this presentation, somebody said, what if they block the functionality of NFC and chip cards, forcing you to use magnetic stripe cards? So that's

actually a nice experiment, which we didn't do, but it can be possible; the imagination can go really far. So even if the device is newer nowadays, they can block those functionalities and force you to use the magnetic stripe. So, future developments on this case: during the research, unfortunately, we also found that the transaction details were sitting in the RAM of the POS device. Even though it's a fraction of a second and it's really hard for an attacker to carry out an attack on this, it is possible. Knowing that those transaction details are sitting and living in RAM opens possibilities for RAM

scraping attacks. Also, if you do a simple search on POS malware you will find a list of them, so there are people, black hat, white hat, that have actually written malware only dedicated to POS. In my experience, while working on this research, there was a presentation at Black Hat about JackPOS and I wanted to see how that works, and I was able to get a copy of it just by tweeting (well, now it's X) the author of the attack. Again, chip cards are newer, NFC, contactless, but always make sure who you're dealing with;

any red flag where you're making the transaction, yeah, do not use it. And remember, there's also a possibility to load external scripts onto the device and make them coexist or interact with the legitimate operating system. These are some of the highlights of this paper. Hopefully I gave you useful information to make you want to learn more. There is actually, on the RAM scraping, another group that is currently developing on this, and if you want to know a bit more about this paper and more details, it's actually published with the IEEE; you can

scan this with your phones and have a look at it. Thank

you.

All right, thank you for that. This is a little gift from BSides Sydney, and just now we can take some

questions. Did you work out why there was an FTP server on it? Did you work out why there was an FTP server on it?

Yes, yes, so the FTP server was to update the firmware of the device.

Oh sorry, FTP server?

The FTP server, yeah, yeah, yeah, so it was used to update the firmware.

So I guess the firmware was signed, I hope?

Yes, but also you can develop your own firmware, you don't have to use the firmware given by Barone or by any of those companies; you can develop your own firmware, you can download it from external sources and load it onto your device.

Okay, I'm just going to ask some technical questions now because I'm interested. You mentioned that the encryption by the device is triple DES, so that's encryption in transit, right, not at rest? Okay, so you mentioned the PIN; are you talking about the PIN of the device or the PIN of the user putting in their card?

The PIN of the device.

The PIN of the device, so accessing the device's higher functions, that's what you're talking about? Okay. The other thing was about the encryption of magnetic stripes. Now obviously it's old technology, and you're saying it's not encrypted in transit?

It is encrypted in transit, but it's an old one.

But it's an old one.

You can, yeah, that is an old one. So it is encrypted in transit; we weren't able to see the transaction details when we were capturing the packets, so it is encrypted. But again, these details that are in transit are existing in your card, so if you swipe the magnetic card with a reader you are able to see the card details, the expiration, your name, and all of those; that's why, they are sitting there, they are sitting in your card. So if those cards are lost or misplaced you should immediately block it, because somebody can come and read the information hosted in those cards and make a new

card out of it. It's very easy, to be honest; I've cloned a few cards myself. So that's very unfortunate.

Okay, so you're talking more about the magnetic stripes, that obviously can be done the really old way, with a cassette deck or something, versus the SoC that is on chips?

Yes, correct.

Okay, all right, no, that's cool.

Even though magnetic stripes, he's saying it's quite old, yes it is old, but it's still relevant: if you walk around, people are still using those to pay for petrol, the companies are loading those gift cards and giving them to employees to

pay for petrol. I don't know if we use Prezzy cards here; so Prezzy cards are gift cards given to employees to go to Westfield mall to spend some money. How do you pay? They are not chip cards, they are magnetic stripe cards. So it is still relevant, and they are loaded with money. So again, you lose it, I walk around, pick it up, go home, make a copy of it, throw it, and I'm good to go. That's security.

Awesome, that's very informative. Anyone else? Last chance to ask a question. Okay, that's good, here we go.

Very interesting talk, and one thing you said, you cloned a lot of your cards? I'm

kind of curious what type of methodology you're actually using to clone, because I know there's a lot of emulators out there like Flipper Zero and stuff, but Flipper has a negative point: you can't actually clone cards from a bank because they have encryption and stuff that you can't really decrypt using Flipper. So I'm kind of curious about the approach you used to clone the card.

Wow, so, yeah, Flipper is mainly focused on NFC, contactless, so it's a whole new world from here. Magnetic stripes: yes, I did clone some cards, and they were bank cards, and so what this is, this is a machine that is

basically just reading and writing magnetic stripes. So you have a little software running on one machine, you connect your magnetic stripe reader and writer to that machine, and swipe it; you will get all the details of the card in the software, and then it will ask you, do you want to write this or do you want to save them? Go write, and then you use another magnetic stripe card, it doesn't matter if it's blank or new, you can use a gift card that uses magnetic stripe, just swipe it again, and basically you have a duplication of any card, of the card that you are making a duplicate of.

Okay, so you

definitely need close contact with the machine to read it, rather than just doing like Flipper?

Yes, yes, yes, it's simple, it's just through cable. But yeah, Flipper is on the NFC, on the contactless. I know that now, making a copy of those NFC or other cards like bank cards is not possible. But there is a stall here that's selling Flipper, so he was telling me that you can also reload, or unpack and repack the firmware; Momentum is the one that the Xtreme developers are working on, so that's a new technology they're doing. Thank

you.

Just quickly on that, it's obviously a common thing, people's fear of the Flipper Zero and copying cards; just to reiterate, the system on a chip on your magnetic cards has encryption at this time, right, so it can't be replicated, that's what you're saying, right? At the moment anyway, it's not something that people can go and just copy your card?

No, not for the bank cards, no.

Just to debunk that myth which you see online, it's not real. Okay, any last questions? No? Last one of the day, that's it. All right, wrap it up. Thank you very

much, it's very awesome, thank you, thank you.

Been turned on? So that's the last one of the day, and I think we've got a networking event at 5:00 upstairs, so you can probably take a break and walk around in the meantime and we'll catch you afterwards. Thank you.