>>So um, I’m here to talk to you today about doomed point of sale systems, so if you’re not here for that talk then uh I hope you enjoy it anyway. Um, so, my name’s Nolan Ray, um, I’m a former security consultant and uh I work se-uh-security engineer now. Um, and I’m sort of an adrenaline junkie, uh an outdoor day drinker, I’m romantically available so keep that in mind [laughter] y’know um. And of course I’m a hacker which is why I’m here today to talk to you guys, um, about our target, right?
So after a couple drinks and uh ebay-ing things that make my, uh, credit card statement sad later. Uh I bought a whole bunch of these, uh, Verifone MX nine hundred series terminals. There’s the nine fifteen and the nine two five. Uh, they’re pretty similar so I’m gonna mainly focus on the the nine two five. Really the only difference is the display size. Um, [cough] awesome. So basically, uh, I, my motivation for this talk is that these things are everywhere so I hopped out of my, uh, my cab actually or hopped into the cab at the airport on the ride here and there was actually one of these sitting on the back of the seat. And also, uh, I assumed it would be a pretty hard target and I love hacking at hard targets. 
Um, [cough] oftentimes also companies use these, uh, and actually encryption on these terminals to justify really weak access controls elsewhere in their network. And uh I don’t think that’s great. And also the companies that do care often don’t have the internal resources to validate any security claims that vendors make. Um, or and really investigate the security of these devices themselves. So, I wanted to shed some light on that from a third party perspective. And of course really, uhI just love doom. Uh and I wanted to play doom on one of these things and, y’know, so had to do that. 
So, um what this talk is not. This is not an exhaustive comparison of all pin pads or card terminals. Um and it's not an endorsement or an indictment of any specific vendor. This is just one specific terminal that I decided to go after because I bought enough of them. Uh, and, y’know that’s kind of where this is at. And it's not a guide to configuration or compliance so if you’re here for that I’m sorry. 
Uh, what this talk is is an in depth dive into one line of devices and how they’re hardened and of course exploits so hopefully you guys enjoy that. 
Um, so previous work, uh, that other people have done . You’ve got lots of more nefarious people who don’t want to run doom and instead want to steal credit cards. And of course a lot of one of their common things is skimmers that they go after. And of course there was a little while back a security research labs put pong on a couple payment card terminals and now that’s more along the lines of like work that I support, y’know. Um, [cough] and then additionally, uh, Cambridge research labs, uh, Cambridge computer labs, uh, actually does a whole bunch of work on tamper resistance of these different terminals and also just general EMV protocol exploits. Pretty cool stuff. Uh, additionally at uh RSA, uh uh, Trustwave and Bishop Fox uh guys actually presented a survey of previous point of sale attacks and these, uh, y’know previous attacks analysis of them and one of the really interesting things that came out of this at least from our perspective for this talk is that ninety percent of these devices actually use the default pin in the field and that’s gonna actually matter a lot later as we keep talking. 
Um, and of course you've got things like your Target breach, so there’s that, um, [cough] y’know we all know about that. 
So let’s get knee deep in the dead and dig into the first level and look at how, like an overview of our device. So, the first thing, uh, it runs Linux under the hood. You saw that little tux penguin in the first, uh, photo. They call it V/OS I assume for Verifone OS. Uh, and it runs a four hundred megahertz, ARM eleven, thirty-two bit RISC processor. And unfortunately it runs the ARMv6 instruction set so if you ever had to cross compile anything for the originally raspberry pie A and Bs then you know how much of a pain in the a** it is to cross compile anything for these devices. Um, but unfortunately, y’know that’s that’s where it is. And of course it has five twelve megabytes of ram, um, two fifty-six flash, two fifty-six SDRAM. And, uh, of course a four or seven inch display. So this is a massive display. Y’know throw out your home entertainment center. Get rid of your gaming computer. This is all you need. Awesome.
So, connectivity. How do these things talk to the outside world. So, um, what you usually have is, uh, there’s a lot of different ways and it completely varies depending on the device configuration and the store configuration. Um, what you see here, uh, in this picture is actually an IO module, uh, that you can swap in and out and that supports ethernet, wifi, bluetooth, RS-232. These ancient IO uh modules from the MX800 series. So if you have some really old hardware you can, uh, still use that with your newer payment terminals. And they generally expose the-the same functionality That’s kind of what matters to us here. You can request a transaction. You can, uh, make it display different pages that have already been loaded on the devices. Stuff like that. 
Um, [cough] the truly remote attack surface of these devices cause obviously, the, we always wanna like have a completely remote exploit. That’d be awesome. Uh, but unfortunately there's only two TCP ports open in normal operation. And this is only if you actually have a device that’s actually running the ethernet module which a lot of them aren’t. And these, uh, services expect XML messages and sometimes you get DHCP, um, good luck, y’know writing some DHCP exploit if you’ve been sitting on an oh day for that for a long time, y’know maybe talk to me about that.
But anyway, um, [cough] so in normal operation of this, uh, you've got this frmAgent dot exe running as usr1 and that is actually an ELF binary so I don’t know why it's named dot exe. But, um, essentially, [chuckle] that, uh, kind of sits there and it handles all the different connectivity. Uh, and it configure-communicates with all the configured interfaces. So, that’s usually USB or ethernet. And really y’know it doesn't expose much attack surface again only two network ports if you’re in, uh [cough] uh if it's in ethernet mode. Uh, and then there’s also several daemons running as different users that expose, uh, IPC for privileged operations so if you want to request a card swipe that's going on in the background. But you can't directly get to any of that functionality. So really for normal operations-well when one of these things is running in its normal operation mode processing credit cards. Without physically interacting with it there's not a lot of attack surface. So what is that physical attack surface though. So first of all, uh, you’ve got the smart card reader, mag stripe reader. Um, [cough] very limited attack space there. I’m not gonna say you couldn’t pop an exploit with that but if you do, like, I will buy you many beers, um, [cough] uh there’s the USB host port actually and that’s uh the lower image of the two. Uh, that left most, or sorry, yeah uh leftmost RJ45 jack is not ethernet, that’s actually USB so these actually support, uh, USB host and you can plug literally any device you want into there. So you can plug in your USB keyboard. Oh anything that there’s a driver for. Uh, you, removeable storage, y’know. You can get your keyboard and mouse for your gaming rig and stuff like that. That’s-that’s what's important there. Um [cough] um of course you’ve got your USB over serial um that you usually talks to those computers, um, if that’s the way the device is configured to be communicating with the point of sale system. And you’ve got several com ports as well for um [cough] uh y’know of course  uh more communications operations. And then there's an SD card slot because of course on your secure terminal you want removable storage, uh, obviously these aren’t really used and usually they’re on the back of the device where its inaccessible, um, unless you steal it. And there’s this BERG port that supports the ancient uh, uh, MX800 series peripherals. 
So if we want to disassemble one of these and like start poking at it. Cause usually it’s like someone who’s a little more on my level my first desire is to go after like a hardware exploit, dump the firmware so we can reverse the firmware and exploit things. But it turns out there's a bunch of tamper resistant hardware in these. And it's actually done pretty well and it's uh mechanical, um, g-generally mechanical mechanisms such as the one pictured here on the left that’s actually a series of traces on the PCP and if you drill into the PCP you’re gonna trip one of them and then y’know you won’t be able to tap into the device. And there’s lots of these throughout the, uh, the-the device’s assembly and the device really likes to wipe itself if you open it up so that’s kind of unfortunate. Um, but, luckily, [chuckle] it's not necessary to get the firmware. So, y’know, I’m very lazy. I want to go back to outdoor day drinking so why bother, um, y’know setting like-doing some elaborate hardware hack and killing a bunch of these devices when it's not necessary. But I did void my warranty and uh that I don’t think came with the ebay purchase and teared this apart for your viewing pleasure, um, you can look at these in the slides later. 
Um, so really that's kind of your overall tax service but there's this magical mode called administrator mode and this is great. Um, and what we have here is if you walk up to one of these terminals and you press one five nine and then you enter the default pin which you can find in the manual online. Uh, I’ll leave that as an exercise for the reader. And uh, [chuckle] um of course now all of a sudden you have a massively increased attack surface. You still can’t load your own arbitrary code on the device but you can exercise a lot more functionality. You can get all kinds of diagnostic information so you can get all kinds of software versions and start pulling down those open source pieces of software, reversing them at the code level. I, uh, look for public CVs things like that and of course if you actually have signed firmwar-er signed applications from that are-traces up to the Verifone route of trust you can install software there’s a little bit of a tax surface there as far as like, y’know fuzzing the parsing of those pac-like those packages and things, but unfortunately for our purposes we don’t have a signatur-uh, uh, certificate to sign this so it's not very useful to us. 
Um, and of course you know the software updates. Uh, this is a picture pulled from their manual. Um, it basically just says if you don’t have an intermediate certificate signed by verifone you’re not gonna install software on this device sorry. Um, and of course, uh, most of the in- software update mechanisms actually require manual interaction and so this is gonna matter because a lot of these devices in the field don’t get software updates so even though there's a lot of really good software updates that drastic-dramatically improve the security of these devices. A lot of them in the field don’t get those and of course the updates must be signed so it's not very useful for us to install our video games. So, [cough] um of course we can load, uh, encryption keys, again signatures required. But more interestingly we can configure a lot of, uh, kind of, uh, configuration settings. So, for example we can change all these ethernet settings and reroute traffic somewhere else. Um, we can, uh, essentially change all of the different settings in the user, uh, mode program that's running. And most of this can be used, y’know, some of this data gets maybe shelled out or maybe it gets parsed by something or changes some setting that gives us extra attack surface. So this is all areas you can kind of chase down different rabbit holes, uh, looking for exploits. 
Um, but more interesting is this file manager. This is cool, right. I like managing files. Um, so you can actually use this to copy files off of the device to a removable storage you plug in via the strange RG45 USB port. Um, but you can't copy anything to the device unfortunately because that would violate the whole signature, uh, structure. But, a creed of hackers, since it allows you to copy everything from the entire root file system, uh a creative hacker might go to proc self and y’know copy some interesting files and maybe you copy proc self cmdline because you wanna find out what binary its running, uh, so that you can actually, uh, copy that into IDA and stop reversing it and looking for exploits. Uh, but when you do that you might actually see that proc self cmdline is actually uh cp your target file proc self cmdline, uh, mount usb store. So, okay, it's shelling out to copy this. Well that's interesting. What if we add some strange characters to file names. Um, [cough] as a hacker usually does and of course with a couple semicolons some uh dollar signs IFS’s some weird forward slashes and directory structures you can actually pop command injections interface and that gets you your first shell so great, wow, we’ve got command execution, we’re going along. This is gonna be so exciting except really we can’t do anything. We need to start privilege escalating. Because it turns out this binary uh it’s actually running is sys4 user. And the sys4 user uh actually can’t backdoor our um [cough] our standard user mode application. It can’t really get it anything interesting. It can’t read the mag stripe data. Its pretty boring, uh, we’re at that level of access. So we start looking at ways to get root. And unfortunately there are no SUID binaries on the entire file system. So even if you knew the root password you couldn’t SUID a root because SUID is running as sys4. Um, there’s only six processes running as root, uh, and only three of them expose IPC mechanisms so really these are your main way of trying to get root on the device so this is a pretty hardened attack surface. Um, and of course there’s reasonably good file system permissions and I would say on the newer models even excellent uh file system permissions. Um, and so, uh, even if you managed to find some kind of issue with those that might let you tweak something to like pop an exploit on startup or something you’re still gonna end up with a bunch of grsec issues because, uh, functionalities separate by user. But grsec is actually installed in the kernel and it heavily uses the role based access controls, uh, to kind of mitigate a lot of, uh, exploits. Uh and of course if you’re trying to pop a kernel exploit, uh, grsec’s gonna make you have a bad day.
Um [cough] So patch levels, oh my. Uh, under the hood this device runs the Linux Kernel two point six point three one point one four. So, for those of you who keep track of Linux Kernel versions which is not me, I’m pretty sure it's behind. Um It’s uh in fact uh not like a it's-it's far enough behind that uh it's not actually up to date with the two six three one line of security patches but it is grseced so if you’re gonna try and pop a kernel exploit you’re gonna be spending a lot of time doing that. It uses an outdated libxml2 and also a bunch of other outdated image parsing libraries so I guess kind of across the devices you’ll see, uh, open source software is often not as updated as it could be but unfortunately a lot of that is mitigated. Um, because especially in the newer versions of these devices, um, all binaries on the system are actually compiled with fstack protector strong, so all your stack buffer overflows become much harder to exploit. Um, and all writable partitions are actually mounted as noexec so if you’re trying to interact with something that uses like say a sys5 shared memory to pop an exploit, um, you’re gonna have a very bad time because you can’t actually compile your C code, drop it on the system, and execute it. You’re constrained to using what’s on the file system already and so you’d actually have to pop an exploit, uh, a memory corruption vulnerability in something you can execute as your own user just to be able to load an arbitrary code to exploit something running as another user. Um, and of course grsec prevents, um, [cough] any of those noexec bypass of the old two six line. And uh there’s also very aggressive grsec role based access controls, so even if you somehow gained permissions as a different user you’re still fairly constrained about what you can do. And uh in the newer versions um many bugs are patched but still not all. There’s still a lot of code here that uh just uh they’re are still churning through fixing bugs uh there's still plenty in there. 
Now, so let's start looking at those root services. Uh, because those are probably our most interesting privilege escalation attack point cause we need to privilege escalate so we can end up uh being able to access the frame buffer and run doom. So, [cough] uh first of all you’ve got K log D and sys log D and IF plug D, uh, those are pretty boring. But more interestingly the three that expose IPC you’ve got user local sbin secins uh vfinetctrl and svc netcontrol. The later two, uh, we’re gonna dive into each one of these. The later two, uh, are obviously networking related and secins is interestingly enough security related, uh and that’s pretty interesting. Um, there’s also a ton of non root services you could try and pivot through to gain more privileges or maybe be able to access the mag stripe data but I didn’t take that route I wanted to go straight to root. Um [cough] so if we-oh uh download through our file manager or now our shell. Vfinetctrl and start looking at it. It exposes IPC, uh, via, uh, vfinetctrl. It's basically a unix named pipe. And then it exposes about eight operations and they’re all networking related and they’re actually pretty boring so you can pretty quickly reverse all eight of those handlers and none of them have exploits and that makes me sad and probably people who pay with credit cards happy. Um, [cough] however, secins is much more interesting. Now this is a security related binary and I was like, great let's go for that next. Um, it handles package installation and security so there’s a lot to learn there. It handles IPC via unix socket. And it, uh, it also handles grsec configuration on startup of the device which is really interesting. Uh and it also has lots of other interesting functionality. Y’know, CH owning files. Or requesting files to be CH owned if certain criteria are matched. Things like that. Um, and of course, so we want to reverse all this functionality. And uh it ends up if you open it in IDA and take a look at it it's got uh essentially, uh, an outcode, uh a jump table with twenty-two supported uh IPC opcodes, um and each one of them contains fairly complicated functionality and if you spend all of your time looking at this and you spend a couple weekends y’know kind of beating your head against a wall looking for vulnerabilities in each one of these you’ll find out that it's clearly pretty well audited relative to some of the other code that’s sitting on the system. Uh, i guess it had security in the name and it probably makes sense that people looked at that. Um, [cough], so after that you’ll be really sad, uh, and then decide to maybe try for a softer target and take a look at the only other option that’s easy, uh, for, uh easy for privilege escalation. So that leaves us to svcnetctrl. This exposes, uh, IPC via shared five, uh uh sys5 shared memory interface.So it's kind of a pain in the a** to like interact with um but it allows limited users to request changes to network interfaces and so it actually shells out a ton. Um and so that's obviously pretty interesting. And it exposes numerous different functions. So it use-lets you set up different network interfaces, add routes through XML, set the NTP server. All kinds of really fun stuff. Um, and it also has this beautiful binary setting right next to it called svc net test that exercises a lot of this functionality so if you’re trying to reverse it so that you can, y’know, pop an exploit and run doom uh that’s pretty handy.
Um, [cough] now of course this is what that function looks like in IDA. Uh, this is the IPC handler and each one of those little bottom blocks or most of the bottom blocks jump off to extremely much more complicated functions that handle all kinds of things. So obviously there's a lot of attack surface here and so digging into this uh I started going through each one of those boxes that calls out and looking for vulnerabilities. Because I’m-yeah that’s that’s what I do with my life. Um [cough] so eventually I found one that was interesting. I found this uh sprintf to pppd with a dollar sign s-er percent eses so obviously you can see this would potentially be a command injection. Uh, but [cough] unfortunately a lot of the shell metacharacters, well unfortunately for us uh a lot of the shell metacharacters are actually um, uh escaped. However, uh, and spaces are also escaped. But if we look at the uh the manual for pppd, you’ll notice that there’s this beautiful connect option that actually allows you to call out to an arbitrary script to set up, uh, the environment and so [cough] you can actually, uh, although they’ve filtered out spaces they didn’t filter out vertical tabs or regular tabs. So you can actually uh call this uh IPC handler and instead of an IP address or with the IP address add some interesting connect script functionality, uh, and then uh the-it’ll actually happily execute that for you. hm, as soon as uh [cough] uh as soon as you invoke it. So now all of a sudden this is-this is a service running its root and it’ll execute our arbitrary skip-script so we get root. Awesome. We’re super excited. We’re like root, lets run doom, let’s start having a party. We’ll get a LAN party together with these extra devices and then grrrrrrrrsec. Uh, this is a very unfortunate grsec uh kind of made me have a nice bad day. Uh And so grsec’s role based access controls actually constrict even the root user from most file system access. Unless its specifically running under certain binaries. Um, and so with that, uh we still can’t ptrace secins which would be really interesting for uh uh dynamic reversing and there’s no acce-access to the magstripe uh read writer or the smart card uh reader. And uh of course y’know that’s uh unfortunate if you’re trying to steal, uh, credit card data and for our purposes we still can’t access the framebuffer so we can’t run doom and that's what we wanna do so this is very frustrating. So what are our options? Y’know. We can continue staring at the secins uh IPC handler hoping that we missed something the first time um cause I'm not very good at hacking. Um, or we can go for a kernel exploit. Uh but unfortunately grsec’s gonna make that very hard. Uh or we can get creative uh and I like to get creative cause I wanna go back outside and y’know. [chuckle] Get away from my computer. So uh as we’re brainstorming uh we can start and stop other processes with different uh grsec role based access controls. So maybe we can find something that does something interesting that we can trick to do something more- trick into doing something more interesting. Uh, and we can also send signals to other processes so this is uh interesting. Maybe we can send a sig9 and tell something to stop in the middle of doing something. Uh, that could be interesting. Uh, lots of race conditioning ideas there. And of course uh secins can start and stop grsec with gradmin and it does this on startup or anytime you invoke the binary. Um, and on startup it actually turns out if you start reversing that code looking for maybe some kind of exploit you could pop during the boot chain or something uh you’ll actually find that uh grsec disables the role based access control, or I’m sorry secins disables the role based access controls then reenables them to ensure that the roles are loaded correctly. Uh and it does that instead of refreshing them and I don’t know why. Um, but, uh this is obviously kind of a-a race condition issue so you can see here uh from the binary there's the grsec uh gradmin password of one two three four five six, um, however that doesn’t actually get you anything because the role based access controls stop you from invoking gradmin which is what you use to disable grsec. Um, so you still can’t use that password but what you can see is there’s uh it sets the password and then it uses the dash d option where it executes the program to disable the roles. Uses the dash e option to execute the program and reenable them and of course uh this is a race to the finish so we can actually kill the currently running version of secins, start it up again, uh wait for it to turn off the role based access controls, kindly ask it to stop running, uh before it reenables them and then we have the grsec role based access controls disabled. So now we have a full chain from the file manager all the way up to running root on these devices so that’s awesome. 
So that brings us to our demo time. Um and hopefully, hopefully I’ve sacrificed enough to the demo gods that this works. Um, nope. There it is. Alright, so we’ve got our terminal here uh the screen is changed. Uh, this is just a jpeg I swapped out beca-but I actually got this uh and it had the-the application from the previous company that owned this terminal uh so, [chuckle] obviously swapped that out. But here, we’ll uh take a look. [cough] 
Hmm, no that’s not gonna [inaudible]
Can I uh remove this, [off mic] yeah alright. [inaudible mumbling] Sorry [cough] 
Alright. Okay. Am I on? 
Alright well, [cough] uh Hello? Testing
Testing? Oh there we go. Alright awesome. So we have our device here and we can walk up to it and then uh so normally you would need to plug in your USB drive. Uh I already have that plugged in just to automate this a little bit faster. The port is exposed on the back in most installations and we can press our one five nine. This is gonna bring up our administrative mode. Hopefully it's not too washed out is it? Let's see here. Lower the exposure. There we go. Alright. There we go. Alright. So then we can enter our password, uh that’s gonna bring up our administrative menu here. And then we can actually go into the file manager. Oop, and it's a little touchy. And then go to our root file system, our mount location, our flash drive with strangely named files. Lots of strangely named files. And then we can tell it to copy that file and now our exploit chain’s gonna run uh and this is gonna take a minute because I’m bad at coding and my race condition doesn’t successfully win all the time um so I rerun it over and over. [cough] Um until it works. Uh so this- this is gonna take just about, it usually takes about thirty seconds so all the interaction you’ve seen so far is all that’s actually required for the jailbreak. You can actually walk away from the device at this point. But, um, and then every-it-it- you could manually script it to like actually go through and um y’know just uh complete the back dooring and reboot into the main app um but of course we’re gonna launch our video game maybe if the demo gods love us. 
And I’m gonna get a drink of water here. [pause]
Well, give it one more second. Sometime dooms-doom takes a second to boot. If not we’ll just run it all again [cough]. Of course this would happen. [cough] Ran this like ten times and not a single problem earlier today. Of course. Hmm hmm hmm. Yeah. That’s a lot of people back there. [chuckle] And ooo alright. [grumbling] Some version numbers. Oh well. [cough] Let’s see here. And…
>>[off mic question]
>>Yeah I might switch over to video. Um, gonna let this keep going. We’ll see. Alright. Hmm. That’s frustrating. Op nope there it goes. There we go. Alright. It ran. 
>>[applause] 
>>Alright. Alright. It works. Alright it works. Awesome. [applause] So this is a fully playable doom that we have going on here so this is pretty cool. Um so you can actually start a game and uh we can like start navigating around, y’know, doing this it’s-it’s a little clunky y’know really. It’s probably not my ideal gaming system but y’know we’re on a budget so um [cough] so of course y’know um y’know in this modern economy we-we-we y’know have to pay for everything so I’m gonna swipe a card here. Um this is I believe a four four four four four credit card and that will trigger uh some cheat codes and get us [cough] an amazing little uh, that’s what we want. [applause]. That’s- yeah that’s better. Alright. Let’s see here. Let’s attack the barrel. Oh okay, see we probably should have got a health plan so I assume that in a world where uh Hell has come back to Earth the Republicans are still in Congress and health plans cost a lot but uh luckily y’know um we have a-a black card here um I don’t know if you can- so we have a lot of money and we can just buy amazing healthcare and then uh we can get God mode which is pretty cool and then we’ll buy another uh another chainsaw here. And then uh [cough] we’ll get that back y’know lets see here. Do do doo, now we can go about the-the real uh goal of doom which is I assume disposing of all these dangerous barrels. Oh wait did God mode turn off? Oh well. Well. E-Even with enough money sometimes things get you I guess. But anyway, alright. Cool. Um yeah so that’s that’s the demo. [applause]
So, cool, so that’s the end of demo time. MC Hammer said. [cough] Alright, so what other interesting input do we have, um so if-if we were a little more nefarious or we’re trying to y’know uh execute cheat codes when certain credit cards are swiped, uh there’s some interesting input files we can look at. So we’ve got uh dev a msr which is your mag stripe read writer and now that we’re fully jailbroken we can access all these. Um you’ve also got your smart card uh read writer uh that allows you to basically transceive uh protocol messages over um [cough] uh over VICTL’s. There’s some more stuff that I haven’t reversed that looks like it's related to the smart card. And of course you’ve your dev input event2 which is your pinpad and that’s just a standard keyboard so you can actually just cat that file monitor all the scan codes and then uh actually uh just extract people’s pins that are entered from that. Uh, once it’s fully jailbroken. 
Uh, persistence. So if you wanna actually persist this uh these actually have if-uh-cause ideally right now the state that it’s in if I reboot this it’ll be clean. Um, y-the device actually has uh a pretty decent secure boot implementation. I’m still kind of looking at that. Um but uh essentially what happens is there are software packages uh that are tar files and they have a p7s signature file sitting next to them, uh and uh basically uh these are actually all verified and then extracted onto the file system uh at boot time. And so it requires uh you have to find some kind of either exploit in that parsing code which uh is gonna be actually kinda hard cause if the parsing fails uh and you don’t immediately pop an exploit it deletes the package so the next time you boot up the device it doesn’t have it so I’d recommend not trying fuzzing that with like something that’s system critical cause you’ll turn it into a doorstop really fast. Um [cough] and of course so essentially you’re gonna need some kind of exploit that runs on boot time. And these are um [cough] um definitely possible to find um so there's lots of config options. Things that are parsed different y’know images and other things that you might be able to go after you drop something that’ll get run on boot. Uh But it is gonna require a substantial amount of effort to uh port this over so that it persists across reboots uh however these devices aren’t rebooted very often. 
Uh, data exfiltration. If you wanna get uh data out of the uh [cough] uh the system. You’ve got your uh store network slash internet um and a lot of these store networks actually allow you to route traffic directly out um because they’re not very- they’re not secured very well because they’re excited that uh that every credit card number is encrypted on the device so [cough] um a lot of times that’s an option to you or you can plant some type of pone plug and if you can’t route directly out to the internet somewhere else within the store network to collect data and send it out. Um, of course if the device isn’t connected over ethernet you can’t do that but again a lot of times these point of sale systems are secured very poorly because they uh uh oftentimes merchants rely on these terminals to provide the security so you can probably either exploit the POS system first and then propagate it down to the terminal or vice versa. Uh [cough] and then of course if you have wifi or bluetooth as a module uh there's an infinite amount of things that you can do uh to exfiltrate data, y’know, you could monitor for a specific Mac address and then y’know set up a-a-a ad hoc AP as soon as uh you see it and then send out data over that or something. Lots of ways. You could also uh write out data uh over a smart card. Obviously this requires manually walking up to the terminal and like inserting a smart card to dump them. However after starting to go down this route I redid my math and you can only store about four to five hundred uh credit cards uh numbers like on a smart card so it's a lot of manual interaction for anything so it's kind of uh not that useful. Um, and of course there’s all kind of interesting side channels you could go on so even if uh the store network is completely locked down and you’ve also got um uh [cough] the uh-your point of sale system’s hardened very well. You could actually still have a lot of like, other side channels for example uh you could exfiltrate data over ultrasonic sound, you could use uh of course there’s all these uh air gapping talks at Black Hat all the time- air gap jumping talks at Black Hat where you actually uh use different incidental RF emissions to transmit data intentionally. Uh and of course one of the more interesting ones is actually LED modulation uh you could pretty easily put a camera trained on these uh devices and actually uh monitor the LEDs on the side and then modulate them to transmit data out. Uh and that would actually be a pretty effective way to slowly migrate your card um-uh sorry, your card database off of the device. 
And of course uh mitigations. So, uh-uh for mitigations we have uh obviously don’t use the default pin. Um, so that’s very important. Everything I’ve presented here today can be eliminated by that but again ninety percent of the ones in the field use this default pin, um and so that’s very important. That’s a first step. Um additionally you really need to have uh a process in place to actually update the card terminal software on hopefully a fairly regular basis. Um, ideal-even if its yearly these terminals are actually their security improves leaps and bounds uh between different versions of the software and so getting that on there is very important even if you only do it once in awhile cause unfortunately it's a pretty intensive process to update these terminals which is why a lot of times they’re not done in the field. Uh and of course harden the rest of your store network and the point of sale systems that are connected to it. Um and that’s very important to prevent y’know just defense in depth.
So, vendor response. Uh obviously I reported these issues to Verifone um and they quickly responded um to my vulnerability reports. Um often much quicker than I could actually respond to them so I-I thanked them for y’know being uh very quick about that. And they were able to produce patches and in some cases they had actually already identified these vulnerabilities themself and patched them. Uh however unfortunately a lot of these patches again don’t get out to devices in the field. But overall I’d say that Verifone was uh excellent to work with from a vendor perspective and they didn’t sue me so that’s awesome.
Um [laughter]
So takeaways uh-um use defense in depth to secure the entire store network. That’s very important, right? Number one. Uh where there’s a will there's a way. So if you did uh move all your security to a single device even if it's well hardened uh you can still uh it’ll-someone will still get through. And of course don’t let all your security rely on a single third party device. And more research should be done into different brands and product lines. So uh hopefully someone will go out and look at the other brands and see if y’know this is uh y’know if all of them are well hardened like this or if there’s other ones that are more well hardened. It’d be great to get more research that's uh y’know kind of in the public eye. And of course push for audits and transparency and not marketing. And hopefully push for more automatic update mechanisms. Uh right now uh unfortunately it's pretty hard to update these. And uh-um so we actually would uh it's-if you have a whole bunch of these in the field it's very important to go and uh y’know so-kind of actually request that the update mechanisms uh function and function well and uh allow you to update them on a regular basis. [cough] 
And uh that’s about all I have for you. Uh I’d like- I’d really like to give some greetz out. Thanks very much to uh Fareed Khattak for uh making my slide deck beautiful cause I don’t know how to do anything with any image editing programs. Uh, Mike Weber and Um samuslav for putting up with my neurotic, uh complaints and uh worries about this and also listening to me talk over and over. And uh chaosdata as well for putting up with my c**p. Richo for taking weird uh-uh requests from me about ultrasonic stuff and of course uh Dean Jerkovich for listening to very early drafts of this presentation uh multiple times. So thank you very much. [applause]