Shopshifting: Warning about potential payment system abuse
SRLabs
Fabian Bräunlein <[email protected]>, Philipp Maier <[email protected]>, Karsten Nohl <[email protected]>
Slide 2: Card-based payment relies on two protocols

Cashier station <-- LAN: ZVT or OPI protocol --> Payment terminal <-- Internet: ISO 8583 / Poseidon protocol --> Payment processor

Payment terminal:
§ Read magstripe or start EMV transaction
§ Ask for PIN

Message flow: the cashier station sends an authorization request to the terminal, the terminal sends encrypted payment details to the payment processor, and a confirmation flows back from the processor to the terminal and from the terminal to the cashier station.

This talk investigates the security of the protocols used to make cashless payment happen.
Slide 3: Agenda
§ Local payment abuse
§ Poseidon shopshifting
§ Evolution need
Slide 4: ZVT allows unauthenticated access to magstripe data

ZVT protocol
§ Configures and controls payment terminals
§ Designed for serial, now TCP-based, unencrypted
§ Originally designed by G+D in the 1990s
§ Now actively used by ~80% of payment terminals in Germany

Message flow shown on the slide (cashier station, attacker, payment terminal): ARP spoofing to become MITM; Authorization_Req; Read card; Magstripe and chip details; Authorization_Req including magstripe; Confirmation.
Slide 5: Access to PIN requires cryptographic MAC

How PIN entry usually works:
§ ZVT: Authorize with PIN
§ Inside the payment terminal, the main CPU tells the display & PIN pad HSM "Do PIN transaction"; the HSM requests the PIN from the customer and returns it to the main CPU as an encrypted PIN
§ Poseidon: Encrypted transaction with PIN

Abusing the text display instead:
§ ZVT: Authorize without PIN ("Lastschrift")
§ Poseidon: Transaction with no PIN
§ ZVT: Text display with numerical input, MAC; the main CPU passes "Display text, MAC" to the HSM, which requests a number from the customer and returns it unencrypted: the PIN

Attackers would need a MAC to steal the PIN from ZVT. The attacker should not be able to create a valid MAC since the MAC key is protected within the HSM. Is it?
Slide 6: HSM leaks MAC through timing side channel

The main CPU sends the MAC; the HSM CPU compares the MAC. The main CPU is easily hackable: active JTAG, RCE, … The HSM protects secrets and should be much better secured.

| MAC | Response | Response time |
|---|---|---|
| 00… | Fail | 26.000 |
| 01… | Fail | 26.000 |
| 02… | Fail | 26.000 |
| 03… | Fail | 26.005 |
| 0301… | Fail | 26.005 |
| 0302… | Fail | 26.010 |
| 0302AF…05 | Ok | 26.040 |

§ MAC comparison is done byte-by-byte
§ Response time leaks complete MAC within minutes
§ MAC is not terminal-specific: works across many different terminals
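The slide's root cause in code, as an added illustration that is not SRLabs' or any vendor's code: a byte-by-byte compare that stops at the first mismatch does an amount of work, and therefore takes a time, that depends on how long a correct prefix the caller supplied; a compare that always examines every byte does not. The expected MAC value is constructed for the example (only the 0302AF prefix and the trailing 05 mirror the slide), and "bytes examined" stands in for response time so the dependency is visible without a stopwatch.

```python
import hmac
from typing import List, Tuple

# Constructed 8-byte MAC for the example; only the prefix 0302AF and the
# final 05 mirror the slide, the middle bytes are made up.
EXPECTED_MAC = bytes.fromhex("0302af1122334405")


def leaky_compare(expected: bytes, candidate: bytes) -> Tuple[bool, int]:
    """Byte-by-byte compare with early exit, as the slide describes the HSM doing.

    Returns (match, bytes_examined). bytes_examined is a stand-in for
    response time: it grows with the length of the correct prefix.
    """
    examined = 0
    for e, c in zip(expected, candidate):
        examined += 1
        if e != c:
            return False, examined          # stops at the first mismatch
    return len(expected) == len(candidate), examined


def constant_time_compare(expected: bytes, candidate: bytes) -> Tuple[bool, int]:
    """Fix: examine every byte and never branch on the data.

    Returns (match, bytes_examined); bytes_examined is the same for any
    candidate of the right length, so the response time carries no signal.
    """
    if len(expected) != len(candidate):
        return False, 0
    diff = 0
    for e, c in zip(expected, candidate):
        diff |= e ^ c                        # accumulate differences, no early exit
    return diff == 0, len(expected)


def stdlib_compare(expected: bytes, candidate: bytes) -> bool:
    """What production code should call: the library's constant-time primitive."""
    return hmac.compare_digest(expected, candidate)


def work_profile(expected: bytes = EXPECTED_MAC) -> List[Tuple[str, int, int]]:
    """Bytes examined by both compares for the guesses shown on the slide."""
    prefixes = ["00", "03", "0302", "0302af"]
    guesses = [bytes.fromhex(p).ljust(len(expected), b"\x00") for p in prefixes]
    guesses.append(expected)
    return [(g.hex(), leaky_compare(expected, g)[1],
             constant_time_compare(expected, g)[1]) for g in guesses]
```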
Slide 7: Demo 1: Magstripe and PIN theft via ZVT over LAN
Slide 8: ZVT also allows local terminal hijacking

Attack preparation (payment terminal, attacker, payment processor):
§ ARP spoofing to become MITM
§ ZVT: Set terminal ID. Requires a static password, which is the same for all terminals of a processor
§ ZVT: Extended diagnose, which leads to a Poseidon extended diagnose towards the processor and returns limits, merchant banner, …; the attacker swaps the banner

Transaction hijacking:
§ If the terminal was already configured to the right port: transactions are done under the new terminal ID, money goes to the attacker
§ Otherwise: stay MITM, change port
Slide 9: Demo 2: Redirect merchant transactions to attacker account via ZVT

Small complication: attackers need their own merchant accounts.
Slide 10: Agenda
§ Local payment abuse
§ Poseidon shopshifting
§ Evolution need
Slide 11: Poseidon's authentication model is simply wrong

Poseidon protocol
§ Dialect of global payment standard ISO 8583
§ De-facto standard in Germany
§ Strong monoculture: only one backend implementation, used by all processors
§ Apparently also used in France, Lux, and Iceland

Poseidon initialization: the payment terminal sends its terminal ID to the payment processor, which answers with the terminal configuration, encrypted with the terminal key.

Poseidon authentication uses pre-shared keys, similar to VPNs. However, the key is the same for many terminals! This cannot be secure.
Slide 12: Few parameters are needed for Poseidon initialization

1. Google (or brute-force over ZVT, or read through JTAG, …)

Document shown on the slide (translated from German):

TASK Technology GmbH
RETAIL AUTOMATION SYSTEMS
Kurt Kastner
Page 1 / 2
TASK Technology GmbH, Nobelstraße 9 - 13, 76275 Ettlingen, Germany
Commissioning Artema hybrid TeleCash TA 7.0
Version 0.8 (preliminary) – 3 December 2009
Confidential – for internal use only
Versions
Operation at the petrol station requires at least version 55.03 of the terminal software.
TaskSTAR POS requires at least V3.05.00 SP2 Hotfix TA 7.0.
Passwords
Cashier: 000000
Service technician: 210888
IP addressing
Unless the DSL connection or the existing in-house network dictates otherwise, fixed IP addresses with subnet mask 255.255.255.000 are used. The terminals then receive the following addresses:
Terminal 1: 192.168.001.101,
Terminal 2: 192.168.001.102,
Terminal 3: 192.168.001.103,
etc.
DHCP: normally NO.
The IP addresses for DSL access to the TeleCash payment host are 217.073.032.104 and 217.073.032.105. For Hypercom devices, the port number follows from this formula:
51500 + PU number.
For example, the port number for PU 16 is 51516. Please enter both hosts so that if one host fails, the other can be reached.
As of 3 Nov 2009 there is no DSL access to the test host (PU 99).
During commissioning the terminal asks whether an IP length byte should be used. Normally this is not useful. If initialization does not work, please also try it with the length byte.
As of 19 Nov 2009 the IP addresses of the TeleCash maintenance host are not known. The factory-set values remain in the device. TeleCash will overwrite these automatically via TKM update during 2010.
Slide 13: Few parameters are needed for Poseidon initialization

2. Go shopping (or simply guess TIDs: they are assigned incrementally)
Slide 14: Few parameters are needed for Poseidon initialization

3. Brute-force TCP port
Slide 15: Demo 3: Shopshifting over the Internet: issuing a refund transaction
Slide 16: Shopshifting attack puts merchants at significant fraud risk

Worst case scenario
1. Attacker guesses terminal IDs (they are assigned incrementally)
2. Shopshifts terminals, anonymously over the internet
3. Receives inbound bank transactions (or top-up vouchers) from up to hundreds of thousands of merchants
4. (Perhaps extends attack to other ISO 8583 dialects to scale globally)

Shop-shifting diagram: the merchant terminal registers with the Poseidon backend at the payment processor; the attacker terminal also registers with a spoofed terminal ID, issues refunds to arbitrary bank accounts (paid out via the merchant bank) and creates SIM card top-up vouchers.
Slide 17: Customers and merchants are vulnerable to various payment abuse scenarios

Attack victim: customer or merchant

From LAN
§ Magstripe and PIN theft through ZVT
§ Merchant transaction redirect through ZVT MITM

Over the internet
§ (Variant of ZVT abuse without MITM against hundreds of Internet-exposed terminals)
§ Shopshifting over Poseidon

Common vulnerability cause: missing authentication, or authentication with symmetric system-wide keys (in HSM)
Slide 18: Agenda
§ Local payment abuse
§ Poseidon shopshifting
§ Evolution need
Slide 19: HSM hacking challenge

Secrets are stored in a battery-backed RAM under a plastic cover. When a metal mesh in this plastic cover is breached, the secrets are erased.

Tool of choice: the hacking needle
Slide 20: Needle fits underneath mesh, overwrites mesh check
Slide 21: With security check deactivated, RAM inside HSM can be read
Slide 22: Flash content is read with Arduino
Slide 23: Active JTAG in HSM allows for debugging
Slide 24: HSM compromise affects keys for ZVT, Poseidon, EMV and others

ZVT MAC computation inside HSM: (diagram on the slide)
Slide 25: Agenda
§ Local payment abuse
§ Poseidon shopshifting
§ Evolution need
Slide 26: ZVT and Poseidon are not secure by design

Vulnerability root causes

| | ZVT | Poseidon |
|---|---|---|
| Used with symmetric crypto | System-wide signature keys | System-wide auth keys |
| Also, but not making matters worse | Stored in insecure HSMs | Stored in insecure HSMs |

Both protocols mix "security through obscurity" (system-wide keys) with "security certification" (HSMs). Neither implements "security by design".
Slide 27: Heuristic defenses are needed in the short term

Payment systems need better protocols and more secure hardware! While these are being developed, a few stop-gap measures are available:

Deactivate unnecessary functions
ZVT
§ Remote manageability with static password – should require a confirmation on the terminal instead
§ Magstripe transaction from EMV-capable card (must be checked online since card data cannot be trusted)
Poseidon
§ Refund (activated by default!)
§ SIM card top-up (deactivated by default)

Detect suspicious behavior
§ Terminal IDs connecting to wrong port (already implemented in some places)
§ Serial number changes for a terminal ID (not effective when HSM is hacked)
§ Refunds that do not correspond to a transaction in the cash register (double-entry accounting)
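The three "detect suspicious behavior" heuristics above, run processor-side over constructed records, as an added example that is not from the talk or from any processor's code: the wrong-port check also covers the "stay MITM, change port" step of the ZVT hijacking on slide 8. The record layout, the port values (chosen after the 51500 + PU formula on slide 12) and the cash-register journal are all assumptions constructed for this example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed processor-side records: (terminal_id, serial, port, kind, amount, receipt)
Record = Tuple[str, str, int, str, int, str]
PROCESSOR_LOG: List[Record] = [
    ("TID0001", "SN-A1", 51516, "sale",   2500, "R100"),
    ("TID0001", "SN-A1", 51516, "refund", 2500, "R100"),  # refund of a booked sale
    ("TID0002", "SN-B7", 51516, "sale",   1200, "R200"),
    ("TID0002", "SN-ZZ", 51516, "refund", 9900, "R999"),  # new serial, refund with no sale
    ("TID0003", "SN-C3", 51517, "sale",    700, "R300"),  # provisioned port is 51516
]
# Constructed provisioning data: which port each terminal ID was assigned
EXPECTED_PORT: Dict[str, int] = {"TID0001": 51516, "TID0002": 51516, "TID0003": 51516}
# Constructed cash-register journal: the second "entry" for double-entry matching
REGISTER_JOURNAL: Set[Tuple[str, str, int]] = {
    ("TID0001", "R100", 2500), ("TID0002", "R200", 1200), ("TID0003", "R300", 700)}


def wrong_port(log: List[Record], expected: Dict[str, int]) -> List[str]:
    """Terminal IDs seen on a port other than the one provisioned for them."""
    return sorted({tid for tid, _, port, *_ in log
                   if tid in expected and expected[tid] != port})


def serial_changes(log: List[Record]) -> List[str]:
    """Terminal IDs presenting more than one serial number. As the slide notes,
    this check is not effective once the HSM holding the identity is hacked."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for tid, serial, *_ in log:
        seen[tid].add(serial)
    return sorted(tid for tid, serials in seen.items() if len(serials) > 1)


def unmatched_refunds(log: List[Record], journal: Set[Tuple[str, str, int]]):
    """Refunds with no matching sale in the cash register (double-entry accounting)."""
    return [(tid, receipt, amount) for tid, _, _, kind, amount, receipt in log
            if kind == "refund" and (tid, receipt, amount) not in journal]


def find_suspicious(log=PROCESSOR_LOG, expected=EXPECTED_PORT, journal=REGISTER_JOURNAL):
    """Run all three heuristics and return the findings per category."""
    return {"wrong_port": wrong_port(log, expected),
            "serial_change": serial_changes(log),
            "unmatched_refund": unmatched_refunds(log, journal)}
```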
Slide 28: Other payment standards appear equally vulnerable

Main ZVT alternative: OPI
§ Open Payment Initiative protocol is more modern than ZVT: XML-based, 2003
§ Still lacks authentication and encryption
§ Misses some of the functionality that can be abused in ZVT (good!)
§ Vendors use proprietary extensions to bring back such vulnerable functionality in OPI (bad!), including remote maintenance

Poseidon's family: ISO 8583
§ Poseidon is one of many ISO 8583 dialects
§ System-wide symmetric keys, Poseidon's Achilles heel, are not mandatory in ISO 8583
§ It does not appear that current terminals go through key exchanges as part of their initialization, suggesting that other ISO 8583 dialects also suffer from Poseidon's security issues
§ International security research community: your help is needed
Slide 29: Takeaways
§ Payment systems allow for magstripe/PIN theft and remote attacks on merchants
§ Victims of card abuse should fight their banks, researchers should help
§ Payment protocols need actual authentication using individual keys

Questions?
Fabian Bräunlein <[email protected]>, Philipp Maier <[email protected]>, Karsten Nohl <[email protected]>