Security Research
Re: Hacking POS Terminal for Fun and Non-profit

About the Author

Matt_Oh

Twitter: @ohjeongwook.

Comments
Facon12

You are potentially getting duplicates of the credit card data the way that you are because the card reader is probably reading track 1 and track 2 of the credit card and your logger doesn't know to distinguish that.

Matt_Oh

Hi Facon12. 

 

Actually, the data is not duplicating in a way that track 1 and 2 repeat. The same characters just repeat twice; for "A", it becomes "AA" for some reason. The keylogger was hooking Windows messages, and maybe it is related to the way the magnetic reader's device driver works.

Textbook

I install and provide tech support for over 150 individually-owned stores using Aloha POS.  The offline mode that the POS terminal is in will only last for 3 weeks.  It's called "redundancy mode" and if the computer hasn't received network communication from the ctlsvr service running on the back of house fileserver computer (server) in 21 days, then the software will stop functioning completely.

 

Our terminals are pretty much configured the same way and we're aware of the security issues.  We do not have our POS terminals connected to the internet.  They are only connected on the local network, and everything gets routed to the back of house computer for processing.

 

We have a VNC service running on the terminal so that we can log into the terminals from the BOH to provide tech support.  The VNC password is not aloha for us, since we configure the POS terminals ourselves we can set it to whatever we want.

 

We disable Windows Updates on the terminals because we don't even have our terminals connected to the internet.  Windows Updates are enabled and kept updated on each store's BOH.

 

The credit card processing software running on the back of house computer is called Aloha EDC and it is susceptible to memory-scraping POS malware.  We had two sites last year infected with the AlinaPOS malware via targeted emails that bypassed antivirus software.  That particular malware would scrape the card numbers from memory on the BOH computer.  We have since stopped using the Aloha EDC software for any new stores and have slowly been converting existing stores to the same system.

 

Our company is currently in the process of developing a custom POS software to replace Aloha system-wide.  Until then, we will continue to use Aloha POS.

Matt_Oh

@Textbook.

 

Thanks for the really detailed info to understand the real world working environment. :)

asdfasfsdfads

Interesting, but you need to attack the BOH server.  Unless it's a really screwed up environment, you won't see the terminals on anything but an isolated LAN / VLAN.  

iifdjasodiJASDOIA

Also, I believe the CHD is encrypted on newer terminals, and the reader does not emulate a keyboard.

Matt_Oh

Honestly, acquiring a BOH server for pen-testing is not so easy. FOH research can reflect how the overall environment might look. Also, I believe some components like messaging services will be the same on the BOH. Definitely, it will be a good research subject to check with newer terminals.

Matt_Oh

For the curious people, here's the product version of the software. I'm pretty sure this machine was used until it was sold early this year.


Matt_Oh

For the record, I'm putting the link to NCR's response blog on this blog.

 

http://blogs.ncr.com/hospitality/hospitality/hacking-pos-terminal-funand-criminal-profit/

 

Techno-functional Payment expert

Hi Matt,

 

Thanks for the very detailed analysis of AlohaPOS. I read both your blog as well as NCR's.

 

Assuming a layered security infrastructure exists at the enterprise level, the moment back-door access is obtained from the BOH server, it's quite easy to play around with the FOH vulnerabilities. Things like passwords and shares cannot be granted.

 

If someone can get access as a MITM (man in the middle) at the FOH level (the store outlet's network), they still may get through to the credit card and employee information.

Tony Pelliccio

Yeah, security is an afterthought on most POS systems out there including IBM's products. 

ertertertertertert

It may surprise people but I used to work for a company that made POS and they would share the whole drive with full privileges and no password. When I brought this to someone's attention, they couldn't understand how this was a problem. All they could say was "Well, no one else will be on the network other than our stuff".  I will not name the company but the fact that they shared the whole drive with no password meant that anything could infect the OS.

 

Oh well.

Typhoon87

If 5.3 is the core version, that is old. 66.4 was out in 2008 and 6.7 has been out for some time. I can't say the new builds are inherently more secure, but upgrading once every decade or so probably isn't a bad idea.

geirb

You probably get each character twice in the keylogger because it logs both the WM_KEYDOWN and WM_KEYUP messages.

Matt_Oh

Just for your reference, this article has been featured in Computerworld, ITworld, etc.

 

http://www.computerworld.com/s/article/9249825/Aloha_point_of_sale_terminal_sold_on_eBay_yields_security_surprises

 

Thanks.

erik hutson

You hacked version 5.3, which is no longer even supported by NCR. It should be the responsibility of the owner to properly upgrade his systems to continue to meet PCI and security standards. Aloha is now up to v12.3 and higher, to give you a reference for how outdated this system is.

Matt_Oh

@erik hutson

 

I think the issue is more complicated than we think. I'm not so sure the owners clearly understand the security implications of using old POS terminals. Should the vendor support an almost 10-year-old POS terminal? Not so sure. In the real world, people are using really old machines, and they are set up in a very vulnerable way. I don't want to take a who-to-blame approach. We'd better know the reality first to fix any problems, and this blog only focuses on revealing basic truths.

William Sze

Hi, the most interesting part of this is that it's being done by an HP researcher and the blog is actually on an HP.com domain. A lot of companies won't touch pentest research with a ten-foot pole, much less let people actually blog about it on the company website. Anyway, I am a little bit confused about the POS system which is in my shop. I am using a POS system from Alliance Bankcard. I will consult with Alliance Bankcard about my POS system. Thanks for the valuable information. Thanks again.

Philimanjaro

Great article, I appreciate all of this valuable information.

As another commenter pointed out, these POS devices are usually on an isolated network unless the environment is screwed up. I am a penetration tester with many years of experience, and there are more screwed up environments than there should be. In addition, there has always seemed to be a dual-homed server on the network that allows for network pivoting into this typically unroutable network. With that said, the not-so-fun part about being a penetration tester is that we must adhere to the proposed scope of the penetration testing engagement. As in, a client may ask us to test the security and potential exposure of their POS systems, but exclude other machines from the scope. A real attacker may hack the in-store password-protected WiFi, use that to access the corporate network, compromise a system on that network with a dual-homed connection, and pivot into the internal POS network.

With these other potential attack vectors sometimes out of the penetration testing scope, it doesn't give the company a real-world risk assessment. Point is, just because a POS network is technically isolated, this isn't a valid excuse to keep these systems out-of-date and completely vulnerable. There is almost always a way into the network and underlying systems. No encryption? Open VNC ports that are probably vulnerable to the VNC bypass vulnerability due to outdated software? These are completely vulnerable, as the author has outlined.
