Millions of point-of-sale systems and hotel room locks can be hacked by temporarily placing a small, inexpensive device several inches away from their card readers.
The device, due to be presented Sunday at the DEF CON conference in Las Vegas, is the creation of Weston Hecker, a senior security engineer at Rapid7. It was inspired by MagSpoof, another device created last year by security researcher Samy Kamkar.
MagSpoof can trick most standard card readers to believe a certain card was swiped by generating a strong electromagnetic field that simulates the data stored on the card's magnetic stripe. Kamkar presented it as a way to replace all your cards with a single device, but Hecker took the idea and investigated what else could be done with it. He started by looking at point-of-sale systems and found that many of them treat the card readers as standard USB human input devices and would therefore also accept keyboard input through them.
Hecker created a device that's similar to MagSpoof and which, when placed near a card reader, will send malicious keyboard commands that will be executed on the point-of-sale system. This means an attacker could use such a device to remotely open a command prompt on the system and then use it to download and install memory scraping malware through the necessary keyboard commands.
The vulnerability is not vendor specific, the attack affecting most PoS systems that run Windows and are designed to work with a keyboard, according to Hecker. This design is popular and such payment systems are widespread. An attacker would need to place the device within four-and-a-half inches of the reader in order to ensure that there is no interference and packet loss. However, because the device is about the size of a deck of cards, it can be easily hidden in the attacker's sleeve or in an empty phone case. Then it's only a matter of creating a situation where the PoS remains unattended for a few seconds, like asking the cashier to summon the manager.
Rapid7 reported the design flaw to US-CERT, which is in the process of identifying and notifying affected vendors. Unfortunately, the flaw will take a long time to fix even if vendors develop a software patch because many PoS devices require manual updating by a technician.
Hecker also found a way to use his device on electronic hotel door locks, which also typically work with magnetic cards. Unlike the PoS attack, where the goal was to infect the system, in the case of hotel door locks, the goal is to brute force the data encoded on the associated key card. The data on room access cards are not encrypted and consist of a record ID generated by the hotel when a guest checks in, the room number and the check-out date.
The date can be determined or guessed easily because a hotel stay is usually limited to a few days, and the record ID, or folio number, can be brute-forced using Hecker's device because it's typically short and is increased sequentially with each new guest. This means that an attacker can have a pretty good idea about the range of numbers to test by reading data of another card -- for example, his own.
Hecker estimates that brute forcing a typical room lock in a hotel with 50 to 100 rooms would take around 18 minutes. Brute forcing a special key, like those used by maids and staff, would take around a half an hour. The nice part, for the attacker, is that he can even leave the device working on the door and be notified on his mobile phone when the correct data combination has been found.
This is another design flaw that seems to affect many vendors, Hecker said. The best fix would be for folio numbers to be made larger and to be assigned randomly to new guests. Adding encryption to the process would be better, but would almost certainly require replacing the existing system with new encryption-capable locks, he said.
110 Reykjavik, Iceland