shopshifting warning about potential payment system abuse

SRLabsTemplatev12

ShopshiftingWarningaboutpotentialpaymentsystemabuse

FabianBräunlein<[email protected]>PhilippMaier<[email protected]>

KarstenNohl<[email protected]>

Card-basedpaymentreliesontwoprotocols

Cashierstation

Paymentprocessor

LAN Internet

ZVTorOPIprotocol ISO8583/Poseidonprotocol

Authorizationrequest

ConfirmationConfirmation

Sendencryptedpaymentdetails

§ ReadmagstripeorstartEMVtransaction

§ AskforPIN

Paymentterminal

2

Thistalkinvestigatesthesecurityoftheprotocolsusedtomakecashlesspaymenthappen

Agenda

§ Localpaymentabuse

§ Poseidonshopshifting

§ Evolutionneed

3

ZVTallowsunauthenticatedaccesstomagstripedata

ZVTprotocol§ Configuresandcontrolspaymentterminals

§ Designed forserial,nowTCP-based,unencrypted

§ OriginallydesignedbyG+Din1990s

§ Nowactivelyusedby~80%ofpaymentterminalsinGermany

Cashierstation Attacker Payment

terminal

ARPspoofing tobecomeMITM

Authorization_ReqReadcard

Magstripeandchipdetails

Authorization_Reqincludingmagstripe

Confirmation

4

AccesstoPINrequirescryptographicMAC

HowPINentryusuallyworks

ZVT:AuthorizewithPIN

Paymentterminal

Poseidon:Encryptedtransactionw/PIN

Requestnumber

PIN

MainCPU Display&PINpadHSM

DoPINtransaction

EncryptedPIN

UnencryptedPIN

ZVT:Textdisplaywithnumericalinput,MAC

PINPoseidon:TransactionwithnoPIN(“Lastschrift”)

AuthorizewithoutPIN

Attackershould notbeabletocreatevalidMACsinceMACkeyisprotectedwithinHSM

Isit?

Displaytext,MAC

5

RequestPIN

PIN

AttackerswouldneedMACtostealPINfromZVT

MainCPUsendsMAC

HSMleaksMACthroughtimingsidechannel

HSMCPUcomparesMAC

Response ResponsetimeFail

Fail

Fail

Fail

Fail

Fail

Ok

26.000

26.000

26.000

26.005

26.005

26.010

26.040

MAC00…

01…

02…

03…

0301…

0302…

0302AF…05

MainCPUiseasilyhackable:ActiveJTAG,RCE,…

HSMprotectssecretsandshouldbemuchbettersecured

…

§ MACcomparisonisdonebyte-by-byte

§ ResponsetimeleakscompleteMACwithinminutes

§ MACisnotterminal-specific:Worksacrossmanydifferentterminals

6

MagstripeandPINtheftviaZVToverLAN

Demo1

7

ZVTalsoallowslocalterminalhijacking

Paymentterminal Attacker Payment

processor

Attackpreparation

ARPspoofingtobecomeMITM

ZVT:SetterminalID

ZVT:Extendeddiagnose

Poseidon:Extendeddiagnose

Limits,merchantbanner,…Swapbanner

StayMITM,changeport

Ifterminalwasalreadyconfiguredtotherightport:

TransactionsaredoneundernewterminalID,moneygoestoattackerTransactionhijacking

Requiresstaticpassword,whichisthesameforallterminalsofaprocessor

Otherwise:

8

RedirectmerchanttransactionstoattackeraccountviaZVT

Demo2

Smallcomplication:Attackersneedtheirownmerchantaccounts

9

Agenda



§ Evolutionneed

10

Poseidon’sauthenticationmodelissimplywrong

Poseidonprotocol§ DialectofglobalpaymentstandardISO8583

§ De-factostandardinGermany

§ Strongmonoculture:Onlyonebackendimplementation,usedbyallprocessors

§ ApparentlyalsousedinFrance,Lux,andIceland

Paymentterminal

Paymentprocessor

11

TerminalID

Terminalconfiguration,encryptedwithterminalkey

Poseidoninitialization:

Poseidonauthenticationusespre-sharedkeys,similartoVPNs.However, thekeyisthesameformanyterminals!Thiscannotbesecure.

FewparametersareneededforPoseidoninitialization

Orbrute-forceoverZVT,orreadthroughJTAG,…

TASK Technology GmbH

RETAIL AUTOMATION SYSTEMS

Kurt Kastner

Seite 1 / 2

TASK Technology GmbH, Nobelstraße 9 - 13, 76275 Ettlingen, Germany

Inbetriebnahme Artema hybrid TeleCash TA 7.0

Version 0,8 (vorläufig) – 3. Dezember 2009

Vertraulich – nur für internen Gebrauch

Versionen

Für den Betrieb an der Tankstelle ist zumindest die Version 55.03 der Terminalsoftware nötig.

TaskSTAR POS benötigt mindestens V3.05.00 SP2 Hotfix TA 7.0.

Kennwörter

Kassierer: 000000

Servicetechniker: 210888

IP-Adressierung

Sofern durch den DSL-Anschluss oder das vorhandene Hausnetz nichts anderes erzwungen wird, werden feste IP-Adressen mit Subnetzmaske 255.255.255.000 verwendet. Die Terminals bekommen dann folgende Adressen:

Terminal 1: 192.168.001.101,

Terminal 2: 192.168.001.102,

Terminal 3: 192.168.001.103,

usw.

DHCP: in der Regel NEIN.

Die IP-Adressen für DSL-Zugang TeleCash-Zahlungshost lauten 217.073.032.104 und 217.073.032.105. Die Portnummer ergibt sich bei Hypercom-Geräten aus folgender Formel:

51500 + PU-Nummer.

Beispielsweise lautet die Port-Nummer der PU 16 : 51516. Bitte beide Hosts eintragen, damit beim Ausfall eines der Hosts der andere erreicht werden kann.

Einen DSL-Zugang zum Testhost (PU 99) gibt es Stand 3.11.2009 nicht.

Das Terminal fragt bei der Inbetriebnahme, ob ein IP-Längenbyte verwendet werden soll. Im Normalfall ist das nicht sinnvoll. Sollte die Initialisierung nicht klappen, bitte auch mal mit Längenbyte versuchen.

Die IP-Adressen des TeleCash-Wartungshosts sind Stand 19.11.2009 nicht bekannt. Im Gerät verbleiben die werksseitig eingestellten Werte. TeleCash wird diese im Laufe 2010 per TKM-Update automatisiert überschreiben.

1.Google

12


2.Goshopping

OrsimplyguessTIDs:Theyareassignedincrementally.

13


3.BruteforceTCPport

14

ShopshiftingovertheInternet:Issuingarefundtransaction

Demo3

15

Shopshiftingattackputsmerchantsatsignificantfraudrisk

Worstcasescenario

1. AttackerguessesterminalIDs.(Theyareassignedincrementally)

2. Shopshifts terminals,anonymously overtheinternet

3. Receivesinbound banktransactions(ortop-upvouchers)fromuptohundreds ofthousandsofmerchants

4. (PerhapsextendsattacktootherISO8583dialectstoscaleglobally)

Shop-shifting

Merchantterminal

Poseidonbackendatpaymentprocessor

MerchantBank

Registers

Alsoregisterswithspoofed terminalID

CreatesSIMcardtop-upvouchersIssuesrefunds toarbitrarybankaccountsAttacker

terminal

16

Customersandmerchantsarevulnerabletovariouspaymentabusescenarios

AttackvictimCustomer Merchant

FromLAN

§ MagstripeandPINtheftthrough ZVT

§ MerchanttransactionredirectthroughZVTMITM

§ (VariantofZVTabusewithoutMITMagainsthundreds ofInternet-exposedterminals)

§ Shopshifting overPoseidon

Overtheinternet

Commonvulnerabilitycause:Missingauthenticationorauthenticationwithsymmetricsystem-widekeys(inHSM)

17

Agenda



§ Evolutionneed

18

19

HSMHackingChallenge–Secretsarestoredinabattery-backedRAMunderaplasticcover.

Whenametalmeshinthisplasticcoverisbreached,thesecretsareerased.

Toolofchoice–TheHackingNeedle

Needlefitsunderneathmesh,overwritesmeshcheck

20

Withsecuritycheckdeactivated,RAMinsideHSMcanberead

21

Flash content is read with Arduino

22

ActiveJTAGinHSMallowsfordebugging

23

HSMcompromiseaffectskeysforZVT,Poseidon,EMVandothers

24

ZVTMACcomputationinsideHSM:

Agenda



§ Evolutionneed

25

ZVTandPoseidonarenotsecurebydesign

26

Vulnerabilityrootcauses

ZVT Poseidon

Usedwithsymmetriccrypto

System-widesignaturekeys

System-wideauth keys

Also,butnotmakingmattersworse:

StoredininsecureHSMs

StoredininsecureHSMs

Bothprotocolsmix“securitythroughobscurity”(system-widekeys)with“securitycertification”(HSMs).Neitherimplements“securitybydesign”

Heuristicdefensesareneededintheshortterm

27

Deactivateunnecessaryfunctions

ZVT

§ Remotemanageabilitywithstaticpassword– Shouldrequireaconfirmationonterminalinstead

§ MagstripetransactionfromEMV- capablecard(mustbecheckedonlinesincecarddatacannotbetrusted)

Poseidon

§ Refund(activatedbydefault!)§ SIMcardtop-up(deactivatedbydefault)

§ TerminalIDsconnecting towrongport(alreadyimplemented insomeplaces)

§ SerialnumberchangesforaterminalID(noteffectivewhenHSMishacked)

§ Refundsthatdonotcorrespond totransactionincashregister(double-entry accounting)

Detectsuspiciousbehavior

Paymentsystemneedbetterprotocolsandmoresecurehardware!Whilethesearebeingdeveloped,afewstop-gapmeasuresareavailable:

Otherpaymentstandardsappearequallyvulnerable

28

§ OpenPaymentInitiativeprotocol ismoremodern thanZVT:XML-based,2003

§ Stilllacksauthenticationandencryption

§ Missessomeofthefunctionality thatcanbeabused inZVT(good!)

§ Vendorsuseproprietaryextensionstobringbacksuchvulnerablefunctionality inOPI(bad!), includingremotemaintenance

MainZVTalternative:OPI

§ Poseidon isoneofmanyISO8583dialects

§ System-widesymmetrickeys,Poseidon’sAchillesheel,arenotmandatory inISO8583

§ Itdoesnotappearthatcurrentterminalsgothrough keyexchangesaspartoftheirinitialization, suggesting thatother ISO8583dialectsalsosufferfromPoseidon’s securityissues

§ Internationalsecurityresearchcommunity:Yourhelpisneeded

Poseidon’sfamily:ISO8583

Takeaways

Questions?

FabianBräunlein<[email protected]>PhilippMaier<[email protected]>KarstenNohl<[email protected]>

§ Paymentsystemsallowformagstripe/PINtheftandremoteattacksonmerchants

§ Victimsofcardabuseshouldfighttheirbanks,researchersshouldhelp

§ Paymentprotocolsneedactualauthenticationusingindividualkeys

29

shopshifting warning about potential payment system abuse

Software