shopshifting warning about potential payment system abuse
TRANSCRIPT
SRLabsTemplatev12
ShopshiftingWarningaboutpotentialpaymentsystemabuse
FabianBräunlein<[email protected]>PhilippMaier<[email protected]>
KarstenNohl<[email protected]>
Card-basedpaymentreliesontwoprotocols
Cashierstation
Paymentprocessor
LAN Internet
ZVTorOPIprotocol ISO8583/Poseidonprotocol
Authorizationrequest
ConfirmationConfirmation
Sendencryptedpaymentdetails
§ ReadmagstripeorstartEMVtransaction
§ AskforPIN
Paymentterminal
2
Thistalkinvestigatesthesecurityoftheprotocolsusedtomakecashlesspaymenthappen
Agenda
§ Localpaymentabuse
§ Poseidonshopshifting
§ Evolutionneed
3
ZVTallowsunauthenticatedaccesstomagstripedata
ZVTprotocol§ Configuresandcontrolspaymentterminals
§ Designed forserial,nowTCP-based,unencrypted
§ OriginallydesignedbyG+Din1990s
§ Nowactivelyusedby~80%ofpaymentterminalsinGermany
Cashierstation Attacker Payment
terminal
ARPspoofing tobecomeMITM
Authorization_ReqReadcard
Magstripeandchipdetails
Authorization_Reqincludingmagstripe
Confirmation
4
AccesstoPINrequirescryptographicMAC
HowPINentryusuallyworks
ZVT:AuthorizewithPIN
Paymentterminal
Poseidon:Encryptedtransactionw/PIN
Requestnumber
PIN
MainCPU Display&PINpadHSM
DoPINtransaction
EncryptedPIN
UnencryptedPIN
ZVT:Textdisplaywithnumericalinput,MAC
PINPoseidon:TransactionwithnoPIN(“Lastschrift”)
AuthorizewithoutPIN
Attackershould notbeabletocreatevalidMACsinceMACkeyisprotectedwithinHSM
Isit?
Displaytext,MAC
5
RequestPIN
PIN
AttackerswouldneedMACtostealPINfromZVT
MainCPUsendsMAC
HSMleaksMACthroughtimingsidechannel
HSMCPUcomparesMAC
Response ResponsetimeFail
Fail
Fail
Fail
Fail
Fail
Ok
26.000
26.000
26.000
26.005
26.005
26.010
26.040
MAC00…
01…
02…
03…
0301…
0302…
0302AF…05
MainCPUiseasilyhackable:ActiveJTAG,RCE,…
HSMprotectssecretsandshouldbemuchbettersecured
…
§ MACcomparisonisdonebyte-by-byte
§ ResponsetimeleakscompleteMACwithinminutes
§ MACisnotterminal-specific:Worksacrossmanydifferentterminals
6
MagstripeandPINtheftviaZVToverLAN
Demo1
7
ZVTalsoallowslocalterminalhijacking
Paymentterminal Attacker Payment
processor
Attackpreparation
ARPspoofingtobecomeMITM
ZVT:SetterminalID
ZVT:Extendeddiagnose
Poseidon:Extendeddiagnose
Limits,merchantbanner,…Swapbanner
StayMITM,changeport
Ifterminalwasalreadyconfiguredtotherightport:
TransactionsaredoneundernewterminalID,moneygoestoattackerTransactionhijacking
Requiresstaticpassword,whichisthesameforallterminalsofaprocessor
Otherwise:
8
RedirectmerchanttransactionstoattackeraccountviaZVT
Demo2
Smallcomplication:Attackersneedtheirownmerchantaccounts
9
Agenda
§ Localpaymentabuse
§ Poseidonshopshifting
§ Evolutionneed
10
Poseidon’sauthenticationmodelissimplywrong
Poseidonprotocol§ DialectofglobalpaymentstandardISO8583
§ De-factostandardinGermany
§ Strongmonoculture:Onlyonebackendimplementation,usedbyallprocessors
§ ApparentlyalsousedinFrance,Lux,andIceland
Paymentterminal
Paymentprocessor
11
TerminalID
Terminalconfiguration,encryptedwithterminalkey
Poseidoninitialization:
Poseidonauthenticationusespre-sharedkeys,similartoVPNs.However, thekeyisthesameformanyterminals!Thiscannotbesecure.
FewparametersareneededforPoseidoninitialization
Orbrute-forceoverZVT,orreadthroughJTAG,…
TASK Technology GmbH
RETAIL AUTOMATION SYSTEMS
Kurt Kastner
Seite 1 / 2
TASK Technology GmbH, Nobelstraße 9 - 13, 76275 Ettlingen, Germany
Inbetriebnahme Artema hybrid TeleCash TA 7.0
Version 0,8 (vorläufig) – 3. Dezember 2009
Vertraulich – nur für internen Gebrauch
Versionen
Für den Betrieb an der Tankstelle ist zumindest die Version 55.03 der Terminalsoftware nötig.
TaskSTAR POS benötigt mindestens V3.05.00 SP2 Hotfix TA 7.0.
Kennwörter
Kassierer: 000000
Servicetechniker: 210888
IP-Adressierung
Sofern durch den DSL-Anschluss oder das vorhandene Hausnetz nichts anderes erzwungen wird, werden feste IP-Adressen mit Subnetzmaske 255.255.255.000 verwendet. Die Terminals bekommen dann folgende Adressen:
Terminal 1: 192.168.001.101,
Terminal 2: 192.168.001.102,
Terminal 3: 192.168.001.103,
usw.
DHCP: in der Regel NEIN.
Die IP-Adressen für DSL-Zugang TeleCash-Zahlungshost lauten 217.073.032.104 und 217.073.032.105. Die Portnummer ergibt sich bei Hypercom-Geräten aus folgender Formel:
51500 + PU-Nummer.
Beispielsweise lautet die Port-Nummer der PU 16 : 51516. Bitte beide Hosts eintragen, damit beim Ausfall eines der Hosts der andere erreicht werden kann.
Einen DSL-Zugang zum Testhost (PU 99) gibt es Stand 3.11.2009 nicht.
Das Terminal fragt bei der Inbetriebnahme, ob ein IP-Längenbyte verwendet werden soll. Im Normalfall ist das nicht sinnvoll. Sollte die Initialisierung nicht klappen, bitte auch mal mit Längenbyte versuchen.
Die IP-Adressen des TeleCash-Wartungshosts sind Stand 19.11.2009 nicht bekannt. Im Gerät verbleiben die werksseitig eingestellten Werte. TeleCash wird diese im Laufe 2010 per TKM-Update automatisiert überschreiben.
1.Google
12
FewparametersareneededforPoseidoninitialization
2.Goshopping
OrsimplyguessTIDs:Theyareassignedincrementally.
13
FewparametersareneededforPoseidoninitialization
3.BruteforceTCPport
14
ShopshiftingovertheInternet:Issuingarefundtransaction
Demo3
15
Shopshiftingattackputsmerchantsatsignificantfraudrisk
Worstcasescenario
1. AttackerguessesterminalIDs.(Theyareassignedincrementally)
2. Shopshifts terminals,anonymously overtheinternet
3. Receivesinbound banktransactions(ortop-upvouchers)fromuptohundreds ofthousandsofmerchants
4. (PerhapsextendsattacktootherISO8583dialectstoscaleglobally)
Shop-shifting
Merchantterminal
Poseidonbackendatpaymentprocessor
MerchantBank
Registers
Alsoregisterswithspoofed terminalID
CreatesSIMcardtop-upvouchersIssuesrefunds toarbitrarybankaccountsAttacker
terminal
16
Customersandmerchantsarevulnerabletovariouspaymentabusescenarios
AttackvictimCustomer Merchant
FromLAN
§ MagstripeandPINtheftthrough ZVT
§ MerchanttransactionredirectthroughZVTMITM
§ (VariantofZVTabusewithoutMITMagainsthundreds ofInternet-exposedterminals)
§ Shopshifting overPoseidon
Overtheinternet
Commonvulnerabilitycause:Missingauthenticationorauthenticationwithsymmetricsystem-widekeys(inHSM)
17
Agenda
§ Localpaymentabuse
§ Poseidonshopshifting
§ Evolutionneed
18
19
HSMHackingChallenge–Secretsarestoredinabattery-backedRAMunderaplasticcover.
Whenametalmeshinthisplasticcoverisbreached,thesecretsareerased.
Toolofchoice–TheHackingNeedle
Needlefitsunderneathmesh,overwritesmeshcheck
20
Withsecuritycheckdeactivated,RAMinsideHSMcanberead
21
Flash content is read with Arduino
22
ActiveJTAGinHSMallowsfordebugging
23
HSMcompromiseaffectskeysforZVT,Poseidon,EMVandothers
24
ZVTMACcomputationinsideHSM:
Agenda
§ Localpaymentabuse
§ Poseidonshopshifting
§ Evolutionneed
25
ZVTandPoseidonarenotsecurebydesign
26
Vulnerabilityrootcauses
ZVT Poseidon
Usedwithsymmetriccrypto
System-widesignaturekeys
System-wideauth keys
Also,butnotmakingmattersworse:
StoredininsecureHSMs
StoredininsecureHSMs
Bothprotocolsmix“securitythroughobscurity”(system-widekeys)with“securitycertification”(HSMs).Neitherimplements“securitybydesign”
Heuristicdefensesareneededintheshortterm
27
Deactivateunnecessaryfunctions
ZVT
§ Remotemanageabilitywithstaticpassword– Shouldrequireaconfirmationonterminalinstead
§ MagstripetransactionfromEMV- capablecard(mustbecheckedonlinesincecarddatacannotbetrusted)
Poseidon
§ Refund(activatedbydefault!)§ SIMcardtop-up(deactivatedbydefault)
§ TerminalIDsconnecting towrongport(alreadyimplemented insomeplaces)
§ SerialnumberchangesforaterminalID(noteffectivewhenHSMishacked)
§ Refundsthatdonotcorrespond totransactionincashregister(double-entry accounting)
Detectsuspiciousbehavior
Paymentsystemneedbetterprotocolsandmoresecurehardware!Whilethesearebeingdeveloped,afewstop-gapmeasuresareavailable:
Otherpaymentstandardsappearequallyvulnerable
28
§ OpenPaymentInitiativeprotocol ismoremodern thanZVT:XML-based,2003
§ Stilllacksauthenticationandencryption
§ Missessomeofthefunctionality thatcanbeabused inZVT(good!)
§ Vendorsuseproprietaryextensionstobringbacksuchvulnerablefunctionality inOPI(bad!), includingremotemaintenance
MainZVTalternative:OPI
§ Poseidon isoneofmanyISO8583dialects
§ System-widesymmetrickeys,Poseidon’sAchillesheel,arenotmandatory inISO8583
§ Itdoesnotappearthatcurrentterminalsgothrough keyexchangesaspartoftheirinitialization, suggesting thatother ISO8583dialectsalsosufferfromPoseidon’s securityissues
§ Internationalsecurityresearchcommunity:Yourhelpisneeded
Poseidon’sfamily:ISO8583
Takeaways
Questions?
FabianBräunlein<[email protected]>PhilippMaier<[email protected]>KarstenNohl<[email protected]>
§ Paymentsystemsallowformagstripe/PINtheftandremoteattacksonmerchants
§ Victimsofcardabuseshouldfighttheirbanks,researchersshouldhelp
§ Paymentprotocolsneedactualauthenticationusingindividualkeys
29