Black Hat 2014: Chip and PIN is not Hacker Proof

Today we saw a mobile point of sale device (MPOS) compromised by a malicious credit card. Yes, I did get that the right way round. In a wonderful through-the-looking-glass exploit, Jon Butler and Nils (who like many hackers has no last name) demonstrated how the chip on a chip and PIN credit card could be used to take over a handheld mobile card reader and turn it into a video game machine. Chip and PIN credit cards (also known as EMV smart cards) are widely used everywhere except the United States. A chip embedded in the card uniquely identifies it and can also hold multiple applications. The chip is combined with the cardholder having to enter a Personal Identification Number (PIN) for added validation. The card can be read either by a fixed point of sale device or by a mobile one. The mobile ones are typically small handheld units that communicate over Bluetooth with a dedicated mobile phone or tablet, which in turn communicates over the Internet with the credit card processing company.
MPOS Device
Jon and Nils found that 75% of the devices on the market, from different vendors, shared the same internal hardware and software, so they set out to compromise this common platform. The devices have a micro USB port for recharging the battery. However, it can also be used for software updates, and a determined hacker can use it to get a root shell. It would be a little difficult to manage this exploit in a store, as you have to plug in, unplug, and plug in the USB connector again to complete it, so they kept looking. If you have already compromised the mobile device that is paired over Bluetooth with the MPOS, they found a way to get root shell access through that channel as well. That would also be difficult to manage in the real world, so they started exploring the EMV protocol that lets the card communicate with the card reader.
They found that by sending malformed messages from the card, they were able to upload a program to the card reader and execute it there. Shell access alone would not have been much use, as there aren't many Unix commands you can enter with just a numeric keypad. Instead they implemented a simple video game on the tiny screen. Of course, that level of access would allow a criminal to program the MPOS to collect PINs from unsuspecting users, or to program the device to accept cancelled or forged credit cards so that an accomplice could make expensive purchases.
Following ethical hacking guidelines, Jon and Nils disclosed these vulnerabilities to the manufacturer of the underlying hardware and software, which has since patched them. However, these patches may not have been applied to all the MPOS devices in the field, so they withheld some details of the exploit. One of the other presentations made the point that adding to a system to improve security also opens up new attack surfaces. While Chip and PIN is substantially more secure than the magnetic stripe cards used in the United States, it also exposes new vulnerabilities.
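The card-to-reader channel is the interesting part of this attack: every response a terminal reads from an EMV chip is BER-TLV encoded (tag, length, value, per ISO/IEC 7816-4), and the length fields come from the card, which in this scenario is the attacker. The talk did not disclose which messages were malformed, so the following is not the researchers' exploit or the vendor's firmware; it is an added example of the defensive check a reader should apply to card data, written for this post. The sample responses are constructed, and the idea that a trusted length field is the relevant bug class is an assumption about the general category, not a claim about this device.

```python
"""
Added example, not code from the Black Hat talk or the original post.

A defensive BER-TLV parser of the kind an EMV card reader must run over
every card response. The length of each data object is supplied by the
card (attacker-controlled here), so it is validated against the remaining
buffer before any slice is taken. The specific checks are an assumption
about the general bug class, not the vulnerability that was disclosed.
"""


def parse_tag(data, pos):
    """Return (tag_bytes, new_pos). A first byte with the low 5 bits all
    set starts a multi-byte tag that continues while bit 8 is set."""
    if pos >= len(data):
        raise ValueError("truncated tag")
    start = pos
    first = data[pos]
    pos += 1
    if first & 0x1F == 0x1F:
        while True:
            if pos >= len(data):
                raise ValueError("truncated multi-byte tag")
            b = data[pos]
            pos += 1
            if not b & 0x80:
                break
    return data[start:pos], pos


def parse_length(data, pos):
    """Return (length, new_pos). Short form is < 0x80; long form is
    0x81..0x84 followed by that many length bytes. Indefinite length
    (0x80) and more than 4 length bytes are rejected outright."""
    if pos >= len(data):
        raise ValueError("truncated length")
    b = data[pos]
    pos += 1
    if b < 0x80:
        return b, pos
    n = b & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported length encoding 0x%02x" % b)
    if pos + n > len(data):
        raise ValueError("truncated long-form length")
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def parse_tlv(data, max_depth=8):
    """Parse BER-TLV bytes into a list of (tag_hex, value) tuples, recursing
    into constructed tags (bit 6 of the first tag byte set). Every declared
    length is checked against the bytes actually present before slicing, and
    nesting depth is bounded so a card cannot drive unbounded recursion."""
    if max_depth < 0:
        raise ValueError("nesting too deep")
    out = []
    pos = 0
    while pos < len(data):
        if data[pos] in (0x00, 0xFF):  # padding bytes permitted between objects
            pos += 1
            continue
        tag, pos = parse_tag(data, pos)
        length, pos = parse_length(data, pos)
        if length > len(data) - pos:
            raise ValueError("tag %s declares %d bytes but only %d remain"
                             % (tag.hex().upper(), length, len(data) - pos))
        value = data[pos:pos + length]
        pos += length
        if tag[0] & 0x20:
            out.append((tag.hex().upper(), parse_tlv(value, max_depth - 1)))
        else:
            out.append((tag.hex().upper(), value))
    return out


def is_well_formed(data):
    """True if the card response parses cleanly, False if it is rejected."""
    try:
        parse_tlv(data)
        return True
    except ValueError:
        return False


# Constructed sample: a plausible SELECT response, an FCI template (6F) holding
# a DF name (84, "1PAY.SYS.DDF01") and a proprietary template (A5) with a
# one-byte application label (50).
BODY = "840E" + "1PAY.SYS.DDF01".encode().hex() + "A503" + "500141"
GOOD = bytes.fromhex("6F15" + BODY)          # outer length 0x15 = 21, correct
OVERLONG = bytes.fromhex("6F7F" + BODY)      # claims 127 bytes, only 21 present
INDEFINITE = bytes.fromhex("6F80" + BODY)    # indefinite length, not allowed
TRUNCATED = bytes.fromhex("6F82")            # long form with length bytes cut off

if __name__ == "__main__":
    print(parse_tlv(GOOD))
    for name, sample in (("overlong", OVERLONG), ("indefinite", INDEFINITE),
                         ("truncated", TRUNCATED)):
        print(name, "accepted" if is_well_formed(sample) else "rejected")
```

The point of the bounds check is that a reader which trusts the declared length copies past the end of its receive buffer; whatever the researchers' actual trigger was, rejecting any object whose length exceeds the bytes received is the minimum a terminal should do before touching card-supplied data.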
This was the last day of Black Hat, but it is also the first day of Defcon, so let me close with a thought from Defcon's founder, The Dark Tangent: "For me the way forward is clear. Radical simplicity around what you must trust. Accept less feature for more reliability. Demand less to get more." This philosophy is embodied in the Defcon FAQ:
Q: How much is admission DEF CON, and do you take credit cards? A: DEF CON 22 costs $220 USD cash. Do we take credit cards? Are you JOKING? No, we only accept cash...