Security researcher sounds alarm over ATM NFC reader vulnerabilities

IOActive security researcher Josep Rodriquez has warned that the NFC readers used in many modern ATMs and point-of-sale systems are leaving them vulnerable to attacks, Wired reports. The flaws make them vulnerable to a range of problems, including being crashed by a nearby NFC device, locked down as part of a ransomware attack, or even hacked to extract certain credit card data.

Rodriquez even warns that the vulnerabilities could be used as part of a so-called “jackpotting” attack to trick a machine into spitting out cash. However, such an attack is only possible when paired with exploits of additional bugs, and Wired says it was not able to view a video of such an attack because of IOActive’s confidentiality agreement with the affected ATM vendor.

By relying on vulnerabilities in the machines’ NFC readers, Rodriquez’s hacks are relatively easy to execute. While some previous attacks have relied on using devices like medical endoscopes to probe machines, Rodriquez’ can simply wave an Android phone running his software in front of a machine’s NFC reader to exploit any vulnerabilities it might have.

In one video shared with Wired, Rodriquez causes an ATM in Madrid to display an error message, simply by waving his smartphone over its NFC reader. The machine then became unresponsive to real credit cards held up to the reader.

The research highlights a couple of big problems with the systems. The first is that many of the NFC readers are vulnerable to relatively simple attacks, Wired reports. For example, in some cases the readers aren’t verifying how much data they’re receiving, which means Rodriquez was able to overwhelm the system with too much data and corrupt its memory as part of a “buffer overflow” attack.

The second problem is that even once an issue is identified, companies can be slow to apply a patch to the hundreds of thousands of machines in use around the world. Often a machine needs to be physically visited to apply an update, and many don’t receive regular security patches. One company said the problem Rodriquez has highlighted was patched in 2018, for example, but the researcher says he was able to verify that the attack worked in a restaurant in 2020.

Rodriguez plans to present his findings as part of a webinar in the coming weeks to highlight what he says are the poor security measures of embedded devices.

Repost: Original Source and Author Link


Microsoft president sounds alarm on ‘ongoing’ SolarWinds hack, identifies 40 more precise targets

Microsoft president Brad Smith warned that the wide-ranging hack of the SolarWinds’ Orion IT software is “ongoing,” and that investigations reveal “an attack that is remarkable for its scope, sophistication and impact.” The breach targeted several US government agencies and is believed to have been carried out by Russian nation-state hackers.

Smith characterized the hack as “a moment of reckoning” and laid out in no uncertain terms just how large and how dangerous Microsoft believes the hack to be. It “represents an act of recklessness that created a serious technological vulnerability for the United States and the world,” Smith argues.

He believes that it “is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.” Though the post stops short of explicitly accusing Russia, the implication is very clear. “The weeks ahead will provide mounting and we believe indisputable evidence about the source of these recent attacks,” according to Smith.

To illustrate just how far-reaching the hack was, Smith included a map that used telemetry taken from Microsoft’s Defender Anti-Virus software to show people who had installed versions of the Orion software that contained malware from the hackers.

A map showing customers affected by the malware in SolarWinds’ Orion.
Image: Microsoft

Microsoft has also been working this week to notify “more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures,” according to Smith. Approximately 80 percent of those customers are located in the US, but Microsoft also identified victims in Canada, Mexico, Belgium, Spain, the UK, Israel, and the UAE. “It’s certain that the number and location of victims will keep growing,” Smith said.

Investigations into the hack are ongoing. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) issued a joint statement on Wednesday to say that they were coordinating a “whole-of-government response to this significant cyber incident.” And Smith warned that “we should all be prepared for stories about additional victims in the public sector and other enterprises and organizations.”

Earlier on Thursday, Reuters reported that Microsoft had been hacked as part of the breach and that “it also had its own products leveraged to further the attacks on others.” But Microsoft denied that claim in a statement to The Verge:

Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.

Microsoft has been responding to the hack since December 13th, including blocking versions of SolarWinds Orion that contained the malware. Microsoft and a coalition of tech companies also seized control a domain that played a key role in the SolarWinds breach, ZDNet reported.

SolarWinds has also taken the step of hiding a list of high-profile clients from its website, perhaps to protect them from negative publicity. The list included more than 425 of the companies on the Fortune 500.

As for Microsoft, Smith used his post to call for a more organized, communal response against cyberattacks, both at a government level and amongst private institutions. “We need a more effective national and global strategy to protect against cyberattacks,” he writes. Microsoft is also looking for “stronger steps to hold nation-states accountable for cyberattacks.”

Repost: Original Source and Author Link