Artema Hybrid point-of-sale devices can be hacked remotely, researchers say

Vulnerabilities in Artema Hybrid PoS terminals allow hackers to steal payment card data over the network, German researchers say

Artema Hybrid, a point-of-sale (PoS) terminal manufactured by U.S.-based VeriFone Systems, is vulnerable to attacks that could allow cybercriminals to steal payment card data and PIN numbers or alter transactions, according to security researchers from German security research firm Security Research Labs (SRLabs).

According to VeriFone, the Artema Hybrid devices are primarily distributed on the German market and have been designed to meet the security requirements of the Deutsche Kreditwirtschaft (DK), the organization that represents the interests of the German banking industry.

The software running on the device, commonly referred to as the firmware, contains buffer overflow vulnerabilities in the network stack, the set of libraries that handle network communications, Karsten Nohl, the founder and chief scientist of SRLabs, said on Thursday.

An attacker could exploit these vulnerabilities to execute arbitrary code on the device. The SRLabs researchers even altered their test unit to run PONG, an old arcade game, Nohl said.

However, attackers could use this kind of unauthorized access to record the magnetic stripe data of payment cards inserted into the device, as well as the corresponding PIN number entered by the customer.

Under normal device operation, the PIN numbers should be encrypted with an encryption key stored in a protected hardware security module inside the device. However, there are different modes of operation, some that encrypt the PIN number and some that don't, Nohl said. An attacker could alter the device to trick users into exposing their PIN numbers when encryption is not used.

In addition to capturing payment card data and PIN numbers, attackers can also alter transactions, can report transactions that never happened to the payment processing server and, more interestingly, can generate transactions for future points in time, Nohl said. All of this is possible for the EMV cards that are widely deployed in Europe, he said.
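The article does not describe the specific flaw in the Artema Hybrid network stack, but the class it names, a buffer overflow in packet handling, almost always comes down to a length field read off the wire being trusted when data is copied into a fixed-size buffer. The following C example is added here for illustration and is not code from the device, from SRLabs or from VeriFone; the three-byte header format (type byte, big-endian length), the `PAYLOAD_MAX` size and the function names are all assumptions made for the example. It shows the unchecked pattern next to a parser that validates the declared length against both the destination buffer and the bytes actually received, which is the check a firmware reviewer would look for.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed wire format for this example (assumed, not the Artema protocol):
 *   byte 0      : message type
 *   bytes 1..2  : payload length, big-endian
 *   bytes 3..   : payload
 */
#define PAYLOAD_MAX 64

struct message {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[PAYLOAD_MAX];
};

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Unsafe pattern: the length field is controlled by whoever sent the packet,
 * yet it drives a memcpy into a 64-byte buffer with no check. A length above
 * PAYLOAD_MAX writes past the struct; a length above pkt_len reads past the
 * received data. Kept here only for contrast; the tests call it with a
 * well-formed packet only. */
int parse_message_unchecked(const uint8_t *pkt, size_t pkt_len, struct message *out)
{
    if (pkt_len < 3) return -1;
    out->type = pkt[0];
    out->len  = read_be16(pkt + 1);
    memcpy(out->payload, pkt + 3, out->len);   /* no bound on out->len */
    return 0;
}

/* Hardened parser. Return codes:
 *    0 : parsed
 *   -1 : header incomplete or null argument
 *   -2 : declared length exceeds the payload buffer (would overflow)
 *   -3 : declared length exceeds the bytes received (truncated/over-read) */
int parse_message(const uint8_t *pkt, size_t pkt_len, struct message *out)
{
    if (pkt == NULL || out == NULL) return -1;
    if (pkt_len < 3) return -1;

    uint16_t len = read_be16(pkt + 1);
    if (len > PAYLOAD_MAX) return -2;
    /* pkt_len >= 3 here, so the subtraction cannot wrap. */
    if (len > pkt_len - 3) return -3;

    out->type = pkt[0];
    out->len  = len;
    memcpy(out->payload, pkt + 3, len);
    return 0;
}

int main(void)
{
    /* Constructed sample packets. */
    const uint8_t good[]  = { 0x01, 0x00, 0x04, 'A', 'B', 'C', 'D' }; /* len 4 */
    const uint8_t big[]   = { 0x01, 0x10, 0x00, 0xAA };               /* len 4096 */
    const uint8_t trunc[] = { 0x01, 0x00, 0x10, 0xAA, 0xBB };         /* len 16, 2 bytes present */
    struct message m;

    printf("good : %d\n", parse_message(good,  sizeof good,  &m));
    printf("big  : %d\n", parse_message(big,   sizeof big,   &m));
    printf("trunc: %d\n", parse_message(trunc, sizeof trunc, &m));
    return 0;
}
```

The two rejected cases are the ones that matter in a network stack: a declared length larger than the buffer is the write overflow that leads to code execution, and a declared length larger than the received frame is an over-read that leaks adjacent memory. Checking `len` against `pkt_len - 3` only after confirming `pkt_len >= 3` avoids the unsigned wrap that would otherwise make the second check useless.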

EMV cards are also known as chip-and-PIN cards because they have a chip built into them for additional security. An EMV-enabled ATM or PoS will verify the authenticity of both the PIN number and the data stored on the card's chip before authorizing a transaction.

Hackers can either attack a vulnerable Artema Hybrid PoS device from the network, for example after hacking into a computer located on the same network, or locally, through its serial or debugging (JTAG) interfaces.

In theory, the probability of network-based attacks can be limited by deploying the PoS terminals on a network segment that's separated from the main network through firewalls. However, this is rarely done in practice, because devices like Artema Hybrid are marketed as being secure even if the network is compromised, Nohl said.

Nohl noted that VeriFone was notified about the vulnerabilities months ago. However, he declined to discuss the private communication between the two companies, citing responsible disclosure practices.

"VeriFone has been informed that a commercial, independent security firm has conducted laboratory tests to attempt to breach the application integrity of the Artema Hybrid payment devices deployed in Germany," Dave Faoro, VeriFone's vice-president and chief payment security officer, said in a statement sent via email. "Since the first indication, we have been working closely together with an approved DK Laboratory to investigate this but have not been able to replicate the attack scenario."

"The Artema Hybrid devices were designed and tested to meet the DK security requirements," Faoro said. "At no point was the security module or encrypted PIN compromised in this reported attack scenario."

VeriFone has also retained independent penetration testing firms to assess the implications of the breach scenarios proposed by SRLabs. However, the German researchers have been unwilling to share details that would allow independent verification of the purported issues, Faoro said.

The German banking industry takes this new form of attack seriously, even if it's only theoretical, the Deutsche Kreditwirtschaft said in a statement posted on its website on Thursday. Even if attackers manage to obtain credit card data and the PIN number, it can't be misused because they also need the chip data from the original card, the organization said.

However, the EMV technology was designed to be backward-compatible with ATMs located in countries where the technology hasn't been implemented yet. There have already been cases where cybercriminals created counterfeit cards using magnetic stripe data copied from EMV cards and used them to withdraw funds in countries like the U.S., where the chip information is not checked by ATMs.

The Deutsche Kreditwirtschaft acknowledged this possibility and noted that credit card owners are not liable for damages that result from an EMV card being cloned and misused outside of the Girocard system, the interbank network that connects all ATMs in Germany.

Nohl declined to speculate whether other devices from VeriFone or different manufacturers are likely to be vulnerable to similar attacks. However, this case shows that serious vulnerabilities in PoS devices can pass unobserved during the current security certification processes used by the banking industry, he said.

The SRLabs researchers will demonstrate their attacks during a show that will air Thursday evening on German television, Nohl said. The Artema Hybrid PoS terminal that will be hacked during the show hasn't been touched by the researchers in advance and will be part of a configuration set up by independent professors that will mimic a supermarket's payment infrastructure, he said.

After the credit card data and PIN number are captured, the researchers will create a counterfeit card, take it to an ATM and withdraw money with it, Nohl said. "At that point, I don't think anyone can claim that this is just a theoretical attack anymore."


Lucian Constantin

IDG News Service