This tiny device can infect point-of-sale systems and unlock hotel rooms

The new device generates an electromagnetic field that tricks card readers

Millions of point-of-sale systems and hotel room locks can be hacked by temporarily placing a small, inexpensive device several inches away from their card readers.

The device, due to be presented Sunday at the DEF CON conference in Las Vegas, is the creation of Weston Hecker, a senior security engineer at Rapid7. It was inspired by MagSpoof, another device created last year by security researcher Samy Kamkar.

MagSpoof can trick most standard card readers to believe a certain card was swiped by generating a strong electromagnetic field that simulates the data stored on the card's magnetic stripe. Kamkar presented it as a way to replace all your cards with a single device, but Hecker took the idea and investigated what else could be done with it.

He started by looking at point-of-sale systems and found that many of them treat the card readers as standard USB human input devices and would therefore also accept keyboard input through them.

Hecker created a device that's similar to MagSpoof and which, when placed near a card reader, will send malicious keyboard commands that will be executed on the point-of-sale system. This means an attacker could use such a device to remotely open a command prompt on the system and then use it to download and install memory scraping malware through the necessary keyboard commands.

magnetic card spoofer hotel point-of-sale Weston Hecker/Rapid7

This magnetic card spoofer device can trick card readers from several inches away.

The vulnerability is not vendor specific, the attack affecting most PoS systems that run Windows and are designed to work with a keyboard, according to Hecker. This design is popular and such payment systems are widespread.

An attacker would need to place the device within four-and-a-half inches of the reader in order to ensure that there is no interference and packet loss. However, because the device is about the size of a deck of cards, it can be easily hidden in the attacker's sleeve or in an empty phone case. Then it's only a matter of creating a situation where the PoS remains unattended for a few seconds, like asking the cashier to summon the manager.

Rapid7 reported the design flaw to US-CERT, which is in the process of identifying and notifying affected vendors. Unfortunately, the flaw will take a long time to fix even if vendors develop a software patch because many PoS devices require manual updating by a technician.

Hecker also found a way to use his device on electronic hotel door locks, which also typically work with magnetic cards. Unlike the PoS attack, where the goal was to infect the system, in the case of hotel door locks, the goal is to brute force the data encoded on the associated key card.

The data on room access cards are not encrypted and consist of a record ID generated by the hotel when a guest checks in, the room number and the check-out date.

The date can be determined or guessed easily because a hotel stay is usually limited to a few days, and the record ID, or folio number, can be brute-forced using Hecker's device because it's typically short and is increased sequentially with each new guest. This means that an attacker can have a pretty good idea about the range of numbers to test by reading data of another card -- for example, his own.

Hecker estimates that brute forcing a typical room lock in a hotel with 50 to 100 rooms would take around 18 minutes. Brute forcing a special key, like those used by maids and staff, would take around a half an hour.

The nice part, for the attacker, is that he can even leave the device working on the door and be notified on his mobile phone when the correct data combination has been found.

This is another design flaw that seems to affect many vendors, Hecker said. The best fix would be for folio numbers to be made larger and to be assigned randomly to new guests. Adding encryption to the process would be better, but would almost certainly require replacing the existing system with new encryption-capable locks, he said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?