Karsten Nohl and Thomas Roth of Security Research Labs recently uncovered vulnerabilities in VeriFone's Artema Hybrid point-of-sale systems.
"The most serious problem with the devices, Nohl found, is that the network stack for the system contains multiple buffer overflow vulnerabilities," writes Threatpost's Dennis Fisher. "Those flaws can be used by attackers to compromise the systems remotely. There also are two local interfaces through which an attacker could gain entry to a vulnerable system: the serial interface and the JTAG debugging interface."
"The hacks, Nohl and Roth say, could potentially allow an attacker to gain full control of the banking terminal, which would allow a change in transactions in value or for potentially spoofing transactions," writes Ars Technica's Cyrus Farivar. "They even demoed how to play Pong directly on the card terminal."
"Nohl declined to speculate whether other devices from VeriFone or different manufacturers are likely to be vulnerable to similar attacks," writes PCWorld's Lucian Constantin. "However, this case shows that serious vulnerabilities in PoS devices can pass unobserved during the current security certification processes used by the banking industry, he said."
In a statement on VeriFone's Web site, company vice president Dave Faoro said, "As no point was the security module or encrypted PIN compromised in this reported attack scenario; neither was the integrity of the EMV transaction violated. As the security module is not affected by the attack scenario, it is not possible using an amended application program to modify the security module’s PIN processing of a successful card payment transaction."