In a talk titled “Pinpadpwn” at the Black Hat conference last week, security researcher Rafael Dominguez Vega and the legendary hacker known only as Nils explained that the attack surface of payment terminals has grown as their usage has increased. Nils is perhaps best known as the man who walked into the Pwn2Own hacking challenge in 2009 and deftly hacked all three major Web browsers.
In laying the groundwork for their exploits, Vega noted that payment terminals are essentially small computers and, like any other machine that takes in data from the outside, they have vulnerabilities.
The two researchers were able to acquire multiple payment machines from eBay. Vega commented that it’s now easy and cheap to buy payment terminals online as the current economic slowdown has forced a lot of businesses to close and sell their assets.
Among the exploits Nils demonstrated in front of the lively Black Hat audience was one in which he inserted a malicious payment card into a terminal and got the device to do what he wanted. In the first demonstration, Nils got the terminal to load his own custom code, much to the audience’s delight, and began to play a simple arcade game on it. Then, to prove he had full control of the device, Nils printed the game score on the terminal’s own receipt printer.