Positive Technologies: vulnerabilities in Ingenico POS terminals allowed hackers to intercept the PIN and the data needed to clone a bank card's magnetic stripe

Positive Technologies experts have revealed dangerous vulnerabilities in Ingenico Telium 2 POS terminals. The flaws allowed attackers to obtain full control over a terminal, intercept the PIN and the data needed to clone the magnetic stripe of a bank card, send authorization requests for arbitrary amounts to an acquiring bank, and conduct other attacks. The manufacturer has released software updates for the vulnerable devices. Ingenico is a leading global manufacturer of POS terminals: the company ships over 9 million POS terminals annually, and more than 32 million Ingenico payment card readers are deployed worldwide.

Timur Yunusov, banking security expert at Positive Technologies, said: "Some of these vulnerabilities could be exploited remotely. Although most of the vulnerabilities require physical access to a terminal to be exploited, obtaining such access is not a big deal for an attacker. POS terminals are usually owned by banks but can be easily accessed by third parties, such as employees of trade or service companies. An attacker could modify a terminal by exploiting its vulnerabilities and attack clients of a trade company by sending arbitrary authorization commands to acquiring banks or cloning the magnetic strip of a bank card to be used in a region with less stringent card verification requirements."

To obtain full control over a terminal, an attacker has to exploit the whole chain of vulnerabilities. The vulnerable terminals contain hardcoded credentials (CVE-2018-17767, CVSS v3.1 score 5.1, and CVE-2018-17771, score 4.9), which let an attacker with physical access to a terminal open a special service menu. CVE-2018-17765 (score 3.8) then allows the attacker to activate the TRACE protocol and open a console that permits executing only a limited set of commands. To take the attack further, the attacker can bypass this restriction via CVE-2018-17772 (score 7.6). In addition, CVE-2018-17766 (score 2.4), CVE-2018-17768 (score 5.1), and CVE-2018-17774 (score 4.9) allow the attacker to circumvent restrictions on reading files over the NTPT3 protocol and read the binary files needed to continue the attack. Finally, the buffer overflow vulnerabilities CVE-2018-17769 (score 4.9), CVE-2018-17770 (score 4.9), and CVE-2018-17773 (score 8.3) allow the attacker to obtain maximum privileges on the POS terminal's operating system.

Attackers can also use vulnerable terminals to brute-force payment card details by performing a distributed guessing attack. For example, an attacker can brute-force an unknown field, such as the three-digit CVV2 security code, by simultaneously attempting payments in hundreds of online stores with different CVV2 values until the correct code is found. Spreading the attempts across many merchants keeps the number of failed attempts seen by any single merchant below its fraud threshold, so only a card-level counter at the issuer, which aggregates failures across all merchants, reliably stops the attack.
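The following simulation illustrates the distributed guessing attack described above and why a per-merchant attempt limit alone does not stop it. It is an added example, not code from Positive Technologies or Ingenico: the Issuer class, the merchant identifiers, the true CVV2 value and the velocity limits are all constructed for the simulation, and a real issuer's risk engine is considerably more elaborate.

```python
"""Simulation of a distributed CVV2 guessing attack against a toy issuer.

Added example (not from the original report). The issuer model, merchant
names and limits below are constructed assumptions used only to show the
effect of per-merchant versus card-level (issuer-side) velocity limits.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Every possible three-digit CVV2 value, "000" .. "999".
CVV_SPACE = [f"{n:03d}" for n in range(1000)]


@dataclass
class Issuer:
    """Toy issuer that verifies CVV2 and applies two kinds of velocity limit.

    per_merchant_limit: wrong guesses tolerated from one merchant for this card
                        (models a merchant-side / acquirer-side fraud threshold)
    global_limit:       wrong guesses tolerated for this card across ALL merchants
                        (models an issuer-side, card-level counter); None = absent
    """
    true_cvv: str
    per_merchant_limit: int
    global_limit: Optional[int] = None
    _per_merchant_failures: Dict[str, int] = field(default_factory=dict)
    _global_failures: int = 0
    blocked: bool = False

    def authorize(self, merchant_id: str, cvv_guess: str) -> str:
        """Return 'approved', 'declined', or 'blocked' for one authorization request."""
        if self.blocked:
            return "blocked"  # card-level block: no merchant can get through
        if self._per_merchant_failures.get(merchant_id, 0) >= self.per_merchant_limit:
            return "blocked"  # this merchant has exhausted its attempts for the card
        if cvv_guess == self.true_cvv:
            return "approved"
        self._per_merchant_failures[merchant_id] = (
            self._per_merchant_failures.get(merchant_id, 0) + 1
        )
        self._global_failures += 1
        if self.global_limit is not None and self._global_failures >= self.global_limit:
            self.blocked = True  # aggregate counter trips regardless of merchant
        return "declined"


def distributed_guess(
    issuer: Issuer, merchants: List[str], attempts_per_merchant: int
) -> Tuple[Optional[str], int]:
    """Walk the CVV2 space, spending at most attempts_per_merchant guesses per store.

    Returns (recovered CVV2 or None, number of authorization requests sent).
    The attacker stops as soon as the issuer reports the card as blocked.
    """
    guesses = iter(CVV_SPACE)
    requests = 0
    for merchant in merchants:
        for _ in range(attempts_per_merchant):
            guess = next(guesses, None)
            if guess is None:
                return None, requests  # whole space exhausted without a hit
            requests += 1
            result = issuer.authorize(merchant, guess)
            if result == "approved":
                return guess, requests
            if result == "blocked":
                return None, requests
    return None, requests


# Constructed merchant list: 400 stores, each tolerating 3 wrong guesses,
# gives 1200 attempts of capacity, more than the 1000-value CVV2 space.
MERCHANTS = [f"shop-{i}" for i in range(400)]


def run_scenarios(true_cvv: str = "737") -> Dict[str, Tuple[Optional[str], int]]:
    """Run three scenarios against the same (constructed) card and return the outcomes."""
    single_store = distributed_guess(
        Issuer(true_cvv, per_merchant_limit=3), ["shop-0"], 1000
    )
    many_stores = distributed_guess(
        Issuer(true_cvv, per_merchant_limit=3), MERCHANTS, 3
    )
    many_stores_global = distributed_guess(
        Issuer(true_cvv, per_merchant_limit=3, global_limit=10), MERCHANTS, 3
    )
    return {
        "single_store_per_merchant_limit": single_store,
        "distributed_per_merchant_limit": many_stores,
        "distributed_with_card_level_limit": many_stores_global,
    }


if __name__ == "__main__":
    for name, (found, sent) in run_scenarios().items():
        print(f"{name}: recovered={found!r} after {sent} requests")
```

In the simulation a single store stops the attacker after three wrong guesses, but spreading the same guesses over 400 stores recovers the code without any single store exceeding its limit. Only the issuer-side counter, which sees the failures from all merchants together, ends the attack early; that is the control a bank can apply on its own, independent of the terminal or merchant population.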

The vulnerabilities are fixed in Telium 2 SDK v9.32.03 patch N, which must be installed on the terminals. To obtain and install the update, contact the vendor, your bank, or your service provider; terminal owners normally cannot apply such updates themselves. Since several affected models are near the end of their lifetime, you can also ask the vendor, your bank, or your service provider to replace the equipment, which is the simplest way to eliminate the vulnerabilities.

The research was conducted by Positive Technologies experts Dmitry Sklyarov, Vladimir Kononovich, Alexey Stennikov, Georgy Zaytsev, and Maxim Kozhevnikov. Alexey Stennikov and Georgy Zaytsev currently work as independent experts.