Menu
This tiny device can infect point-of-sale systems and unlock hotel rooms

This tiny device can infect point-of-sale systems and unlock hotel rooms

The new device generates an electromagnetic field that tricks card readers

Millions of point-of-sale systems and hotel room locks can be hacked by temporarily placing a small, inexpensive device several inches away from their card readers.

The device, due to be presented Sunday at the DEF CON conference in Las Vegas, is the creation of Weston Hecker, a senior security engineer at Rapid7. It was inspired by MagSpoof, another device created last year by security researcher Samy Kamkar.

MagSpoof can trick most standard card readers to believe a certain card was swiped by generating a strong electromagnetic field that simulates the data stored on the card's magnetic stripe. Kamkar presented it as a way to replace all your cards with a single device, but Hecker took the idea and investigated what else could be done with it.

He started by looking at point-of-sale systems and found that many of them treat the card readers as standard USB human input devices and would therefore also accept keyboard input through them.

Hecker created a device that's similar to MagSpoof and which, when placed near a card reader, will send malicious keyboard commands that will be executed on the point-of-sale system. This means an attacker could use such a device to remotely open a command prompt on the system and then use it to download and install memory scraping malware through the necessary keyboard commands.

magnetic card spoofer hotel point-of-sale Weston Hecker/Rapid7

This magnetic card spoofer device can trick card readers from several inches away.

The vulnerability is not vendor specific, the attack affecting most PoS systems that run Windows and are designed to work with a keyboard, according to Hecker. This design is popular and such payment systems are widespread.

An attacker would need to place the device within four-and-a-half inches of the reader in order to ensure that there is no interference and packet loss. However, because the device is about the size of a deck of cards, it can be easily hidden in the attacker's sleeve or in an empty phone case. Then it's only a matter of creating a situation where the PoS remains unattended for a few seconds, like asking the cashier to summon the manager.

Rapid7 reported the design flaw to US-CERT, which is in the process of identifying and notifying affected vendors. Unfortunately, the flaw will take a long time to fix even if vendors develop a software patch because many PoS devices require manual updating by a technician.

Hecker also found a way to use his device on electronic hotel door locks, which also typically work with magnetic cards. Unlike the PoS attack, where the goal was to infect the system, in the case of hotel door locks, the goal is to brute force the data encoded on the associated key card.

The data on room access cards are not encrypted and consist of a record ID generated by the hotel when a guest checks in, the room number and the check-out date.

The date can be determined or guessed easily because a hotel stay is usually limited to a few days, and the record ID, or folio number, can be brute-forced using Hecker's device because it's typically short and is increased sequentially with each new guest. This means that an attacker can have a pretty good idea about the range of numbers to test by reading data of another card -- for example, his own.

Hecker estimates that brute forcing a typical room lock in a hotel with 50 to 100 rooms would take around 18 minutes. Brute forcing a special key, like those used by maids and staff, would take around a half an hour.

The nice part, for the attacker, is that he can even leave the device working on the door and be notified on his mobile phone when the correct data combination has been found.

This is another design flaw that seems to affect many vendors, Hecker said. The best fix would be for folio numbers to be made larger and to be assigned randomly to new guests. Adding encryption to the process would be better, but would almost certainly require replacing the existing system with new encryption-capable locks, he said.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments