Menu
This tiny device can infect point-of-sale systems and unlock hotel rooms

This tiny device can infect point-of-sale systems and unlock hotel rooms

The new device generates an electromagnetic field that tricks card readers

Millions of point-of-sale systems and hotel room locks can be hacked by temporarily placing a small, inexpensive device several inches away from their card readers.

The device, due to be presented Sunday at the DEF CON conference in Las Vegas, is the creation of Weston Hecker, a senior security engineer at Rapid7. It was inspired by MagSpoof, another device created last year by security researcher Samy Kamkar.

MagSpoof can trick most standard card readers to believe a certain card was swiped by generating a strong electromagnetic field that simulates the data stored on the card's magnetic stripe. Kamkar presented it as a way to replace all your cards with a single device, but Hecker took the idea and investigated what else could be done with it.

He started by looking at point-of-sale systems and found that many of them treat the card readers as standard USB human input devices and would therefore also accept keyboard input through them.

Hecker created a device that's similar to MagSpoof and which, when placed near a card reader, will send malicious keyboard commands that will be executed on the point-of-sale system. This means an attacker could use such a device to remotely open a command prompt on the system and then use it to download and install memory scraping malware through the necessary keyboard commands.

magnetic card spoofer hotel point-of-sale Weston Hecker/Rapid7

This magnetic card spoofer device can trick card readers from several inches away.

The vulnerability is not vendor specific, the attack affecting most PoS systems that run Windows and are designed to work with a keyboard, according to Hecker. This design is popular and such payment systems are widespread.

An attacker would need to place the device within four-and-a-half inches of the reader in order to ensure that there is no interference and packet loss. However, because the device is about the size of a deck of cards, it can be easily hidden in the attacker's sleeve or in an empty phone case. Then it's only a matter of creating a situation where the PoS remains unattended for a few seconds, like asking the cashier to summon the manager.

Rapid7 reported the design flaw to US-CERT, which is in the process of identifying and notifying affected vendors. Unfortunately, the flaw will take a long time to fix even if vendors develop a software patch because many PoS devices require manual updating by a technician.

Hecker also found a way to use his device on electronic hotel door locks, which also typically work with magnetic cards. Unlike the PoS attack, where the goal was to infect the system, in the case of hotel door locks, the goal is to brute force the data encoded on the associated key card.

The data on room access cards are not encrypted and consist of a record ID generated by the hotel when a guest checks in, the room number and the check-out date.

The date can be determined or guessed easily because a hotel stay is usually limited to a few days, and the record ID, or folio number, can be brute-forced using Hecker's device because it's typically short and is increased sequentially with each new guest. This means that an attacker can have a pretty good idea about the range of numbers to test by reading data of another card -- for example, his own.

Hecker estimates that brute forcing a typical room lock in a hotel with 50 to 100 rooms would take around 18 minutes. Brute forcing a special key, like those used by maids and staff, would take around a half an hour.

The nice part, for the attacker, is that he can even leave the device working on the door and be notified on his mobile phone when the correct data combination has been found.

This is another design flaw that seems to affect many vendors, Hecker said. The best fix would be for folio numbers to be made larger and to be assigned randomly to new guests. Adding encryption to the process would be better, but would almost certainly require replacing the existing system with new encryption-capable locks, he said.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments