New attacks against point-of-sale systems to be demoed at Black Hat
Rapid7's Weston Hecker to demonstrate keystroke-injection attacks on retail systems
Point-of-sale systems, which have been subject to multiple attacks in recent years, remain vulnerable to various techniques that can also be deployed against hotel-room electronic keys.
The attacks build on the work of MagSpoof researcher Samy Kamkar, who created his own 'wireless' credit card and magstripe spoofing tool that could disable chip-and-pin.
Kamkar showed off his work last year, but the latest exploits against point-of-sale systems and hotel key systems will be demonstrated by Rapid7 senior security consultant Weston Hecker at the Black Hat security conference on Sunday.
Using a modified multi-slotted token (MST) injection method, Hecker claims he can compromise PoS systems and hotel keys in several different attacks, including brute-forcing other guests' keys. Hecker claims that information from expired keys and re-issued keys - most hotel door systems use magnetic stripe keys rather than smart cards - provides all the data required to put together the attacks.
"Break the complex encryption of hotel keys? Oh, it's simple encoding, so never mind," comments Hecker.
In the same session, Hecker will also demonstrate methods of injecting keystrokes into PoS systems as if a keyboard were plugged into the system. This includes injecting keystrokes to open the cash drawer and abusing magnetic stripe-based rewards programmes.
This research also relies on insecure magnetic stripe cards, and in particular on the weaknesses of the magnetic stripe card readers often attached to retail systems, especially in the US.
Attacks include a 'cash tend' attack, in which the PoS can be fooled into thinking that a transaction has taken place, so that the till is opened accordingly.
Of course, in an increasingly cashless world, the rewards of such attacks are becoming less and less valuable, especially when weighed against the risk of getting caught. Even so, they are just the latest in a string of vulnerabilities uncovered in recent years, many of which have been exploited in the wild.
However, Hecker warns that such vulnerabilities in retail systems could be exploited to drop malware onto them.
Hecker's demo on Sunday will be his second of the week, following a presentation in which he showed how cash machines could be milked of $50,000 in just 15 minutes - even chip-and-pin secured machines.