Varyon's POS System to Increase Card Swipes
Information Technology
System Security
Germany
CEO
Client Since 2019
Oh the POSsibilities
Answering the 5 W's…
Varyon is a family-run service company that offers comprehensive IT support across the DACH* region, manages cash register systems, regularly checks security technology, and ensures good sound with the latest audio systems. The company caters to a long list of gastronomical clients. Varyon deals in:
Cash
Audio
Video
IT
*The DACH region refers to the three Central European countries of Germany (D), Austria (A), and Switzerland (CH).
Varyon's Concerns
POS security affects the service industry as the system is not well encrypted.
Initial research revealed a number of high-profile security breaches resulting from the abundance of point-of-sale malware.
Lack of end-to-end security
Abundant point-of-sale malware
Slow payment processing
Taking Up the Challenge
Core components are written in Java. Java is a “write once, run anywhere” (WORA) programming language that runs on a Java Virtual Machine (JVM).
The main application is started by a C++ launcher.
Includes Java 8 and MySQL utilities.
Not always encrypted in transit
Data is partially encrypted
Data is rarely encrypted in memory
The product had an authentication override system: to authenticate a transaction, the system is required to contact the vendor to receive a proper override.
The problem was in its override code generation algorithm. This algorithm could be easily reverse-engineered to continually generate valid authentication codes, allowing an on-site attacker to access the administrative functions of the POS.
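A hardened counterpart to the override weakness described above, as an added example that is not Varyon's or the POS vendor's code: the override code is derived from a secret key and a fresh challenge, so knowing the algorithm alone is not enough to produce a valid code. All names, the code length, the lifetime and the attempt limit are hypothetical, and the sketch assumes a per-terminal key provisioned outside the application code, with a copy held by the vendor.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 8          # assumed length: short enough to read over the phone
VALIDITY_SECONDS = 300   # assumed lifetime of one challenge
MAX_ATTEMPTS = 3         # assumed guess limit per challenge


def derive_code(terminal_key: bytes, terminal_id: str, challenge: str) -> str:
    """Code depends on a secret key and a fresh challenge, not on the algorithm alone."""
    msg = f"override|{terminal_id}|{challenge}".encode()
    digest = hmac.new(terminal_key, msg, hashlib.sha256).digest()
    number = int.from_bytes(digest[:8], "big") % 10**CODE_DIGITS
    return str(number).zfill(CODE_DIGITS)


class OverrideVerifier:
    """Terminal side: one outstanding challenge, single use, expiry, attempt limit."""

    def __init__(self, terminal_key: bytes, terminal_id: str, clock=time.time):
        self._key, self._id, self._clock = terminal_key, terminal_id, clock
        self._challenge = None
        self._issued = 0.0
        self._attempts = 0

    def new_challenge(self) -> str:
        self._challenge = secrets.token_hex(8)  # unpredictable, shown to the operator
        self._issued = self._clock()
        self._attempts = 0
        return self._challenge

    def verify(self, code: str) -> bool:
        if self._challenge is None:
            return False
        expired = self._clock() - self._issued > VALIDITY_SECONDS
        if expired or self._attempts >= MAX_ATTEMPTS:
            self._challenge = None  # force a new vendor call
            return False
        self._attempts += 1
        expected = derive_code(self._key, self._id, self._challenge)
        ok = hmac.compare_digest(expected.encode(), code.encode())  # constant-time
        if ok:
            self._challenge = None  # a code is valid exactly once
        return ok
```

The vendor runs `derive_code` with its copy of the terminal key after verifying the caller; the terminal only ever checks the result against its own outstanding challenge.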
Nothing Ventured, Nothing Gained.
To develop a proof-of-concept to overturn the issues at hand, we undertook a decompilation analysis.
Decompilation is a type of reverse engineering that performs the opposite operations of a compiler.
Steps to Cover:
Hard-Coded Credentials
Override
Auto-update
Security Issues
Interoperability Issues
Error Correction
Applying Proof of Concept
Our Plan:
Way forward
Hitting the Jackpot
With a new framework in place, Varyon IT witnessed an increase in successful card swipes, minimal transaction failures, a decrease in downtime, and much more.
Surpassing Daily Expectations
Senior IT Executive
6 Years of Experience
Associated with the client for the past 2 years.
Applications:
Amadeus, Office 365, Team Viewer, Zendesk, Amadeus 360, Google applications, Digital Signage, Lightspeed G-series, and Menu Service