There are many ways hackers can exploit vulnerabilities to get the information they want. Flaws in Point-of-Sale (PoS) systems are on this list, and ERPScan researchers recently found that PoS software distributed by German vendor SAP is missing crucial checks, leaving it vulnerable to unauthorized access and modification.
A video demonstration by the research team shows a terminal running SAP software being infiltrated via a Raspberry Pi connected to the same network. The terminal was then modified to change prices and forward sensitive data, such as credit card numbers, to the hacking device.
In a paper presented at the recent Hack in the Box security conference in Singapore, ERPScan researchers revealed some technical details of the exploit, which allows access through an unobstructed port. It also gives an unauthenticated user access to certain critical functions of the PoS back-end.
“Many POS systems have similar architecture and thus the same vulnerabilities,” ERPScan’s Dmitry Chastuhin, one of the researchers who found the vulnerabilities, told Security Week. “POS terminals used to be plagued with vulnerabilities as myriads of them were found and, unfortunately, exploited, so their security posture has improved significantly. On the other hand, banks must adhere to different compliance standards. So, the connections between POS workstation and the store server turn out to be the weakest link. They lack the basics of cybersecurity – authorization procedures and encryption, and nobody cares about it. So, once an attacker is in the network, he or she gains full control of the system.” Chastuhin said that a similar vulnerability was found in PoS software from Oracle.
According to Gaurav Banga, founder and CEO of Balbix, it’s not uncommon for enterprises to struggle with managing risk from vulnerable third-party unmanaged assets on their network, such as PoS systems. However, these devices are needed for business processes and they have a significant breach impact, he added.
“What is needed is complete visibility of third-party and unmanaged assets on the network along with automatic calculation of business impact to identify threats such as vulnerable PoS systems – before they get breached,” said Banga.
As for the vulnerabilities discovered in SAP, researchers reported them to the company back in April and a patch was pushed out in July. An additional patch was released on August 18th after the first was circumvented. SAP urges customers, which include 80 percent of the Forbes Global 2000 retailers, to update immediately.