Josep Pi Rodriguez, IOActive Principal Security Consultant, will be presenting: ‘CFP Contactless Overflow: Code execution in payment terminals and ATM’s over NFC’ at DEF CON 31.
We conducted research to assess the current security of the NFC payment readers present in most of the major ATM brands, portable point-of-sale devices, gas stations, vending machines, transportation and other kinds of point-of-sale systems in the US, Europe and worldwide. In particular, we found code execution vulnerabilities, exploitable through NFC when handling a special application protocol data unit (APDU), that affect most NFC payment vendors. The vulnerabilities affect bare-metal firmware devices as well as Android/Linux devices.
More than a year and a half after we disclosed the vulnerabilities to all the affected vendors, we are ready to disclose the technical details to the public. This research was covered in the media by wired.com, but without the technical details that we can now share.