So, you’ve (accidentally) hacked a POS terminal?

A couple of days ago I was shopping at a particular UK retailer and whilst there I used a certain type of one of their POS terminals. During the transaction I managed to (accidentally!) interrupt the machine’s process, which resulted in the front-end GUI crapping out… to reveal a completely unprotected and bog-standard Windows 7 environment running the show in the background.

To my utter astonishment, there was no additional security and by simply opening the onscreen keyboard I was immediately able to open a command prompt with administrator rights. I should of course at this point add that I did *nothing* illegal or malicious in any way at all. In fact, I restored the machine after its ‘hiccup’ so it was in a fully functioning state for the next user.


Now, I’m certainly no security expert, however – I am thorough. So, to ensure that this was not a one-off, I visited further locations, and this vulnerability exhibited itself on 80% of the machines I tested. It’s pretty obvious to me that this is a fairly major failing in the security of these machines. There are literally hundreds if not thousands of these machines currently in use in the UK.

I therefore alerted the retailer about my concerns and asked that they inform me what they intend to do about it.

I am yet to receive any sort of response or recognition that they have a problem. Now, one would *hope* the retailer involved would take this rather seriously. At the moment, it would appear not.

If anyone has any ideas of what to do next – ping me on Twitter @DaveJaVuPride

I’ll let you know what happens. :-)

 
