PIN Pad Pong: Is Verifone Playing Games With German POS Security?

The most popular PIN pad in Germany may have a major security hole—at least that's what a German security lab says. Verifone insists it can't reproduce the problem. In response, the researchers on July 12 went public with a demonstration on German TV in which a PIN pad was hacked to turn it into a Pong game. Yes, it looks like this started by being about security, and then about money—now, it's personal.

The problem with this needle match is that what sticks in the minds of consumers is a PIN pad playing Pong—and with that image, who can take payment security seriously?

The PIN pad in question, the Artema Hybrid Terminal, is one that Verifone acquired when it bought all of Hypercom's business outside the U.S. It handles both Chip-and-PIN and magstripe cards with a single slot, which explains both the Hybrid name and why it's so popular in Germany—about 300,000 are in use by retailers in Germany and Austria. Naturally, the device has passed muster with the German equivalent of PCI.

But last week, Security Research Labs (SRL) in Berlin claimed the PIN device has both software and hardware vulnerabilities. SRL researchers say the device's network stack is subject to buffer overflows; the serial-port interface also enables code execution through a buffer overflow; and a diagnostic port is accessible from outside the device, making it possible to get full debugging control over the device without opening it.

"These attacks target the terminal's application processor," the two-man research team wrote. "The security of the cryptographic module (HSM) has not yet been investigated as far as key extraction attacks are concerned. However, a design or implementation shortcoming in the HSM enables control over display and PIN pad from the application processor."

In other words, even if the security module is safe, what customers (and retailers) see can still be controlled by malware, which could enable PIN capture or other attacks.

At least, that's what the researchers say. Verifone, for its part, insists the PIN pad is secure. "At no point was the security module or encrypted PIN compromised in this reported attack scenario; neither was the integrity of the EMV transaction violated," responded Verifone payment security VP Dave Faoro. "As the security module is not affected by the attack scenario, it is not possible using an amended application program to modify the security module's PIN processing of a successful card payment transaction."

That is, transactions on the Artema Hybrid are safe—but no word on whether PINs or card data can be grabbed.

Faoro also said Verifone hired its own security lab, which couldn't reproduce the attack scenario, and hired two more penetration testing firms to work on the problem. He complained that the German researchers haven't given Verifone enough information to understand the attack. The researchers say they notified Verifone about the vulnerability more than six months ago, and Verifone's inaction is why they went on TV.

This all sounds like some strange passive-aggressive security dance, with the researchers saying, "You have a security hole but we won't tell you what it is," and Verifone responding, "How can we know what's wrong if you won't tell us?"

What neither side is saying—except for a brief reference by Verifone to the researchers as a "commercial" security firm—is that this is probably about money. The researchers want to be hired to fix the problem they found. Verifone doesn't want to pay their price.

And after the researchers went on TV last week, it's likely Verifone sees this as war. How dare these hackers publicly embarrass Verifone by showing how easily the PIN pad can be taken over—even if they didn't actually reveal enough details for Verifone or anyone else to figure out how it was done.

Meanwhile, the researchers are publicly lamenting the state of PIN pad security and the fact that German retailers will be saddled with insecure PIN pads for years, even after their TV appearance, because Verifone and retailers aren't likely to replace hundreds of thousands of PIN pads with versions that don't have the hardware diagnostic port exposed.

Yes, it has all descended into the realm of the personal, which is the least useful place for a security problem to be.

The irony, of course, is that after all the huffing and puffing, it may not matter much. A security hole that's so obscure—and has apparently never been exploited in the wild—is very nearly the equivalent of an unknown bug. Except that if a retailer is ever actually breached, the retailer can point to Verifone as the source of the problem.

Yes, there probably is a risk, and it should be fixed. But until someone else figures out the details of the problem, it looks like it'll be the security researchers' little secret.

Beyond that, German retailers aren't likely to care—they're worried about their own businesses and assuming PIN pad security is someone else's problem (specifically Verifone's). Consumers won't care either, because what they're most likely to remember is that two guys on TV managed to play Pong on the same device they use to pay for groceries.

That's not going to encourage consumers to take payment-card security seriously. As one commenter on the tech-news site Ars Technica described an imaginary scenario: "You plug your card into the machine to make a transaction [and] Pong appears on the screen. You know your card security has been breached, but you're compelled to make it to level 10."

Then again, it may mean there's an opportunity for Verifone. If the vendor ever does track down those alleged buffer-overflow problems and issue a software fix for them, maybe it could include a screen-saver option for when the PIN pad isn't being used for transactions. Tetris, anyone?