SEATTLE, June 6, 2016 /PRNewswire/ --
- Researchers identified major vulnerabilities in EMV terminals through their use of Peach Fuzzer.
- Peach Fuzzer combined with malicious spoofed credit cards was able to create memory corruptions, denial of services, and arbitrary code execution.
- Findings allow credit card issuers and POS terminal manufacturers with tools to help secure their products prior to shipment.
Testing the security of chip-enabled (EMV) solutions is business critical for many organizations. Researchers, using Peach Fuzzer, were able to find multiple cases in which malicious credit cards were able to compromise EMV terminals. Discovering these exploitable vulnerabilities enabled solution providers to mitigate their vulnerabilities quickly and cheaply, before they became a hacker's attack vector.
Researchers from a collaboration between Deja vu Security and Peach Fuzzer, used two different setups during their testing. First, they tested physical terminal hardware using a malicious credit card, Smart Card Reader, and a FPGA Simulating EMV Protocol Bridge. Second, they tested software integrity using multiple EMV terminal emulators.
Throughout testing of the EMV terminals, Peach Fuzzer found that malicious credit cards could be used to compromise EMV terminals. Three major categories of vulnerabilities were discovered:
- Memory Corruption – Allows attackers to read and write memory and crash the reader
- Denial of Service – Renders the unit unusable to POS vendors or their customers
- Arbitrary Code Execution – Enables attackers to define and run their own code on the terminals
In one test case, a spoofed card was created to match all of the physical specifications of an EMV card. This card was put into an EMV terminal, connected to a field programmable gate array (FPGA) which simulated the EMV protocol, and then connected to Peach. This allowed Peach Fuzzer to trick the terminal into thinking a real card was being used, granting access to its systems.
Compared to alternate methods of security assessment, Peach Fuzzer had three primary advantages:
- Speed and Coverage – Over half a million test cases run quickly, which would take months using manual testing
- Complexity of Findings – Custom monitors allowed for valuable data capture
- Repeatability – Scalability of testing and integration with Jenkins enabled testing of each new software build
The security of EMV transactions are crucial to many solutions' viability, reputation, and competiveness. This project successfully demonstrated the flexibility and effectiveness of Peach Fuzzer as a security testing platform for EMV solutions. The Peach Fuzzer platform can help solution providers ship secure EMV solutions.
For more information about these findings please visit http://www.peachfuzzer.com/wp-content/uploads/EMV-Spotlight-FF.pdf
What is Peach Fuzzer?
Peach Fuzzer is a Seattle-based security testing company that provides advanced and extensible enterprise testing solutions. Through leading-edge products, including its robust fuzzing platform, Peach Fuzzer offers customizable testing strategies for software developers, consultants, enterprise QA teams, and other clients involved in the testing phase of the security development lifecycle.
Who is Deja vu Security?
Deja vu Security is a trusted provider of information security research and consulting services to some of the world's largest and most-esteemed technology companies. It is a leading source of security research in payments systems, blockchain technologies, and embedded systems. Deja vu Security is a Platinum partner of Peach Fuzzer.
What is fuzzing?
Rather than looking for known issues, fuzz testing uncovers new, previously undetected bugs and system faults in an automated and intelligent fashion. It goes beyond mere vulnerability scanning or canned test cases and discovers the kind of back-door flaws malicious attackers look for. Fuzzing works by sending unexpected, malformed data that can cause unintended system consequences. Relevant results are captured, analyzed, and evaluated to report potential vulnerabilities. Peach Fuzzer delivers a bleeding-edge fuzzing solution for security testing across a multitude of critical industries.
To view the original version on PR Newswire, visit:http://www.prnewswire.com/news-releases/peach-fuzzer-finds-security-flaws-in-emv-terminals-300280191.html
SOURCE Peach Fuzzer