'Tamper-proof' chip and PIN terminals hacked

Researchers from Cambridge University have succeeded in capturing both PIN numbers and card details from supposedly tamper-proof PIN terminals.

Saar Drimer and Steven Murdoch, overseen by Professor Ross Anderson, managed to hack two widely used PIN terminals: the Ingenico i3300 and the Dione Xtreme.

Security from A to Z

Click on the links below to find out more...

A is for Antivirus
B is for Botnets
C is for CMA
D is for DDoS
E is for Extradition
F is for Federated identity
G is for Google
H is for Hackers
I is for IM
J is for Jaschan (Sven)
K is for Kids
L is for Love Bug
M is for Microsoft
N is for Neologisms
O is for Orange
P is for Passwords
Q is for Questions
R is for Rootkits
S is for Spyware
T is for Two-factor authentication
U is for USB sticks/devices
V is for Virus variants
W is for Wi-fi
X is for OS X
Y is for You
Z is for Zero-day

In a research paper seen by silicon.com's sister site ZDNet UK, the researchers outline the hack. Both terminals have tamper-proof mechanisms inside, but both can be circumvented by tapping the data line of the PIN Entry Device/smartcard interface. The data exchanged on this line is not encrypted.

The Ingenico i3300 has a tamper-response switch inside which is tripped if the terminal is forced open, and also has its innards wrapped in a tamper-proof mesh to detect drilling.

However, there is a user-accessible compartment to insert SIM cards that is not intended to be tamper-proof. The PCB has various holes that an attacker can use to insert a conductor into the serial data line, to tap both the PIN and card details. The researchers used a paper clip as the conductor, linked to the data line.

The Dione Xtreme also has a tamper-response switch but no mechanisms to detect drilling from the rear. The main keypad and processor are "potted together", making it more difficult to incept the signal passing between them. However, by drilling a 0.8mm hole from the rear, the researchers inserted a 4cm needle into a flat ribbon connector socket and tapped the data.

In both cases, the conductors were connected to a thin wire connected to a logic board containing a field programmable gate array, which translated the data and sent it to a laptop.

Both devices were Visa-certified to be secure, which requires that defeating the tamper detection would cost more than $25,000 per PIN-entry device; or that inserting a PIN-stealing bug would be detected, or take more than 10 hours.

Neither terminal meets any of these requirements, said the researcher paper.

The paper said: "What should have required $25,000 needed just a bent paperclip, a needle, a short length of wire and some creative thinking; attaching them to the data line takes minutes with some practice."

Professor Anderson, talking about the research, said: "What this shows is that PIN entry devices in the UK are very insecure. What's more, the [device] certification process is completely defective. Certified devices are easy to breach. That's bad news for retailers and bad news for customers."

Ingenico admitted the hack was successful but said its device "still remained one of the safest on the market".

A spokesman for Ingenico Northern Europe said: "The method identified by the Cambridge University paper requires specialist knowledge and has inherent technical difficulties. This method is therefore not reproducible on a large scale, nor does it take into account the fraud monitoring used throughout the industry."

Dione, which is manufactured by Verifone, had not responded to a request for comment at the time of writing.

Original article: Researchers hack 'tamper-proof' PIN terminals from ZDNet UK