- A large number of “Ingenico” Telium 2 POS terminals could be vulnerable to severe attacks.
- Researchers have figured out how to chain several known flaws into a full compromise of the terminal.
- Updating POS software isn’t very straightforward, so replacing old terminals with new models may be the better option.
Researchers from the “Positive Technologies” team have found a way to exploit a lengthy chain of vulnerabilities and obtain full control over an “Ingenico” Telium 2 POS terminal. The attack enables an actor to intercept card PIN codes and magnetic stripe data, which makes card cloning possible. Moreover, the attacker can send money withdrawal requests against a bank account and practically empty it before the victim has a chance to realize what's happening.
As the researchers detail, some of the flaws could be exploited remotely, but most would require physical access. Below are the vulnerabilities relevant to the Telium 2 POS terminals.
- CVE-2018-17767, CVE-2018-17771 – Hardcoded credentials allowing access to the developer menu.
- CVE-2018-17765 – Allows activation of the TRACE protocol and the launching of a command console.
- CVE-2018-17772 – Restriction bypass, which enables the terminal to run any command.
- CVE-2018-17776, CVE-2018-17768, CVE-2018-17774 – Restriction circumvention via the NTPT3 protocol.
- CVE-2018-17769, CVE-2018-17770, CVE-2018-17773 – Buffer overflow vulnerabilities.
Ingenico, one of the largest electronic transaction companies in the world, has already pushed updates fixing the above flaws. More specifically, they were all addressed in the “Telium 2 SDK v9.32.03 patch N,” which is to be installed directly on the POS terminals. However, it is very likely that many of the 32 million terminals from the French POS maker that are in circulation worldwide have not had the patch applied.
Those who haven’t updated their POS terminals are urged to reach out to the vendor, their bank, or their service provider for instructions on how to deal with the associated risks. Many of the affected models are reaching their end of service life soon anyway, so it could be preferable to replace the equipment with a new and more secure model.
Merchants should always maintain a patch management program, implement network segmentation, monitor their traffic for suspicious connections, and give each administrator individual credentials rather than a shared account. Enabling EMV and activating heuristic detection in anti-malware products should also be considered standard practice.
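The segmentation and traffic-monitoring advice above can be turned into a concrete check. The script below is an added example written for this article; it is not code from Ingenico, Positive Technologies, or the researchers. It assumes a simple policy: terminals on a dedicated POS subnet may only initiate connections to the payment gateway on TLS port 443, only a designated management host may connect inbound to a terminal, and terminals never talk to each other. The subnet, gateway address, management host, and the key=value flow log format are all assumptions made for illustration, as are the sample log lines, which are constructed rather than captured.

```python
"""Flag POS-segment traffic that violates a simple segmentation policy.

Added example, not vendor or researcher code.  The network layout, the
log format and the sample lines are assumptions made for illustration.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Assumed layout: one POS VLAN, one payment-processor endpoint, and one
# host that is allowed to manage terminals.
POS_SEGMENT = ipaddress.ip_network("10.10.50.0/24")
PAYMENT_GATEWAYS = {ipaddress.ip_address("203.0.113.10")}
MGMT_HOSTS = {ipaddress.ip_address("10.10.1.5")}
ALLOWED_EGRESS_PORTS = {443}

# Assumed firewall / NetFlow export format: key=value fields per line.
FLOW_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def parse_flow(line: str) -> Optional[Tuple[ipaddress.IPv4Address,
                                            ipaddress.IPv4Address, int, str]]:
    """Extract (src, dst, dport, proto) from one log line, or None."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
            int(m["dport"]), m["proto"])


def classify(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address,
             dport: int) -> Optional[str]:
    """Return a reason string if the flow breaks policy, else None."""
    src_pos = src in POS_SEGMENT
    dst_pos = dst in POS_SEGMENT
    if src_pos and dst_pos:
        return "terminal-to-terminal traffic (possible lateral movement)"
    if src_pos:
        if dst not in PAYMENT_GATEWAYS:
            return "terminal egress to non-allowlisted host"
        if dport not in ALLOWED_EGRESS_PORTS:
            return "terminal egress on unexpected port"
        return None
    if dst_pos and src not in MGMT_HOSTS:
        return "inbound connection to terminal from unauthorised source"
    # Either not POS traffic at all, or permitted management access.
    return None


def check_line(line: str) -> Optional[str]:
    """Policy verdict for a single log line (None = allowed or unparsable)."""
    parsed = parse_flow(line)
    if parsed is None:
        return None
    src, dst, dport, _proto = parsed
    return classify(src, dst, dport)


def find_violations(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for every line that violates policy."""
    out = []
    for line in log_lines:
        reason = check_line(line)
        if reason:
            out.append((line, reason))
    return out


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2020-07-10T14:02:11Z src=10.10.50.21 dst=203.0.113.10 dport=443 proto=tcp",
    "2020-07-10T14:02:15Z src=10.10.50.21 dst=198.51.100.77 dport=443 proto=tcp",
    "2020-07-10T14:02:20Z src=192.0.2.40 dst=10.10.50.21 dport=23 proto=tcp",
    "2020-07-10T14:02:31Z src=10.10.1.5 dst=10.10.50.21 dport=22 proto=tcp",
    "2020-07-10T14:02:44Z src=10.10.50.22 dst=10.10.50.21 dport=8080 proto=tcp",
    "2020-07-10T14:02:50Z src=10.10.50.21 dst=203.0.113.10 dport=80 proto=tcp",
    "2020-07-10T14:03:02Z src=10.10.1.5 dst=10.10.1.9 dport=443 proto=tcp",
    "2020-07-10T14:03:05Z malformed line with no flow fields",
]

if __name__ == "__main__":
    for line, reason in find_violations(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Run against the constructed sample, four of the eight lines are reported: the egress to an unknown host, the inbound telnet-port connection from an outside address, the terminal-to-terminal flow, and the gateway connection on a non-TLS port. The allowlist approach is deliberate: because the terminal's management protocols and the ports they use are not something a merchant should rely on knowing, the policy describes what the terminal is supposed to do and flags everything else.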
As for consumers, if you can pay in cash, prefer that. You can never be absolutely certain about what’s running inside a POS network, and we’ve seen card-stealing malware find its way into entire retail chains more than once. Paying through a POS terminal is convenient, and during the pandemic it is also a way to keep infection rates low, but unfortunately it sometimes comes with cybersecurity risks.