Buyer beware: the mobile apps you use aren’t as benign as you think. In fact, some apps and iOS services may be rife with security vulnerabilities.
That’s what Mike Park, managing consultant at the security company Trustwave, told me earlier this week. Park has spent more than a year looking into security weaknesses in mobile point-of-sale (POS) systems.
This came about because he was hired last year to do penetration tests of several clients’ POS systems to see how secure they were. His findings were pretty shocking. “We found that [these mobile POS devices] are rather dangerous,” he told me. That’s what led him to look into the problem further, and why he’s presenting his case studies at the AppSecUSA conference tomorrow.
How dangerous are they? In short, when a business runs a POS app on a phone or tablet (Square and Shopify are well-known examples of the category), it may be relying on a vulnerable payment platform without knowing it.
Park looked closely at three different mobile POS providers (which, of course, he couldn’t name due to nondisclosure agreements) that run on iOS to see what kinds of vulnerabilities they contained. One was, on the whole, safe for vendors to use. The other two didn’t get his seal of approval. One was vulnerable to attack but had not yet been released to the public; the company was aware of the problems and said it was working on a fix. The third was just plain horrible. “There were so many bad things that were happening,” he said. For the most part, those bad things came down to missing or improperly implemented security controls.
This made Park wonder how widespread these vulnerabilities were: are most iOS POS systems susceptible? Unfortunately, Park thinks that may be the case. He looked at more products on the market and was “seeing the same problems over and over again.”
A phone or tablet, he says, can be jailbroken; once it is, the POS app running on it can be compromised and customer card data is at a hacker’s fingertips. These problems mostly arise in the development stage. Park found developers taking shortcuts with encryption. “The people who design and make the decisions [for these devices] need to know the impact of what their decisions are going to be.” Essentially, weak or misplaced encryption means customers risk having their card data, and with it their identities, stolen.
The big issue is where the encryption takes place. In the apps Park looked at it happens inside the software; it should instead happen in hardware, in the card reader itself. There is always a brief moment when the card data is unencrypted, he explained. If the reader hands the app the card data in the clear and the app encrypts it, that window is much longer, and the plaintext sits in the app’s memory on a device an attacker may control, which is exactly where a memory scraper or an instrumented process on a jailbroken phone can read it. If instead the reader encrypts the track data at the swipe head and the app only ever handles ciphertext addressed to the payment processor, the phone becomes an untrusted pipe and the problem is largely mitigated, although the reader and the processor’s key management then have to be done right.
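To make the difference concrete, here is an added simulation (my own example, not code from Trustwave or from any of the products Park tested). A "memory scraper" walks every buffer the app touched looking for Track 2 data with a Luhn-valid card number, which is how real POS RAM-scraping malware works. In the software-encryption design the app receives plaintext from the reader and encrypts it itself; in the encrypt-at-swipe design the reader encrypts before the bytes reach the phone. The track data is a constructed sample built around the standard Visa test number, the keys are assumed placeholders, and the HMAC-based stream cipher stands in for the DUKPT/TDES or AES a real reader would use.

```python
import hashlib
import hmac
import re

# Constructed sample swipe: the well-known Visa test PAN 4111 1111 1111 1111 on a
# synthetic Track 2 (PAN, '=', expiry YYMM, service code, discretionary data).
SAMPLE_TRACK2 = b";4111111111111111=25121011234567890?"

# Hypothetical keys. In a real encrypting reader the key lives in the reader's
# secure element and is shared with the payment processor, never with the phone.
READER_KEY = b"reader-secure-element-key (assumed)"
APP_KEY = b"key embedded in the app binary (assumed)"
NONCE = b"swipe-0001"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the same filter RAM scrapers use to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Track-2 shape: ';' + 13-19 digit PAN + '=' + YYMM expiry.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})")


def scrape_for_pans(buffers):
    """Model of a memory scraper: search every buffer the app handled for track data."""
    found = set()
    for buf in buffers:
        for m in TRACK2_RE.finditer(buf):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                found.add(pan)
    return found


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in PRF. Real readers use DUKPT with
    # TDES or AES (ANSI X9.24); this is only so the example runs on the stdlib.
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def app_encrypts_in_software(track: bytes, touched: list) -> bytes:
    """The design Park criticises: the reader hands the app plaintext, the app encrypts."""
    touched.append(track)                       # plaintext crosses into app memory
    pan = TRACK2_RE.search(track).group(1)      # app parses it (receipt, masking, ...)
    touched.append(pan)
    ciphertext = encrypt(APP_KEY, NONCE, track)
    touched.append(ciphertext)
    return ciphertext


def reader_encrypts_in_hardware(track: bytes, touched: list) -> bytes:
    """Encrypt-at-swipe: the track is enciphered inside the reader, before the phone sees it."""
    ciphertext = encrypt(READER_KEY, NONCE, track)               # inside the reader
    masked = b"****" + TRACK2_RE.search(track).group(1)[-4:]     # reader emits last-4 for the receipt
    touched.append(ciphertext)                  # the only card-derived bytes the app ever holds
    touched.append(masked)
    return ciphertext


def compare_designs(track: bytes = SAMPLE_TRACK2) -> dict:
    """Run both designs and report what a scraper recovers from the app's buffers."""
    sw, hw = [], []
    app_encrypts_in_software(track, sw)
    reader_encrypts_in_hardware(track, hw)
    return {"software": scrape_for_pans(sw), "hardware": scrape_for_pans(hw)}


if __name__ == "__main__":
    print(compare_designs())
```

The scraper recovers the full PAN from the software-encryption app's buffers and nothing from the encrypt-at-swipe app's, which still has the masked last four digits it needs for the receipt. The app's own key is also a liability in the first design: it ships inside the binary, so anyone who can pull the app off a jailbroken device can decrypt whatever the app stored.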
So how does a consumer or vendor know which device to use? In all honesty, as things stand, it’s a gamble. Given Park’s nondisclosure agreement, he can’t name names, but he still thinks people should be aware. The only advice he was able to give me for consumers was that if a mobile POS system lets the merchant key in customer information by hand (type a credit card number rather than swipe the card), then that system is inherently not safe: a keyed-in number necessarily passes through the app in plaintext, the very software-side exposure described above. Park’s real message, however, is directed at developers.
According to one report, the number of mobile POS terminals grew 111 percent from 2011 to 2012. But amid this rush, developers have to be aware of what they are creating. According to Park, they have to “be prepared to make the hard decisions up front.” That may mean it takes longer to develop a solid, secure payment system.
But, if that’s what it takes to maintain security, then by all means, developers, take your time.
Yet POS systems aren’t the only security problem on mobile devices. Another Trustwave security consultant, Bruno Oliveira, found a separate class of mobile vulnerability. He was hired to look into file-sharing apps that use Bluetooth and found that many of them used no encryption whatsoever, while some had no authentication at all. “They don’t have any security features enabled,” Oliveira told me. He, too, will be presenting at AppSec.
With such meager security measures in place, he was able to break into these apps and gain complete access to the files. “I could delete files, I could upload files, and I could leak the files,” he said.
All of this came down to app developers not building authentication and encryption into their programs.
“The problem,” he said, “is that the software designers don’t care about security. They want to sell applications.”
And, much like Park’s discovery, this wasn’t one isolated instance or a scattering of unrelated flaws: most of the file-sharing apps shared the same problems, which could have been fixed relatively easily in the development stage.
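The authentication gap Oliveira describes is easy to see side by side. Below is an added example of my own, not code from any of the apps he tested: an in-memory "share" with a dispatcher that acts on whatever command arrives, next to a hardened service that requires every request to carry an HMAC tag under a key the peers are assumed to have agreed at pairing time, and that refuses replayed requests. The file store, the pairing key and the attacker's message are all constructed for the demo; link encryption (the other missing control) is out of scope here.

```python
import hashlib
import hmac
import secrets


def make_share() -> dict:
    """Constructed in-memory stand-in for the app's shared folder."""
    return {"invoice.pdf": b"%PDF-1.4 sample", "notes.txt": b"meeting notes"}


def handle_unauthenticated(share: dict, request: dict):
    """The pattern Oliveira describes: any peer that can reach the service can
    list, download, overwrite or delete files. No identity is ever checked."""
    op, name = request["op"], request.get("name", "")
    if op == "list":
        return sorted(share)
    if op == "get":
        return share[name]
    if op == "put":
        share[name] = request["data"]
        return True
    if op == "delete":
        del share[name]
        return True
    raise ValueError(f"unknown op {op!r}")


def _encode(*parts: bytes) -> bytes:
    # Length-prefix each field so ("a|b", "c") and ("a", "b|c") cannot collide.
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def request_tag(key: bytes, op: str, name: str, nonce: bytes, data: bytes) -> bytes:
    """HMAC over every field the server will act on, plus a fresh nonce."""
    msg = _encode(op.encode(), name.encode(), nonce, hashlib.sha256(data).digest())
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_request(key: bytes, op: str, name: str = "", data: bytes = b"") -> dict:
    """Client side: a peer holding the pairing key builds an authenticated request."""
    nonce = secrets.token_bytes(16)
    return {"op": op, "name": name, "data": data, "nonce": nonce,
            "tag": request_tag(key, op, name, nonce, data)}


class AuthenticatedShare:
    """Hardened service: verifies the tag and refuses replayed nonces before dispatch."""

    def __init__(self, share: dict, key: bytes):
        self.share = share
        self.key = key
        self.seen = set()   # accepted nonces; bound this with a time window in production

    def handle(self, request: dict):
        nonce = request.get("nonce", b"")
        expected = request_tag(self.key, request["op"], request.get("name", ""),
                               nonce, request.get("data", b""))
        # Constant-time comparison; without the key a peer cannot forge the tag.
        if not hmac.compare_digest(expected, request.get("tag", b"")):
            raise PermissionError("bad or missing tag")
        if nonce in self.seen:
            raise PermissionError("replayed request")
        self.seen.add(nonce)
        return handle_unauthenticated(self.share, request)


def demo() -> dict:
    """Send the same attacker message to both services and report what happened."""
    pairing_key = secrets.token_bytes(32)   # assumed to be established at pairing time
    attacker_msg = {"op": "delete", "name": "invoice.pdf"}

    open_share = make_share()
    handle_unauthenticated(open_share, attacker_msg)        # succeeds, file is gone
    result = {"open_share_after_attack": sorted(open_share)}

    svc = AuthenticatedShare(make_share(), pairing_key)
    try:
        svc.handle(attacker_msg)
        result["forged_delete"] = "accepted"
    except PermissionError as e:
        result["forged_delete"] = str(e)

    legit = sign_request(pairing_key, "put", "report.txt", b"quarterly")
    svc.handle(legit)                                        # genuine peer, accepted once
    try:
        svc.handle(legit)                                    # same bytes captured and resent
        result["replay"] = "accepted"
    except PermissionError as e:
        result["replay"] = str(e)
    result["auth_share_files"] = sorted(svc.share)
    return result


if __name__ == "__main__":
    print(demo())
```

Against the open share the forged delete simply works; against the hardened one it is rejected for lack of a valid tag, a genuine signed upload goes through, and resending that same upload is rejected as a replay. None of this needs anything beyond the standard library, which is the point: the fix is a few dozen lines at design time.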
It’s only a matter of time until attackers capitalize on mobile devices at scale. We’ve seen numerous compromises via phishing campaigns over the years, and criminals have long fitted ATMs with “skimming” hardware to physically read debit card numbers.
Mobile POS and file-sharing apps are a logical extension of that behavior.
So the next time someone uses an iPad to swipe a card or asks to share a file with your iPhone, you may want to think twice. Or at least be aware of the potential risk.