A vulnerability discovered by security researchers in a popular point-of-sale system allows attackers to steal credit card and payment information, alter vital files within the system and change the price of any item.

Researchers at cybersecurity firm ERPScan first discovered the vulnerability, which affects the SAP POS Xpress Server and SAP point-of-sale clients, the system customers interact with when they pay a retailer.

“Enterprises struggle with managing risk from third-party unmanaged assets on their network that are vulnerable, such as PoS systems. These devices are a part of critical business processes and have a significant breach impact,” Gaurav Banga, the founder and CEO of Balbix, a firm that specializes in data breach resistance, told International Business Times.

The vulnerability stems from a shortcoming in the Xpress Server authentication process. The researchers found the server doesn’t perform an authentication check to ensure it is communicating with an authorized device, which allows attackers to connect to the server without providing any sort of credentials.

If an attacker manages to connect to the server, they gain full access to every function of the system. That includes full access to payment information and credit card data, information on payment operations, the ability to remotely start and stop checkout terminals within the store and change the prices on any product.

The vulnerability presents a real and present threat for many retailers who rely upon the SAP POS Xpress Server for their daily operations. As a firm, SAP provides its services to 80 percent of retailers in the Forbes Global 2000.

There is one hitch for hackers who may want to exploit the vulnerability. In order to do so, they must be connected to the same network as the Xpress Server. If the server is connected to the internet, the attack can be executed remotely.

If the system is air-gapped—kept from having a direct connection to the internet—then the attacker would have to build a specialized device that could automatically run the necessary malicious commands to connect to the server and execute those commands from inside the store itself.

That obstacle doesn’t carry much of a price tag for a potential hacker. The researchers at ERPScan built a proof-of-concept device using a Raspberry Pi, an inexpensive and small single-board computer. The device cost about $25—an amount the hackers could quickly make up for by changing the prices of items in the store in their favor. In a demonstration of the attack, the researchers changed the price of a MacBook Pro to $1.

The Raspberry Pi-based device scans for open ports and connects to the server once it finds it. At that point, it begins automatically executing malicious commands and uploads a new server configuration file to the Xpress Server, giving the attacker control over the system.

The researchers at ERPScan reported the vulnerability to SAP in April 2017, and the company issued patches to solve the issue. Retailers are advised to make sure they have installed SAP Security Note 2476601 and SAP Security Note 2520064.

“What is needed is complete visibility of third-party and unmanaged assets on the network along with automatic calculation of business impact to identify threats such as vulnerable PoS systems—before they get breached,” Banga said.