Saturday, September 2, 2017

SAP point-of-sale systems were totally hackable with $25 kit

Researchers able to hijack server and steal card details

Point-of-Sale systems from SAP had a vulnerability that allowed them to be hacked using a $25 Raspberry Pi or similar device, according to research unveiled at the Hack in the Box conference in Singapore last week.

Critical vulnerabilities in SAP's POS – since resolved – created a means for hackers not only to steal customers' card data but to gain unfettered control over the server, enabling them to change prices of goods with the help of a simple device, according to ERPScan.

SAP developed a patch after being alerted to the problem by ERPScan in April, allowing the enterprise app security specialists to go public with their discovery last week.

The root cause of the problem was that pre-patch SAP POS Xpress Server systems performed no authentication checks on critical functionality that should have required a verified user identity. As a result, administrative and other privileged functions could be invoked by anyone able to reach the server on the network, without supplying any credentials at all.

Read the full article at The Register.
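The bug class described above (a server that dispatches privileged operations without ever consulting the caller's identity) is easy to see in a small model. The following is an added illustration, not SAP's code and not a model of the real Xpress Server protocol or message format: a constructed toy POS admin service with the authentication gap, beside a hardened dispatcher, and a probe that a tester would run against either to confirm that every privileged operation refuses an anonymous caller. The operation names, request fields and status codes are all assumptions made for the example.

```python
# Added illustration of the bug class in the text (missing authentication
# for a critical function). Constructed toy service; it does not model SAP's
# real protocol, message format or code. All names here are hypothetical.

from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    roles: set


@dataclass
class PosState:
    # Constructed sample data: one SKU and an empty session table.
    prices: dict = field(default_factory=lambda: {"SKU-100": 4.99})
    sessions: dict = field(default_factory=dict)


# Operations that must only run for an authenticated administrator.
PRIVILEGED_OPS = {"set_price", "add_user", "dump_config"}
PUBLIC_OPS = {"get_price"}


def _do_op(state, op, args):
    """Business logic shared by both servers; deliberately contains no auth."""
    if op == "get_price":
        return {"status": 200, "price": state.prices.get(args.get("sku"))}
    if op == "set_price":
        state.prices[args["sku"]] = float(args["price"])
        return {"status": 200}
    if op == "add_user":
        state.sessions[args["token"]] = Session(args["user"], set(args.get("roles", [])))
        return {"status": 200}
    if op == "dump_config":
        return {"status": 200, "config": {"prices": dict(state.prices)}}
    return {"status": 404}


class VulnerableServer:
    """Dispatches on 'op' alone: the 'session' field is never consulted,
    so price changes and user creation work for any network peer."""

    def __init__(self, state):
        self.state = state

    def handle(self, request):
        return _do_op(self.state, request.get("op"), request.get("args", {}))


class HardenedServer:
    """Authenticates and authorises before any privileged op is executed."""

    def __init__(self, state):
        self.state = state

    def handle(self, request):
        op = request.get("op")
        if op not in PRIVILEGED_OPS | PUBLIC_OPS:
            return {"status": 404}
        if op in PRIVILEGED_OPS:
            session = self.state.sessions.get(request.get("session"))
            if session is None:
                return {"status": 401}  # no identity: refuse before acting
            if "admin" not in session.roles:
                return {"status": 403}  # identity known, but not permitted
        return _do_op(self.state, op, request.get("args", {}))


def probe_unauthenticated(server, ops):
    """Call every op with no session at all and return the ops that were
    executed. For a correctly locked-down server this contains only public ops."""
    sample_args = {  # constructed probe payloads, one per operation
        "get_price": {"sku": "SKU-100"},
        "set_price": {"sku": "SKU-100", "price": "0.01"},
        "add_user": {"token": "t", "user": "eve", "roles": ["admin"]},
        "dump_config": {},
    }
    accepted = set()
    for op in ops:
        resp = server.handle({"op": op, "args": sample_args[op]})
        if resp["status"] == 200:
            accepted.add(op)
    return accepted


def privileged_ops_exposed(server):
    """Privileged ops the server runs for an anonymous caller; must be empty."""
    return probe_unauthenticated(server, PRIVILEGED_OPS | PUBLIC_OPS) & PRIVILEGED_OPS


if __name__ == "__main__":
    print("vulnerable exposes:", privileged_ops_exposed(VulnerableServer(PosState())))
    print("hardened exposes:", privileged_ops_exposed(HardenedServer(PosState())))
```

The point of the probe is that it tests the negative case: it does not ask whether an administrator can change a price, but whether somebody with no session can. That is the check missing from the pre-patch server, and it is the one to add to any regression suite for a service that exposes privileged functions over the network, so that a later refactor of the dispatcher cannot silently reopen the gap.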