DEF CON 31 - Contactless Overflow Code Execution in Payment Terminals & ATMs - Josep Rodriguez
We conducted a research to assess the current security of NFC payment readers that are present in most of the major ATM brands, portable point of sales, gas stations, vending machines, transportation and other kind of point of sales in the US, Europe and worldwide. In particular, we found code execution vulnerabilities exploitable through NFC when handling a special application protocol data unit (APDU) that affect most NFC payment vendors. The vulnerabilities affect baremetal firmware devices and Android/Linux devices as well. After waiting more than 1 year and a half once we disclosed it to all the affected vendors, we are ready to disclose all the technical details to the public. This research was covered in the media by wired.com but without the technical details that we can share now https://www.wired.com/story/atm-hack-... Some of the affected vendors are: IDtech - https://idtechproducts.com/ Ingenico - https://www.ingenico.com/ Verifone - https://www.verifone.com/ CPI - https://www.cranepi.com/ BBPOS - https://www.bbpos.com/ Wiseasy - https://www.wiseasy.com/ Nexgo - https://www.nexgoglobal.com/ In this presentation we will describe the vulnerabilities and also demo how the readers can be compromised, using a special Android app we created, by just tapping an Android phone to the reader. We will discuss the consequences such as financial impact in reader’s users/owners and card data stealing once the firmware is compromised. Also, we will show how to compromise the host that is connected to the reader through USB by manipulating the reader’s firmware, chaining stack buffer overflow vulnerabilities in the SDK provided by the vendor that is running in the host machine. Finally, since one of the affected vendors (IDtech) is present in most ATM brands in the world, the talk will cover different scenarios of how possible can be jackpotting ATMs just tapping a smartphone into the reader of the ATM. We have many years of experience jackpotting all brands of ATMs in multiple different ways and we will show how this is technically possible.
DEF CON 31 - How Vulns in Global Transportation Payment Systems Cost You - Omer Attias
DNS Remote Code Execution: Finding the Vulnerability 👾 (Part 1)
Jackpotting ATM's (Automated Teller Machines) - Its easier than you might think - Alexander Forbes
DEF CON 33 - Cash, Drugs, and Guns - Why Your Safes Aren't Safe - Mark Omo, James Rowley
Hardware Hacking: Tools, Tips and Tricks for Total Domination
DEF CON 33 - Kill List: Hacking an Assassination Site on the Dark Web - Carl Miller, Chris Monteiro
Exposing The Solid State Donut Battery. It's Over.
how is this hacking tool legal?
Attacking AI - Jason Haddix - NDC Security 2026
Inside the Secret World of DEF CON Hackers | VICE: Motherboard | Blueprint
Sarah Paine - Why Putin and Xi can't escape geography
Passkeys Explained: Are They Actually Better Than Passwords?
DEF CON 31 - certmitm Automatic Exploitation of TLS Certificate Validation Vulns - Aapo Oksman
DEF CON 31 - Vacuum Robot Security & Privacy Prevent yr Robot from Sucking Your Data - Dennis Giese
DEF CON 31 - Smashing the State Machine the True Potential of Web Race Conditions - James Kettle
DEF CON 33 - China's 5+ year campaign to penetrate perimeter network defenses - Andrew Brandt
DEF CON 31 - Ringhopper - How We Almost Zero day’d the World - Benny Zeltser, Jonathan Lusky
DEF CON 31 - Using SIM Tunneling to Travel at Light Speed - Adrian Dabrowski, Gabriel Gegenhuber
Why Filipino Women Are Choosing to Stay Single Forever | AB Explained
