Mobile Point-of-Sale (mPOS) systems allow small businesses and drug dealers to accept credit card payments using their favourite iDevice (Disclaimer: other mobile devices are available). During our research, we had a look at the security of the leading solutions for mobile Chip&Pin payments. If you saw our previous PinPadPwn research, you won't be surprised to hear we discovered a series of vulnerabilities which allow us to gain code execution on these devices through each of the available input vectors. We will discuss the weaknesses of current solutions and have live demonstrations for multiple attack vectors, our favourite being a malicious credit card which drops a remote root shell on an embedded mPOS device.
Nils is a Security Researcher for MWR Labs. He likes to break and exploit stuff, which he demonstrated at Pwn2Own 2009, 2010, 2013 and mobile Pwn2Own 2012. He has spent a considerable amount of time researching different mobile platforms and how to evade the exploitation mitigations techniques in place on these platforms. His current area of interest is embedded payment systems.
Jon works at MWR InfoSecurity, heading up their independent research in the UK. He is interested in all aspects of vuln dev, and has used these skills to win recent Pwn2Own competitions against the Samsung Galaxy S3 and Google Chrome. He has presented at various conferences in the past on topics relating to browser security, reverse engineering C++ applications, and software exploitation on ARM platforms. His current research interests include sandboxing technologies, static binary analysis, and payment card security