Our work presents a re-vamped Point-of-Sales (POS) attack targeting the transportation sector and focusing mainly on the international aviation industry. Through a real-life attack and while exposing serious security issues at an International Airport, we are re-introducing the popular PoS attack, focusing on the compromise of sensitive personal data such as travelers' identities and trip information. We will disclose all the technical details and proof-of-concepts of the attack we have performed on a real, widely used system: the WiFi time purchase kiosks located inside an International Airport. We will analyze the repercussions of the attack, focusing on the exposure of sensitive traveler information, along with the ability to perform privileged actions such as cashing out money from the kiosks. Our experience with contacting the airport's security will also be discussed.
Utilizing this attack, our team seized the opportunity to recreate the environment on which it took place in order to test a proof-of-concept malware targeting such PoS infrastucture. A step by step guide of the way our malware, named the "Travelers' Spy", exploits the available kiosk modules will be provided. The web camera and the barcode scanner are some of the modules exploited in a combination with memory scrapping to create a unique targeted malware that attacks travelers. Furthermore, a unique command channel for our malware will be introduced through specially crafted Aztec Code images posing as e-tickets. We will also release a newly developed barcode cloning and fuzzing mobile app for Android devices (the "Aztec Revenge" tool).
The tool implements a number of attacks, from simply cloning stolen e-tickets to issuing commands to our malware. "Aztec Revenge" can also be used by security researchers and penetration testers in order to fuzz barcode scanners and the web services behind them to expose security bugs. Finally, a combined attack using both the "Travelers' Spy" malware and the "Aztec Revenge" tool will be presented.