Hacking SAP POS systems with a $25 Raspberry Pi

A $25 Raspberry Pi or similar tiny PCs could be used to hack SAP POS systems due to a critical vulnerability.

SAP POS is client-server technology that belongs to the SAP for Retail line-up, it is widely adopted, it has been estimated that it is used by 80 per cent of the retailers in the Forbes Global 2000.

The discovery was made by researchers at firm ERPScan that presented the hack at the Hack in the Box hacking conference held in Singapore last week.

The attackers can exploit the vulnerability to steal customer’s card data and gain full control over the server.

“Once you are in, you have unlimited control over the backend and front-end of the POS system, as the tool can upload a malicious configuration file on the SAP POS Xpress Server without any authentication procedure.” reads a security advisory published by ERPScan.

“New parameters are limited by hackers’ imagination: they can set special price or discount, the time the discount is valid, the conditions under which it works – for example, when purchasing a specific product. In our case, we set up an incredible discount to a MacBook.”

Attackers can provide Xpress Server new settings and apply them by sending certain commands to the Xpress server so that it restarts a POS terminal. Then the PoS terminal downloads the attacker’s configurations and applies them.

The company reported the issue to SAP in April, according to the experts the SAP POS Xpress Server fails the authentication checks for critical functionality.

This means that privileged functions could be accessed without any authentication.

“The vulnerabilities enable remote starting and stopping POS terminals,” states the analysis from ERPScan. “An attacker can remotely turn off all POS terminals within a merchant. Such DoS attack can be very costly for big retailers.”

The vulnerability could be exploited to record credit card number data and send them directly to a hacker’s server.

Unfortunately, similar problems affect many POS systems with equivalent architectures.

All vulnerabilities in SAP POS Retail Xpress Server have been addressed by SAP, organizations need to install the appropriate patches (SAP Security Note 2476601 and SAP Security Note 2520064) as soon as possible to protect their systems.

[adrotate banner=”9″]
Pierluigi Paganini(Security Affairs – SAP POS, hacking)[adrotate banner=”12″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.