Incident: ATM and Point-of-Sale Systems Vulnerable to NFC Exploits

Published Date: 2021-06-24

Postmortem Analysis
Timeline 1. The researcher found the bugs and reported them to the affected vendors between seven months and a year before the article was published [115571]. 2. Published on 2021-06-24, so the discovery and vendor notification fall roughly between mid-2020 and late 2020.
System 1. Near-field communications (NFC) reader chips used in ATMs and point-of-sale systems [115571]
Responsible Organization 1. The vendors of the affected NFC readers and terminals, whose firmware contained the bugs: ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS and Nexgo [115571]. 2. The bugs were found and reported by security researcher and consultant Josep Rodriguez of security firm IOActive [115571].
Impacted Organization 1. Operators of the millions of ATMs and point-of-sale terminals worldwide that run the affected vendors' NFC reader firmware [115571].
Software Causes 1. The near-field communications reader firmware used in ATMs and point-of-sale terminals does not validate the size of the data packet (application protocol data unit, or APDU) sent to it, so a crafted APDU from an NFC-enabled phone triggers a buffer overflow that corrupts the device's memory and lets the attacker run his own code [115571]. 2. From that foothold the researcher could crash devices, collect and transmit credit card data, change transaction values, display ransomware messages and, combined with additional bugs in the ATM's own software, jackpot at least one brand of ATM [115571].
Non-software Causes 1. Patching practice: many point-of-sale terminals and ATMs do not receive consistent software updates, and applying a vendor fix to hundreds of thousands of ATMs requires physically updating each machine, so reader firmware with known bugs stays deployed for years [115571].
Impacts 1. The software failure incident allowed the researcher to exploit vulnerabilities in NFC systems to crash point-of-sale devices, collect and transmit credit card data, change transaction values, and display ransomware messages [115571]. 2. The incident enabled the researcher to force at least one brand of ATMs to dispense cash through a "jackpotting" hack, although this required additional bugs in the ATMs' software [115571]. 3. The vulnerabilities discovered by the researcher highlighted the lack of consistent patching in many point-of-sale terminals and ATMs, leaving these devices vulnerable to exploitation [115571]. 4. The incident raised concerns about the security of embedded devices handling sensitive financial information, emphasizing the need for better security measures in such devices [115571].
Preventions 1. Regular software updates and patching of ATMs and point-of-sale terminals would have closed the vulnerabilities once the vendors issued fixes, instead of leaving many devices unpatched [115571]. 2. Validating the size of the data packet (application protocol data unit, or APDU) sent via NFC from a card to the reader, before copying it into memory, would have removed the buffer overflow the researcher exploited [115571]. 3. Exploit mitigations in the NFC reader firmware that prevent code execution even when a memory-corruption bug is reached would have reduced the impact of the remaining bugs [115571].
Fixes 1. Issue and deploy firmware updates for the NFC readers, with a process for regularly updating the terminals and ATMs that carry them [115571]. 2. Validate the size of each data packet received via NFC against the buffer it is copied into, rejecting oversized packets rather than overflowing [115571]. 3. Add security mitigations that prevent code execution on devices affected by the buffer overflow technique [115571].
References 1. Josep Rodriguez, researcher and consultant at security firm IOActive [115571] 2. Karsten Nohl, founder of security firm SRLabs [115571] 3. Ang Cui, CEO and chief scientist of Red Balloon Security [115571]
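As an added worked example (not code from the article, and not the firmware of any vendor named on this page), the following C program models the defect behind the Preventions and Fixes items above and the APDU-triggered buffer overflow described in the Phase row of the taxonomy: a reader that copies an incoming short-form APDU's data field into a fixed buffer using the attacker-supplied Lc byte as the copy length, beside a hardened parser that bounds Lc both by the buffer size and by the number of bytes actually received. The 64-byte command buffer, the adjacent transaction-amount field, the 512-byte flat memory image and the sample APDU (a SELECT header with Lc = 200 and 0x41 filler) are assumptions constructed for the example, not details of any real reader.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
/* Assumed memory layout of a contactless reader (constructed for this example,
 * not taken from any vendor): a 64-byte APDU command-data buffer immediately
 * followed by a field the firmware trusts, the transaction amount in cents.
 * One flat array models the RAM so every simulated overflow stays inside it. */
#define CMD_DATA_MAX 64u
#define CMD_DATA_OFF 0u
#define AMOUNT_OFF   (CMD_DATA_OFF + CMD_DATA_MAX)
#define RAM_SIZE     512u                  /* larger than any Lc (255), so Lc=255 stays in bounds */
#define APDU_HDR_LEN 4u                    /* CLA INS P1 P2 */
#define FRAME_MAX    (APDU_HDR_LEN + 1u + 255u + 1u)

enum { APDU_OK = 0, APDU_ERR_SHORT = -1, APDU_ERR_LC_TOO_LARGE = -2,
       APDU_ERR_TRUNCATED = -3, APDU_ERR_EXTENDED = -4 };

static void ram_init(uint8_t *ram, uint32_t amount_cents) {
    memset(ram, 0, RAM_SIZE);
    memcpy(ram + AMOUNT_OFF, &amount_cents, sizeof amount_cents);
}

static uint32_t ram_amount(const uint8_t *ram) {
    uint32_t v;
    memcpy(&v, ram + AMOUNT_OFF, sizeof v);
    return v;
}

/* Vulnerable parser: the Lc byte supplied by the card (or phone) is used as the
 * copy length without being compared to the buffer it is copied into. */
int parse_apdu_vulnerable(uint8_t *ram, const uint8_t *frame, size_t frame_len) {
    if (frame_len < APDU_HDR_LEN + 1u) return APDU_ERR_SHORT;
    size_t lc = frame[APDU_HDR_LEN];
    memcpy(ram + CMD_DATA_OFF, frame + APDU_HDR_LEN + 1u, lc);  /* overflows when lc > 64 */
    return APDU_OK;
}

/* Hardened parser for short-form APDUs: Lc is bounded by the buffer size and
 * by the number of bytes actually received (Lc data bytes, optional Le byte). */
int parse_apdu_hardened(uint8_t *ram, const uint8_t *frame, size_t frame_len) {
    if (frame_len < APDU_HDR_LEN) return APDU_ERR_SHORT;
    if (frame_len <= APDU_HDR_LEN + 1u) return APDU_OK;   /* case 1/2: no data field */
    size_t lc = frame[APDU_HDR_LEN];
    if (lc == 0) return APDU_ERR_EXTENDED;          /* 0x00 here means extended length */
    if (lc > CMD_DATA_MAX) return APDU_ERR_LC_TOO_LARGE;
    size_t body = frame_len - APDU_HDR_LEN - 1u;
    if (body != lc && body != lc + 1u) return APDU_ERR_TRUNCATED;
    memcpy(ram + CMD_DATA_OFF, frame + APDU_HDR_LEN + 1u, lc);
    return APDU_OK;
}

/* Constructed command APDU: SELECT header 00 A4 04 00, then Lc and Lc copies of fill. */
size_t build_apdu(uint8_t *out, size_t out_len, uint8_t lc, uint8_t fill) {
    static const uint8_t hdr[APDU_HDR_LEN] = {0x00, 0xA4, 0x04, 0x00};
    size_t n = APDU_HDR_LEN + 1u + lc;
    if (out_len < n) return 0;
    memcpy(out, hdr, APDU_HDR_LEN);
    out[APDU_HDR_LEN] = lc;
    memset(out + APDU_HDR_LEN + 1u, fill, lc);
    return n;
}

/* One constructed APDU with the given Lc through the vulnerable parser;
 * returns the trusted amount afterwards (1999 if it survived). */
uint32_t amount_after_vulnerable_lc(uint8_t lc) {
    uint8_t ram[RAM_SIZE], frame[FRAME_MAX];
    ram_init(ram, 1999u);
    size_t n = build_apdu(frame, sizeof frame, lc, 0x41);
    (void)parse_apdu_vulnerable(ram, frame, n);
    return ram_amount(ram);
}

/* Same APDU through the hardened parser: its result code, or -99 if the
 * amount field was modified at all. */
int hardened_result_for_lc(uint8_t lc) {
    uint8_t ram[RAM_SIZE], frame[FRAME_MAX];
    ram_init(ram, 1999u);
    size_t n = build_apdu(frame, sizeof frame, lc, 0x41);
    int rc = parse_apdu_hardened(ram, frame, n);
    return ram_amount(ram) == 1999u ? rc : -99;
}

/* A constructed frame that claims Lc=10 but carries only 5 data bytes. */
int hardened_truncated_result(void) {
    static const uint8_t frame[] = {0x00, 0xA4, 0x04, 0x00, 0x0A, 1, 2, 3, 4, 5};
    uint8_t ram[RAM_SIZE];
    ram_init(ram, 1999u);
    return parse_apdu_hardened(ram, frame, sizeof frame);
}

int main(void) {
    printf("vulnerable, Lc=16:  amount=%u\n", (unsigned)amount_after_vulnerable_lc(16));
    printf("vulnerable, Lc=200: amount=0x%08x\n", (unsigned)amount_after_vulnerable_lc(200));
    printf("hardened,   Lc=200: rc=%d\n", hardened_result_for_lc(200));
    printf("hardened,   truncated frame: rc=%d\n", hardened_truncated_result());
    return 0;
}
```

With Lc = 200 the vulnerable parser writes 0x41 over the amount field (it reads back as 0x41414141), which is the memory corruption the article describes one step before code execution; the hardened parser returns APDU_ERR_LC_TOO_LARGE and leaves memory untouched. The hardened version rejects rather than truncates an oversized Lc, because silently copying the first 64 bytes would let a crafted packet be processed as if it were valid.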

Software Taxonomy of Faults

Category Option Rationale
Recurring multiple_organization (a) The software failure incident related to hacking ATMs and point-of-sale terminals using NFC vulnerabilities has affected multiple organizations. The affected vendors include ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, and Nexgo [115571]. (b) The software failure incident has also been reported to have occurred at various organizations, including those providing point-of-sale systems and ATMs. The vulnerabilities in the NFC systems' firmware were found in millions of ATMs and point-of-sale systems worldwide, indicating a widespread impact across different organizations [115571].
Phase (Design/Operation) design, operation (a) The incident is rooted in the design phase. The near-field communications (NFC) reader chips used in ATMs and point-of-sale systems worldwide run firmware that does not validate the size of the data packets it receives. Using a custom app to send a carefully crafted application protocol data unit (APDU) from his NFC-enabled Android phone, Josep Rodriguez triggered a "buffer overflow," a software vulnerability that corrupted the target device's memory and allowed him to run his own code [115571]. (b) The operation phase also contributed. The vulnerabilities were reported to vendors months before publication and several vendors issued fixes, but many point-of-sale terminals and ATMs are not patched consistently, and updating hundreds of thousands of ATMs requires a physical visit to each machine, so devices in the field keep running firmware in which the crash, card-data theft, transaction-value change, ransomware-message and cash-dispensing attacks remain possible [115571].
Boundary (Internal/External) within_system (a) The software failure incident described in the article is primarily within_system. The failure was caused by a collection of bugs found by a researcher that allowed him to hack ATMs and point-of-sale terminals by exploiting vulnerabilities in the near-field communications reader chips used in these systems [115571]. The vulnerabilities in the NFC systems' firmware allowed the researcher to crash point-of-sale devices, collect and transmit credit card data, change transaction values, display ransomware messages, and even force ATMs to dispense cash [115571]. The failure originated from within the system itself, highlighting the importance of securing embedded devices that handle sensitive financial information.
Nature (Human/Non-human) non-human_actions, human_actions (a) The failure is primarily attributed to non-human actions: the buffer-overflow bugs are latent defects in the NFC reader firmware that have been present for years, and they are triggered by a crafted APDU arriving over the NFC interface, with no operator involvement on the device side [115571]. (b) Human actions also shape the incident: Rodriguez deliberately searched for the vulnerabilities and reported them to the affected vendors between seven months and a year before publication, and the inconsistent patching of deployed devices that he highlighted is an operational choice made by the organizations running them [115571].
Dimension (Hardware/Software) hardware, software (a) The hardware dimension is the attack surface: the near-field communications (NFC) reader chips built into ATMs and point-of-sale terminals accept data from any NFC device held against them, including Rodriguez's Android phone running a custom app [115571]. The reader hardware behaved as designed; what it exposed was the firmware that parses incoming APDUs. (b) The defect itself is software: the firmware on those reader chips does not validate the size of an incoming APDU, so a crafted packet triggers a buffer overflow that corrupts the device's memory and lets the attacker run his own code. These firmware vulnerabilities have persisted for years and are what allow attackers to crash point-of-sale devices, collect and transmit credit card data, change transaction values, display ransomware messages and potentially force ATMs to dispense cash [115571].
Objective (Malicious/Non-malicious) malicious (a) The failure mode is malicious in nature: the vulnerabilities are exploited by deliberately sending crafted data packets to the NFC reader, and the resulting capabilities (crashing devices, collecting credit card data, changing transaction values, displaying ransomware messages, forcing ATMs to dispense cash through a "jackpotting" hack) are exactly what a criminal would use them for [115571]. (b) The actual incident, however, was security research rather than an attack: Rodriguez reported the bugs to the vendors months before publication and withheld details of the ATM jackpotting exploit under nondisclosure agreements, and the underlying defect, a missing size check that produces a buffer overflow, was introduced unintentionally [115571].
Intent (Poor/Accidental Decisions) accidental_decisions [115571] The failure traces to accidental decisions by the vendors and manufacturers of the affected systems rather than deliberate trade-offs: the NFC reader firmware omitted validation of the size of incoming data packets, leaving buffer-overflow vulnerabilities in place for years. Vendor responses varied; some acknowledged the issues and issued fixes, while others downplayed their severity or said they had already been addressed. The incident highlights the inconsistent patching and security practices of embedded devices that handle sensitive financial information [115571].
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The incident reflects development incompetence. A collection of bugs found by a researcher allowed him to hack ATMs and point-of-sale terminals in a new way through their near-field communications reader chips [115571]. The vulnerabilities in the NFC reader firmware let him crash point-of-sale devices, collect and transmit credit card data, change transaction values, display ransomware messages and even force ATMs to dispense cash. That a flaw as basic as an unchecked buffer size lingered in firmware for years, in widely used devices handling sensitive financial information, points to inadequate secure-development practice. The affected vendors were alerted months to a year before publication, but the sheer number of affected systems and the lack of regular software updates for many devices leave them vulnerable [115571]. (b) The failure also has an accidental element: the missing size check is an oversight rather than a deliberate design choice, and the same defect turned up in readers and point-of-sale devices from several vendors that Rodriguez bought on eBay while deliberately exploring whether ATMs' contactless card readers could serve as an in-road to hacking them [115571]. That a single overlooked check recurred across so many commonly used devices shows the risk posed by such flaws in equipment handling sensitive financial information.
Duration temporary The software failure incident described in the article is more aligned with a temporary failure rather than a permanent one. The vulnerabilities discovered by the researcher, Josep Rodriguez, allowed him to exploit flaws in the NFC systems' firmware to crash point-of-sale devices, collect and transmit credit card data, change transaction values, and even display ransomware messages. These vulnerabilities were due to specific circumstances such as the lack of validation of data packet sizes, triggering a buffer overflow, and running unauthorized code on the target devices [115571]. The temporary nature of this failure is evident in the fact that the vulnerabilities can be patched by implementing fixes issued by the affected vendors, although the process of physically updating hundreds of thousands of ATMs poses a significant challenge [115571].
Behaviour crash, value, other (a) crash: The software failure incident described in the article involves crashing point-of-sale devices and ATMs by exploiting vulnerabilities in the NFC systems' firmware. The researcher, Josep Rodriguez, was able to crash point-of-sale devices, lock them with a ransomware message, and even cause ATMs to display error messages by waving his smartphone over the NFC reader [115571]. (b) omission: The software failure incident does not specifically mention any instances where the system omitted to perform its intended functions at a particular instance. (c) timing: The software failure incident does not involve timing issues where the system performed its intended functions either too late or too early. (d) value: The software failure incident includes instances where the system performed its intended functions incorrectly. For example, Rodriguez was able to exploit bugs to change the value of transactions, modify firmware to change prices, and collect and transmit credit card data [115571]. (e) byzantine: The software failure incident does not exhibit behaviors of inconsistent responses or interactions that would classify it as a byzantine failure. (f) other: The software failure incident involves various behaviors not explicitly covered in the options provided, such as exploiting buffer overflows, corrupting memory, running custom code, and potentially gaining control over the ATM's cash dispenser [115571].

IoT System Layer

Layer Option Rationale
Perception embedded_software (a) sensor: The failure is an embedded software error rather than a sensor error. It arose from vulnerabilities in the firmware of the near-field communications (NFC) reader chips used in ATMs and point-of-sale systems, which the researcher exploited [115571]. (b) actuator: The article does not report any actuator error. The focus is on vulnerabilities in the NFC reader chips and the exploitation of flaws in the firmware of ATMs and point-of-sale systems. (c) processing_unit: The processing unit was not at fault; it executed the attacker's code only because the firmware handed it corrupted memory. The exploited vulnerability was a "buffer overflow," a software bug that corrupts a target device's memory and allows the hacker to run their own code [115571]. (d) network_communication: The NFC link carried the attack but functioned as designed, so this was not a communication error. The carefully crafted application protocol data unit (APDU) sent from the researcher's NFC-enabled Android phone by a custom app was delivered correctly and then mishandled by the firmware that parsed it, triggering the buffer overflow [115571]. (e) embedded_software: The failure is directly an embedded software error. The vulnerabilities were present in the firmware of the NFC reader chips used in ATMs and point-of-sale systems and allowed attacks including crashing point-of-sale devices, collecting and transmitting credit card data, changing transaction values and jackpotting ATMs [115571].
Communication link_level The failure described in the article [115571] enters the cyber-physical system through its communication layer, at the link level: the NFC link between the reader and whatever is presented to it, normally a contactless card but here a phone running a custom app. The reader firmware that terminates this link does not validate the size of the data packets it receives, so a crafted APDU sent over the link corrupts the reader's memory and lets the attacker run code, leading to crashed point-of-sale devices, stolen card data, altered transaction values and, combined with additional bugs in the ATM's own software, jackpotting by manipulating the reader's communication with the ATM's computer [115571]. The link itself is not broken; the failure is that the endpoint trusts what arrives over it, which is how a flaw reachable from the link level becomes a system-wide security risk.
Application TRUE The software failure incident described in the article [115571] is related to the application layer of the cyber physical system. The failure was caused by a collection of bugs that allowed a researcher to hack ATMs and point-of-sale terminals by exploiting vulnerabilities in the near-field communications reader chips used in these systems. The researcher was able to crash point-of-sale devices, collect and transmit credit card data, change transaction values, display ransomware messages, and even force ATMs to dispense cash by exploiting flaws in the NFC systems' firmware. This incident aligns with the definition of an application layer failure due to bugs and vulnerabilities in the software application itself.

Other Details

Category Option Rationale
Consequence property, theoretical_consequence (d) property: People's material goods, money, or data was impacted due to the software failure. The vulnerabilities discovered by researcher Josep Rodriguez allowed exploitation of flaws in the NFC reader firmware to collect and transmit credit card data, change transaction values, and lock devices while displaying ransomware messages, putting users' money and financial information at risk. The incident also showed that ATMs could be forced to dispense cash through a "jackpotting" hack, although details of that exploit were not publicly disclosed because of nondisclosure agreements with ATM vendors [115571]. (h) theoretical_consequence: The article describes a researcher's proof-of-concept demonstrations rather than losses suffered by real users; the attacks were demonstrated by Rodriguez and reported to the vendors, so the monetary and data impacts are demonstrated possibilities rather than recorded harm [115571].
Domain finance (a) The failed system was related to the finance industry, specifically affecting ATMs and point-of-sale terminals used for financial transactions [115571].
