Press Release

MWR InfoSecurity Creates First Fully Automated EMV Fuzzing Solution

Automated security evaluation helps eliminate potential vulnerabilities from terminal-smartcard authentication procedures.

Cyber security consultancy MWR InfoSecurity today confirmed its research team has taken the first step towards creating a fully automated EMV fuzzing solution for POS and ATM transactions. As vulnerabilities can be introduced into the terminal-smartcard authentication procedure [during development], there is a need for structured and formal security evaluation to eliminate unexploited threats that exist in current devices used world-wide.

The Europay, MasterCard and Visa (EMV) standard, more commonly known as ‘Chip and Pin’, is used primarily by banks across the globe as the de facto industry standard for authenticating smartcard transactions. MWR Labs’ PinPadPwn research in 2012 demonstrated that many EMV payment terminals can easily be compromised with malicious payment cards, casting serious doubts on the security integrity of modern EMV-enabled devices. At that time, the process of identifying these vulnerabilities was cumbersome, time-consuming and extremely difficult to repeat for developers, security testers and customers of card payment equipment.

Building on this previous research, MWR Labs’ latest EMV protocol fuzzer combines both hardware and software to evaluate the security integrity of a device under test (DUT):

  • Hardware has been designed that includes a robotic arm which automates insertion and retraction of the emulated smart card by means of a linear actuator, interfaces with a computer via USB and provides abstraction to the EMV communication stream
  • A Python interface has been developed to facilitate control of the EMV fuzzer, in effect allowing on-the-fly monitoring and emulation of an EMV stream with the DUT
  • Various predefined security tests formalise the security evaluation procedure

The proposed design is ready to be interfaced with a fuzzing algorithm to create a fully automated EMV fuzzing solution.

“Although the standard-defining EMV is in principle secure, our previous research proved that vulnerabilities can be introduced into the terminal-smartcard authentication procedure. So there is an urgent need to develop a structured and formal security evaluation approach to eliminate these potential vulnerabilities”, explains Nils, Security Researcher at MWR InfoSecurity, who undertook the original 2012 PinPadPwn research at MWR InfoSecurity.

He continues: “In order to ensure the security integrity of an EMV-enabled terminal, we need to test it against a multitude of response vectors which have not been accounted for in the design stages. My colleague, Piotr, put a lot of effort into addressing the shortcomings from our 2012 research to help create this exceptionally-complex, yet automated EMV fuzzing solution. It can test target terminals, without knowing the source code of the EMV kernel, for potential vulnerabilities in a fast, controlled and reproducible manner – ensuring the security of a device before it is released. I am excited by the potential impact this research will have on the security of EMV protocol implementations which are key to the security of card payment systems all over the world.”

As EMV is based on the ISO 7816 standard, which secures inter-operation between smartcards and associated terminals, this fuzzing research can also be applied to other implementations where smartcards are used – such as subscriber identity modules (SIMs) and DTV decoders.
