The researchers have not yet fully investigated all attack vectors, but they believe it could also be possible to compromise mPOS devices from a smartphone infected with malware. In at least one case they found issues with a vendor's mobile application that suggest such an attack is possible.
It might also be possible to attack the smartphone from a compromised mPOS device and then upload the captured data over the phone's Internet connection. However, testing this could affect the vendor's back-end systems, so for legal reasons the researchers didn't look further into it.
Despite the issues found, Butler thinks that mobile POS devices like the ones his team tested have the potential to be more secure than traditional POS devices. They're simple devices and there's not much that can go wrong if the implementation is done right, following security best practices.
One of the advantages they have is that they are theoretically easy to update. The vendor can push an update through the mobile app which then pushes it to the paired mPOS device over Bluetooth. The updates are digitally signed, so they cannot be tampered with.
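The update path described above only holds if the device, not the phone relaying the update, does the checking. As an added illustration (not code from the article or from any vendor named in it), the constructed frame layout below is a version header, the firmware image and an Ed25519 signature; the device verifies against a vendor public key it already holds and, going one step beyond the text, also rejects replays of older signed images.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame layout (constructed for this example): 4-byte big-endian version,
// firmware image bytes, then a 64-byte Ed25519 signature over version||image.
const headerLen = 4

// signUpdate is the vendor-side step; the private key stays on the vendor's
// build server and never reaches the phone or the device.
func signUpdate(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	frame := make([]byte, headerLen, headerLen+len(image)+ed25519.SignatureSize)
	binary.BigEndian.PutUint32(frame, version)
	frame = append(frame, image...)
	return append(frame, ed25519.Sign(priv, frame)...)
}

// verifyUpdate is the device-side step. The phone is only an untrusted relay:
// acceptance depends solely on the vendor public key baked into the device,
// plus a version check so an attacker cannot replay an older signed image.
func verifyUpdate(pub ed25519.PublicKey, frame []byte, installed uint32) ([]byte, error) {
	if len(frame) < headerLen+1+ed25519.SignatureSize {
		return nil, errors.New("frame too short")
	}
	cut := len(frame) - ed25519.SignatureSize
	signed, sig := frame[:cut], frame[cut:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, errors.New("signature check failed, update rejected")
	}
	if v := binary.BigEndian.Uint32(signed); v <= installed {
		return nil, fmt.Errorf("version %d is not newer than installed %d", v, installed)
	}
	return signed[headerLen:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	frame := signUpdate(priv, 2, []byte("constructed firmware image v2"))
	_, err := verifyUpdate(pub, frame, 1)
	fmt.Println("genuine update accepted:", err == nil)
	tampered := append([]byte(nil), frame...)
	tampered[headerLen] ^= 0x01 // flip one bit of the image in transit
	_, err = verifyUpdate(pub, tampered, 1)
	fmt.Println("tampered update rejected:", err != nil)
}
```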
However, vendors should stop viewing chip-enabled cards as part of a trusted system, Butler said. It's not like every card that can be inserted into one of these devices has been freshly issued by a bank, he said.