SAP and Oracle point-of-sale systems contain vulnerabilities, according to ERPScan researchers Dmitry Chastuhin and Vladimir Egorov.
Vulnerabilities in point-of-sale systems developed by business technology majors SAP and Oracle allow attackers to compromise customers' data and gain control over the POS server.
SAP POS is a part of the SAP for Retail solution, which serves 80 percent of the retailers in the Forbes Global 2000.
ERPScan researchers Dmitry Chastuhin and Vladimir Egorov said the SAP POS system's server (Xpress server) suffers from missing authorization checks. The flaws allow attackers to eavesdrop on and steal credit card numbers. Because of these vulnerabilities, an attacker can reach every legitimate function of the system, such as changing prices or remotely starting and stopping terminals.
A video prepared by ERPScan demonstrates that using a Raspberry Pi, a device which costs only $25, a hacker can access the network where the POS terminal is located and install malware designed to set a significant discount.
ERPScan reported the vulnerabilities to the vendor in April 2017. SAP released the first patch in July according to its release schedule.
ERPScan researchers examined the fix and found that the newly implemented authorization check could be bypassed by using another vulnerability. ERPScan works closely with SAP and notified the software maker about the failed patch on August 15. SAP issued a patch in less than a week, on August 18.
ERPScan also examined other POS solutions including MICROS from Oracle.
“Many POS systems have similar architecture and thus the same vulnerabilities. POS terminals used to be plagued with vulnerabilities as myriads of them were found and, unfortunately, exploited, so their security posture has improved significantly,” said Dmitry Chastuhin, one of the researchers who identified the vulnerabilities.
ERPScan said the connections between the POS workstation and the store server turn out to be the weakest link. They lack the basics of cybersecurity – authorization procedures and encryption – and nobody cares about it.