Shenzhen HCC Technology MPOS M6 PLUS Bluetooth Missing Authentication Vulnerability
Vulnerability
A vulnerability exists in the Shenzhen HCC Technology MPOS M6 PLUS version 1V.31-N, specifically within the Bluetooth component. This vulnerability arises from a complete lack of cryptographic authentication, allowing any Bluetooth device to inject arbitrary transaction commands. The only integrity check available is a simple single-byte XOR checksum, which can be easily manipulated. Exploitation of this vulnerability requires access to the local network and involves complex attack vectors.
Impact
Exploitation of this vulnerability allows unauthorized financial transactions to be processed on the affected device. It bypasses all authentication requirements, leading to a complete compromise of the device's transaction integrity. Additionally, the vulnerability allows for the extraction of sensitive data, including full cardholder information.
Reproduction
The vulnerability can be reproduced by connecting a Bluetooth adapter to a device within 10 meters of the target terminal. After establishing a connection, the attacker can craft a malicious command, calculate the necessary XOR checksum to bypass the integrity check, and send the command to the terminal. This process can be automated with a proof-of-concept exploit available on GitHub.
Remediation
It is recommended to implement HMAC-SHA256 for message authentication, migrate to TLS 1.3 for mutual authentication and encryption, or add device pairing validation, although the latter is weaker than cryptographic authentication.
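As an added illustration of the HMAC-SHA256 remediation (example code written for this page, not the vendor's firmware or the GitHub proof of concept), the frame layout, the counter field used for replay protection and the placeholder key are assumptions:

```python
import hashlib
import hmac
import struct

# Constructed placeholder key; a real deployment provisions a per-device
# secret at manufacture or enrolment, never one derived from the Bluetooth link.
DEVICE_KEY = bytes(range(32))
TAG_LEN = 32      # HMAC-SHA256 output length
COUNTER_LEN = 4   # big-endian frame counter, rejects replayed frames

def build_frame(key: bytes, counter: int, payload: bytes) -> bytes:
    """Authorised sender: counter || payload || HMAC-SHA256(key, counter || payload)."""
    body = struct.pack(">I", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify_frame(key: bytes, frame: bytes, last_counter: int) -> tuple:
    """Terminal side: return (counter, payload) or raise ValueError.
    A sender without the key cannot produce a valid tag, unlike the
    single-byte XOR checksum, which anyone can recompute."""
    if len(frame) < COUNTER_LEN + TAG_LEN:
        raise ValueError("frame too short")
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak the tag via timing.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    counter = struct.unpack(">I", body[:COUNTER_LEN])[0]
    if counter <= last_counter:
        raise ValueError("replayed or out-of-order frame")
    return counter, body[COUNTER_LEN:]

def accepted(frame: bytes, last_counter: int = 0) -> bool:
    try:
        verify_frame(DEVICE_KEY, frame, last_counter)
        return True
    except ValueError:
        return False

def demo() -> dict:
    """Run the checks against constructed frames (payload text is illustrative)."""
    genuine = build_frame(DEVICE_KEY, 1, b"SALE:1000")
    tampered = bytearray(genuine)
    tampered[COUNTER_LEN + 5] ^= 0x01          # alter the amount, keep the tag
    unauthorised = build_frame(b"wrong-key", 1, b"SALE:1000")
    return {
        "genuine_accepted": accepted(genuine),
        "tampered_rejected": not accepted(bytes(tampered)),
        "unauthorised_rejected": not accepted(unauthorised),
        "replay_rejected": not accepted(genuine, last_counter=1),
    }
```

The counter only stops replays if the terminal persists the last accepted value across resets; TLS 1.3, as the page also suggests, would additionally give confidentiality for the cardholder data in transit.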
