Shenzhen HCC Technology MPOS M6 PLUS Bluetooth Authentication Replay Vulnerability
Vulnerability
A vulnerability exists in the Shenzhen HCC Technology MPOS M6 PLUS version 1V.31-N, specifically within the Bluetooth Handler component. It allows authentication bypass through a capture-replay attack: legitimate Bluetooth commands sent to the terminal can be intercepted and replayed, and the terminal processes each replayed copy as a new transaction. The root cause is the absence of any freshness check on incoming commands (no nonce, no monotonic counter, no timestamp window), so the terminal cannot distinguish a replayed command from an original one. Exploitation requires an attacker within Bluetooth radio range of the terminal (adjacent network access in CVSS terms) and the ability to capture and retransmit the Bluetooth traffic, which is rated as high attack complexity.
Impact
Exploitation of this vulnerability leads to duplicate transactions: a single approved transaction can be replayed and processed multiple times without detection by the terminal, potentially causing significant financial loss to the cardholder or merchant.
Reproduction
To reproduce this vulnerability, capture a legitimate Bluetooth transaction with a sniffer placed within radio range of the MPOS terminal. Once the transaction command is captured, retransmit it to the terminal, which processes it as a new transaction. Because the terminal performs no replay check, the same captured command can be retransmitted repeatedly, and each copy is accepted.
Remediation
It is recommended that the manufacturer implement standard anti-replay mechanisms: a terminal-issued single-use nonce (challenge-response), a monotonic transaction counter, and/or timestamp validation within a tight window. The freshness value must be cryptographically bound to the command (for example by a MAC computed under a key established at pairing); a nonce or counter that is merely included in the frame, but not authenticated, can simply be rewritten by the attacker along with the rest of the replayed command.
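The following is an added illustration, not code from the advisory or from the vendor: a simulated terminal command handler with the vulnerable behaviour (any well-formed frame is accepted, so a captured frame replays) beside a hardened handler that issues a single-use nonce, tracks a monotonic counter and binds both to the command with an HMAC. The frame layout, the SALE command type, the shared key and the helper names are all hypothetical stand-ins; the real M6 PLUS wire format is not documented on this page.

```python
"""Replay demo: simulated MPOS command handler, vulnerable vs hardened.

Added example; the wire format below is a constructed stand-in, not the
real M6 PLUS protocol.
"""
import hashlib
import hmac
import os
import struct

CMD_SALE = 0x01  # hypothetical command type for a sale
TAG_LEN = 32     # HMAC-SHA256 tag length


def build_sale_frame(amount_cents: int) -> bytes:
    """Unauthenticated frame: type(1) amount(4). This is what the attacker sniffs."""
    return struct.pack(">BI", CMD_SALE, amount_cents)


class VulnerableTerminal:
    """Accepts any syntactically valid frame: no nonce, no counter, no MAC."""

    def __init__(self):
        self.ledger = []

    def handle(self, frame: bytes) -> bool:
        if len(frame) != 5:
            return False
        cmd, amount = struct.unpack(">BI", frame)
        if cmd != CMD_SALE:
            return False
        self.ledger.append(amount)  # a replayed frame lands here again
        return True


class HardenedTerminal:
    """Requires a terminal-issued nonce and a monotonic counter, bound by HMAC."""

    def __init__(self, key: bytes):
        self.key = key  # hypothetical key established at pairing
        self.ledger = []
        self.expected_counter = 0
        self.outstanding_nonce = None

    def challenge(self) -> bytes:
        """Issue a fresh, single-use nonce before each transaction."""
        self.outstanding_nonce = os.urandom(16)
        return self.outstanding_nonce

    def handle(self, frame: bytes) -> bool:
        # Layout: type(1) amount(4) counter(4) nonce(16) tag(32)
        if len(frame) != 1 + 4 + 4 + 16 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Verify the MAC first so nonce/counter cannot be rewritten by the attacker.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        cmd, amount, counter = struct.unpack(">BII", body[:9])
        nonce = body[9:]
        if self.outstanding_nonce is None or not hmac.compare_digest(nonce, self.outstanding_nonce):
            return False  # stale or never-issued nonce: replay
        if counter != self.expected_counter:
            return False  # counter reuse: replay
        if cmd != CMD_SALE:
            return False
        # Consume the nonce and advance the counter only after every check passes.
        self.outstanding_nonce = None
        self.expected_counter += 1
        self.ledger.append(amount)
        return True


def build_authenticated_sale(key: bytes, amount_cents: int, counter: int, nonce: bytes) -> bytes:
    """Client side of the hardened protocol: frame body plus HMAC-SHA256 tag."""
    body = struct.pack(">BII", CMD_SALE, amount_cents, counter) + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()


def replay_against_vulnerable(amount_cents: int, replays: int) -> int:
    """Capture one legitimate frame, replay it `replays` times; return ledger size."""
    term = VulnerableTerminal()
    captured = build_sale_frame(amount_cents)  # constructed: the sniffed frame
    term.handle(captured)                      # the legitimate transaction
    for _ in range(replays):
        term.handle(captured)                  # every replay is accepted
    return len(term.ledger)


def replay_against_hardened(amount_cents: int, replays: int) -> tuple:
    """Same attack against the hardened handler; return (ledger size, rejected count)."""
    key = b"\x11" * 32  # hypothetical pre-shared key
    term = HardenedTerminal(key)
    captured = build_authenticated_sale(key, amount_cents, 0, term.challenge())
    term.handle(captured)                      # the legitimate transaction
    rejected = 0
    for _ in range(replays):
        term.challenge()                       # terminal issues a new nonce
        if not term.handle(captured):          # old nonce and old counter: rejected
            rejected += 1
    return len(term.ledger), rejected


if __name__ == "__main__":
    print("vulnerable ledger entries:", replay_against_vulnerable(1000, 4))
    print("hardened (entries, rejected):", replay_against_hardened(1000, 4))
```

The hardened handler checks the MAC before looking at the nonce or counter, so an attacker cannot patch a fresh nonce into a captured frame; the nonce is consumed on success and the counter must be persisted across reboots, or a power-cycled terminal would accept counter 0 again. A timestamp window, the other mechanism the advisory names, would replace the counter check with a bounded clock-skew comparison and needs a trustworthy clock on the terminal.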
