Shenzhen HCC Technology MPOS M6 PLUS Cleartext Transmission of Cardholder Data Vulnerability
Vulnerability
A vulnerability exists in the Shenzhen HCC Technology MPOS M6 PLUS version 1V.31-N, where the device's Cardholder Data Handler component transmits complete cardholder information in cleartext over Bluetooth. This unencrypted data includes the full Primary Account Number (PAN), Track 2 equivalent data, cardholder name, and expiration date. Such a transmission violates multiple PCI-DSS requirements and allows for passive data collection, potentially leading to card cloning and fraud. The vulnerability requires access to the local network and is considered complex to exploit, although an exploit is available.
Impact
Exploitation of this vulnerability allows for the interception of sensitive cardholder data, including full PAN, Track 2 data, cardholder name, and expiration date, all transmitted in cleartext. This exposure facilitates card cloning, online fraud, and identity theft.
Reproduction
The vulnerability can be reproduced by sending transaction commands to the MPOS M6 PLUS terminal via Bluetooth. The terminal will respond by transmitting unencrypted cardholder data, including the full PAN, Track 2 equivalent data, cardholder name, and expiration date, in cleartext hexadecimal format.
Remediation
It is recommended to implement application-layer encryption for Bluetooth communications, remove sensitive data tags from responses, and mask the PAN by transmitting only the last four digits. However, the best practice would be to apply end-to-end encryption, ensuring full PCI-DSS compliance.
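The tag-removal and PAN-masking steps above can be sketched as a response filter that runs before anything is sent over Bluetooth. This is an added example, not the vendor's code: it assumes the response is EMV-style BER-TLV with the standard tags 5A (PAN), 57 (Track 2 equivalent), 5F20 (cardholder name) and 5F24 (expiration date), which the advisory does not confirm, and the names `parse_tlv`, `encode_tlv` and `sanitize` are hypothetical.

```python
# Added example. EMV tag numbers are an ASSUMPTION about the device's format.
DROP = {bytes.fromhex(t) for t in ("57", "5F20", "5F24")}  # Track 2, name, expiry
PAN_TAG = bytes.fromhex("5A")

def parse_tlv(data):
    """Yield (tag, value) pairs; raise ValueError on malformed input."""
    i = 0
    try:
        while i < len(data):
            start, i = i, i + 1
            if data[start] & 0x1F == 0x1F:       # multi-byte tag
                while data[i] & 0x80:
                    i += 1
                i += 1
            tag, length, i = data[start:i], data[i], i + 1
            if length & 0x80:                    # long-form length
                n = length & 0x7F
                length = int.from_bytes(data[i:i + n], "big")
                i += n
            if i + length > len(data):
                raise ValueError("truncated TLV value")
            yield tag, data[i:i + length]
            i += length
    except IndexError:
        raise ValueError("truncated TLV header") from None

def encode_tlv(tag, value):
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return tag + head + value

def sanitize(data):
    """Drop sensitive tags, keep only the PAN's last four digits; fail closed."""
    out = b""
    for tag, value in parse_tlv(data):
        if tag in DROP:
            continue
        if tag == PAN_TAG:
            digits = value.hex().upper().rstrip("F")   # strip BCD padding
            value = bytes.fromhex(digits[-4:].rjust(4, "0"))
        elif tag[0] & 0x20:                      # constructed tag: recurse
            value = sanitize(value)
        out += encode_tlv(tag, value)
    return out

# Constructed sample response using a test PAN, not real cardholder data.
SAMPLE = bytes.fromhex("5A084111111111111111" "5F2008444F452F4A414E45" "5F2403251231"
                       "57104111111111111111D25121010000000F" "9F0206000000001000")
```

Filtering of this kind limits what a passive listener can collect but does not replace encrypting the link, since the remaining fields still travel in cleartext.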
