Researchers from security firm ERPScan uncovered critical missing-authorisation vulnerabilities in SAP POS, part of the SAP for Retail solution portfolio. The flaws let an attacker with access to the store network gain full control of all backend and frontend server functions, including reading full credit card numbers, changing prices and remotely starting and stopping terminals.
The SAP for Retail solution portfolio serves 80 per cent of the retailers in the Forbes Global 2000.
Working closely with SAP, ERPScan initially reported the vulnerabilities in April, and SAP issued its first patch on 11 July according to its release schedule. ERPScan then found that the newly implemented authorisation check could be bypassed using another vulnerability, which it reported to SAP on 15 August; SAP moved quickly and issued a new patch three days later.
The SAP POS system’s server, Xpress server, suffered from numerous missing authorisation checks, but the problem is not confined to SAP’s design. While banks adhere to strict compliance standards, the weak link in the chain is the connection between store servers and POS terminals, which lacks basic authorisation and encryption, according to ERPScan researchers Dmitry Chastuhin and Vladimir Egorov.
“Broadly speaking, it’s not a problem of SAP. Many POS systems have similar architecture and thus the same vulnerabilities,” said Chastuhin.
ERPScan produced a video showing how an attacker can use a $25 Raspberry Pi single-board computer, plugged into the network where the POS terminal sits, to install malware that applies a massive discount.
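To make the class of flaw concrete, the following is an added, illustrative example written for this page; it is not ERPScan’s or SAP’s code and does not model the real Xpress server protocol. It contrasts a store server that applies any price-change command arriving from the LAN (the missing-authorisation pattern the researchers describe, which is what a rogue Raspberry Pi on the store network exploits) with a hardened handler that requires each command to carry an HMAC tag under a per-terminal key and a sequence number against replay. The JSON command shape, the terminal identifiers and the shared secrets are all constructed for the example.

```python
"""Toy model of a POS store-server command handler, vulnerable and hardened.

Illustrative example for this article; not SAP code and not the Xpress
server protocol. All message formats, terminal ids and keys are made up.
"""
import hashlib
import hmac
import json

# Constructed in-memory state standing in for the store server's price book.
PRICE_BOOK = {"SKU-1001": 19.99, "SKU-2002": 4.50}

# Hypothetical per-terminal shared secrets (in practice provisioned securely).
TERMINAL_KEYS = {"POS-01": b"terminal-01-secret", "POS-02": b"terminal-02-secret"}


def vulnerable_handle(price_book, message):
    """Vulnerable pattern: trusts any JSON that reaches the server.

    Anyone on the store LAN (e.g. a Raspberry Pi plugged into a spare port)
    can rewrite prices; there is no authorisation check at all.
    """
    cmd = json.loads(message)
    if cmd["op"] == "set_price":
        price_book[cmd["sku"]] = float(cmd["price"])
        return "applied"
    return "unknown op"


class HardenedServer:
    """Hardened pattern: a command is accepted only if it carries an
    HMAC-SHA256 tag computed with the sending terminal's key over the
    terminal id, a sequence number and the command body. The sequence
    number must increase, so a captured valid message cannot be replayed."""

    def __init__(self, price_book, terminal_keys):
        self.price_book = price_book
        self.terminal_keys = terminal_keys
        self.last_seq = {t: 0 for t in terminal_keys}

    @staticmethod
    def sign(key, terminal, seq, body):
        # Tag covers terminal id, sequence and body so none can be swapped.
        data = f"{terminal}|{seq}|{body}".encode()
        return hmac.new(key, data, hashlib.sha256).hexdigest()

    def handle(self, envelope):
        env = json.loads(envelope)
        terminal, seq, body, tag = env["terminal"], env["seq"], env["body"], env["tag"]
        key = self.terminal_keys.get(terminal)
        if key is None:
            return "rejected: unknown terminal"
        expected = self.sign(key, terminal, seq, body)
        # Constant-time comparison: no byte-at-a-time timing oracle on the tag.
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        if seq <= self.last_seq[terminal]:
            return "rejected: replay"
        self.last_seq[terminal] = seq
        cmd = json.loads(body)
        if cmd["op"] == "set_price":
            self.price_book[cmd["sku"]] = float(cmd["price"])
            return "applied"
        return "unknown op"


def build_envelope(key, terminal, seq, cmd):
    """What a legitimate terminal sends: a signed, sequenced command."""
    body = json.dumps(cmd, sort_keys=True)
    return json.dumps({"terminal": terminal, "seq": seq, "body": body,
                       "tag": HardenedServer.sign(key, terminal, seq, body)})


def demo():
    """Run the attacker's unauthenticated price change against both handlers."""
    rogue = json.dumps({"op": "set_price", "sku": "SKU-1001", "price": 0.01})
    vuln_book = dict(PRICE_BOOK)
    vuln_result = vulnerable_handle(vuln_book, rogue)

    srv = HardenedServer(dict(PRICE_BOOK), TERMINAL_KEYS)
    # Attacker wraps the same command with a guessed tag: rejected, price intact.
    forged = json.dumps({"terminal": "POS-01", "seq": 1, "body": rogue, "tag": "00" * 32})
    forged_result = srv.handle(forged)
    # Legitimate terminal: accepted once; replaying the same envelope is rejected.
    legit = build_envelope(TERMINAL_KEYS["POS-02"], "POS-02", 1,
                           {"op": "set_price", "sku": "SKU-2002", "price": 4.25})
    legit_result = srv.handle(legit)
    replay_result = srv.handle(legit)
    return {
        "vulnerable": (vuln_result, vuln_book["SKU-1001"]),
        "forged": (forged_result, srv.price_book["SKU-1001"]),
        "legit": (legit_result, srv.price_book["SKU-2002"]),
        "replay": replay_result,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point of the hardened variant is not the particular MAC but that the server now has something to check before acting: the command is bound to a specific terminal's key, and the sequence number stops an attacker who has captured a legitimate price change from simply sending it again. Encrypting the link (TLS with client certificates, for instance) would additionally keep card data and commands out of a passive sniffer's reach, which a MAC alone does not.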