Advisory: Potential vulnerabilites in PayPal Beacons

Overview

Hardware beacons made by PayPal have some potential vulnerabilities. However, because we have been unable to obtain a physical beacon for testing, these remain theoretical.

Background

Paypal offers a hardware Bluetooth LE device called “Paypal Beacon” that communicates with the PayPal apps running on users’ devices to support things like sending deals and coupons when customers visit stores.

Card.io, one of PayPal subsidiary companies operates several servers which provide firmware and firmware updates for these beacons. These are indexed in search engines and include the following URLs:

http://beaconlog.card.io/

http://beaconpkg.card.io/

UPDATE (2015–12–07): These have moved to:

http://beacon-packages.ebaystratus.com/

Details

Our analysis of the firmware packages made available at the firmware server points to some potential vulnerabilities. However, because we lack access to a physical beacon for testing, these remain theoretical and unconfirmed.

Issue #1 — firmware update process is using HTTP, and not HTTPS

The firmware update script is located here:

http://beaconpkg.card.io/images/reberry.sh

The script is using HTTP, and not HTTPS to download firmware images. With DNS or domain spoofing, it would be possible to have malicious hardware being downloaded and replaced on the beacons. Excerpt as follows:

fi wget http://beaconlog.card.io/images${IMAGES_TYPE}/ppbeacon-latest.zip if [ $? != 0 ]; then abort “cannot download image, exiting” fi

However, it is unclear whether this script is used for development purposes only or for production.

Issue #2 — firmware update process did not verify signatures

The firmware update script is located here:

http://beaconpkg.card.io/images/reberry.sh

The analysis of the script shows that it does not verify signatures of the download firmware images, resulting in a possibility of malicious firmware being installed on the beacons. HOWEVER, it is unclear whether this is actually used in production.

Furthermore, the same servers provide two directories with encrypted and digitally signed images that are used for releases later than r129. Those potentially mitigate this issue. The directories are located here:

http://beaconpkg.card.io/ppbeacon-packages/dists/testing/main/binary-armel/
http://beaconpkg.card.io/ppbeacon-packages/dists/stable/main/binary-armel/

Issue #3 — root password for the firmware available publicly

A collection of scripts is accessible publicly in the following files (previous versions are not affected):

http://beaconpkg.card.io/images-develop/scripts-1.18.tar.gz
http://beaconpkg.card.io/images-develop/scripts-1.19.tar.gz
http://beaconpkg.card.io/images-develop/scripts-1.21.tar.gz

Within those files, a script named “led_pass.sh” contains what appears to be the root password for the Linux distribution running the beacon hardware as follows (we blanked out the password):

#!/bin/sh
#
# Shell script is triggered by the test script when all the tests pass
# It is continuos loop with LED colors changing from white, red, green, blue, yellow and purple after each
# second
#
# Password to SSH into beacon
PASSWORD=’XXXXXXXXXX’
#LED TESTS

However, it is unclear whether the same password is used in release versions of the beacon or this is for development purposes only.

Vendor Response

The following response was received from the vendor:

We have reviewed your vulnerability submission, However, it seems that the real world risk associated with this product and the submission is not significant to Paypal or our customers. As we have determined this is not actionable you may publish your findings.

References

PayPal Tracking ID: EIBBP-32271

Timeline

2015–08–10: Vendor notified
2015–08–10: Initial vendor response
2015–08–24: Vendor triage completed
2015–09–09: Vendor response received
2015–10–07: Public disclosure

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s