Critical Security Flaw Found in mPOS TUI Trustlet Could Allow Hackers to Take Over Devices

CVSScvssV3_1: 8.2

The mPOS TUI trustlet, which is used in mobile point-of-sale (mPOS) devices, contains a vulnerability that could allow attackers to execute arbitrary code on affected systems.

The specific flaw is an out-of-bounds write vulnerability (tracked as CVE-2023-21499) located in the TA_Communication_mpos_encrypt_pin function. This occurs prior to the May 2023 SMR release from the vendor. Attackers could potentially leverage this to write code outside of the application’s intended boundaries.

If successfully exploited, this could allow malicious actors to gain full control of mPOS devices. They would then be able to install malware, steal payment card data, or use the device to conduct other criminal activities without the owner’s knowledge or consent.

To protect yourself, users should ensure their mPOS systems have the latest software updates installed. The vendor has since patched this vulnerability in Release 1 of their May 2023 SMR update. Regularly checking for and applying security patches is important to closing vulnerabilities like this.

You should also be cautious about connecting untrusted devices to your mPOS system or leaving them unattended where others could gain physical access. Taking basic security precautions can go a long way in preventing exploitation of flaws and unwanted intrusions.