Orange Cyberdefense reveals new vulnerabilities in credit card machines and electronic access control devices at exclusive client briefing

Security in Dialogue event artwork designed by local illustrator extraordinaire Rachael Kazembe.

---

Hacking no-touch sensors and PIN entry devices, and automating spear phishing, are three cyber security challenges that Orange Cyberdefense’s SensePost team of ethical hackers took on recently. Leon Jacobs, CTO at Orange Cyberdefense South Africa, revealed some of the latest research coming out of the team at the company’s Security in Dialogue client event.

Orange Cyberdefense South Africa CTO, Leon Jacobs, presenting: “Sometimes hacking is fun.”

---

1. Hacking no-touch sensors: No-touch sensors are often used for exiting a secure building or area, and assume that only authorised people have gained access in the first place. Michael Rodger, a senior researcher at Orange Cyberdefense, designed and built a device that activates no-touch sensors from a distance, and even from the other side of the door, to gain unauthorised access.

2. Hacking pin entry devices (PED): Security analyst, Reino Mostert discovered at least seven physical/network vulnerabilities on a credit card PED, and by exploiting just two of these, was able to gain full root access to the devices and their capabilities. In the researchers’ case, they got the game Doom loaded and running, but jokingly concluded it was not an optimal gaming experience. “The buttons suck!” Jacobs said, while using this as a demonstration of the real risks the vulnerabilities pose in terms of controlling an affected PED.

3. “Automatic” spear phishing: Security analysts Felipe Molina de la Torre and Szymon Ziolkowski explored the opportunities around automating an old-school tactic of domain typo-squatting. They built a tool called “mail-in-the-middle” to harvest mistyped e-mails entered when configuring systems, such as cloud service providers, and then automatically poisoning them with malicious payloads and more before sending them off to their intended recipients.

Each member of the SensePost team is given at least 20% of their time at work to research topics and questions they come across during their ethical hacking activities to better understand the attack surfaces and figure out how to mitigate security gaps.

Jacobs and his team work with vendors to responsibly disclose the vulnerabilities their research has uncovered. “We’re in favour of disclosing early and letting the vendor know,” he said. “The end result is not to hold on to the vulnerability. That doesn’t make all of this better, it actually makes it worse, for all of us.”

MC of the event, Head of Technical Pre-Sales at Orange Cyberdefense South Africa, Thulani Mabuza.

---

Data loss, attacker enablement, more sophisticated social engineering and lack of trust in information. These are some of the main risks of generative AI that businesses called out during a discussion around the threats and opportunities of AI at the same event. However, Charl van der Walt, Head of Security Research at Orange Cyberdefense, had an alternative take. He argued that none of these are new threats, and that while genAI amplifies these risks, it is not the biggest security risk facing businesses today.

“I don’t think AI in large language model machine learning is the biggest IT threat we’ve seen in the last 25 years. GenAI has made things faster, more accessible and more exaggerated, but I don’t think the risks are different,” said Van der Walt.

Take data loss protection. Layering AI tools onto your data, for instance, CoPilot’s integration with Office 365, doesn’t create a new risk. Instead, it exacerbates existing data governance problems and misconfigurations, supercharging current risks rather than creating new ones.

Instead, Van der Walt is concerned about AI taking over company communication with employees and customers, for instance, via chatbots, and the risk of losing the nuances of company culture and dealing with sensitive engagements appropriately. And the business risk of not using AI at all needs to be balanced with a careful interrogation of the productivity boosts promised, he advises.

“I think the real risk with this isn’t the technology, or the ubiquity of AI. It’s a societal risk. Is this thing going to get smarter or dumber? Is it ultimately giving us productivity gains in the direction we want? Are you empowering your people in the direction that you want to go, and making the impression that you want to make?” said Van der Walt.

A printed copy of the 180-page Security Navigator 2024 Research Report.

---

Download Orange Cyberdefense’s Security Navigator 2024 here. This year’s edition features 180 pages of analysis looking at a rich subset of data to which the global organisation has access – including anonymised client data gathered from their 18 SOCs, 14 cyber SOCs and eight CERTs distributed across the world.

A fun retrospective of the last 24 years got the co-founders of the original business, SensePost, Van der Walt and Jaco van Graan, who is now VP of Orange Cyberdefense International, as well as their current Managing Director, Dominic White, up on stage to take the audience back to the start. An entertaining history of this South African start-up success covered early offices and office chairs, hacker training at Black Hat in Las Vegas and maintaining and evolving company culture through the acquisitions by SecureData and the Orange Group.

“Building SensePost – a retrospective journey” panel. From left, Dominic White, Charl van der Walt and Jaco van Graan.

---

Get invited to the next cyber security event by Orange Cyberdefense – simply e-mail info@za.orangecyberdefense.com or download the Security Navigator to join our database and opt-in.

The event's agenda consisted of three breakaway sessions centred on generative AI and its security implications.