iPad POS

While traveling in the US, I noticed that a considerable number of smaller food establishments used an iPad Point of Sale (POS) system. Given the number of POS vulnerabilities reported in the past year, I wondered if the iPad would be a more secure POS platform compared to the traditional system.

One thing that the iPad has going for it is that the operating system is frequently and easily updated when new patches are released. Apple is also relatively quick in patching vulnerabilities so the device's exposure to risk is minimized. In contrast, firmware released for traditional POS systems are often less timely, in addition, the flashing process is also much more involved, thus most establishments do not even update their systems leading to greater exposure to risk.

However, the iPad is also a much more complicated device compared to the traditional device. Most features such as bluetooth, GPS, web browsing and so on are not required for the purpose of receiving payment. As a result, there is much more code running on the iPad, thus leading to a greater probability of a vulnerability being present. For example, non payment related function such as notifications could contain a vulnerability which could crash the entire system. In addition, these channels also increase the attack vector. Instead of attacking only over ethernet in the traditional system, an attacker could leverage bluetooth, NFC(future generations of iPad might have NFC capability) or even other installed apps to carry out the attack.

Lastly, the POS functionality on an iPad is provided by a third party application. Thus, the business owner would have to trust multiple companies with the security of their data. These companies are usually new startups and are not as established as the companies providing traditional solutions. A quick look at some of these companies reveal that ease of use, low costs and on-the-fly statistics seem to be the main selling points of the application. Most also do not have data protection clauses. For all you know, they might be selling transaction data to an advertising company.

The iPad was not originally designed to be a POS system, it is only in recent years that the phenomenon has really taken off. Since the majority of companies still use traditional systems, it is far more lucrative to develop exploits targeting them. Once the popularity of an iPad POS picks up, adversaries might start turning their attention towards them and only then will we be able see if these companies have invested enough into the security aspect of their applications.