Payment System Vendor Took Year+ to Patch Infinite Card Top-Up Hack: Security Firm

SEC Consult, a cybersecurity consulting firm under Eviden, says payment solutions company KioSoft took a long time to address a serious vulnerability affecting some of its NFC-based cards.

KioSoft manufactures unattended self-service payment machines, including for laundromats, arcades, vending machines, and car washes. The company is based in Florida and has offices in seven countries around the world. Its website claims it has deployed over 41,000 kiosks and 1.6 million payment terminals across 35 countries. 

SEC Consult researchers discovered back in 2023 that some of KioSoft’s stored-value cards (digital wallets that customers reload for use at specific payment terminals) are affected by a vulnerability (CVE-2025-8699) that can be exploited for free balance top-ups. The hack relies on the fact that the balance is stored locally on the card rather than in a secure online database.

The impacted cards identified by SEC Consult relied on MiFare Classic NFC card technology, which is known to have significant security issues.

Building on the known MiFare card vulnerabilities and analyzing how data is stored on the cards, SEC Consult researchers managed to read and write the card’s data, enabling them to “create money out of thin air”. A hacker can raise the card’s balance to as much as $655, and the process can be repeated, SEC Consult’s Johannes Greil told SecurityWeek.
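The root cause described above is that the card is the only record of its own balance, so whoever can write to the card controls the money. The standard mitigation is an issuer-side ledger: every legitimate top-up and purchase is recorded by the terminal back-end, and the balance a card presents is checked against that record. The following is an added example (not SEC Consult’s or KioSoft’s code) of such a ledger with a reconciliation check that flags cards presenting more value than was ever legitimately loaded. The event format, card IDs and amounts are constructed sample data, and the assumption that the on-card balance is a 16-bit count of cents (which would explain a ceiling near $655, but is not stated in the article) is an assumption of this example only.

```python
"""Issuer-side reconciliation for offline stored-value cards (added example).

Replays constructed terminal events ("topup", "spend", "present") and flags
any card whose presented on-card balance exceeds the balance the issuer's own
ledger can account for.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption (not from the article): the card stores its balance as an
# unsigned 16-bit number of cents, so 65535 cents is the largest encodable value.
MAX_CARD_BALANCE_CENTS = 0xFFFF


@dataclass
class Finding:
    card_id: str
    card_balance: int     # cents reported by the card at the terminal
    ledger_balance: int   # cents the issuer's ledger can account for
    reason: str


class IssuerLedger:
    """Authoritative per-card balance, built only from issuer-recorded events."""

    def __init__(self):
        self._balance = defaultdict(int)

    def apply(self, kind, card_id, cents):
        if kind == "topup":
            self._balance[card_id] += cents
        elif kind == "spend":
            self._balance[card_id] -= cents
        else:
            raise ValueError(f"unknown ledger event kind {kind!r}")

    def balance(self, card_id):
        return self._balance[card_id]


def parse_event(line):
    """Parse a constructed log line of the form '<kind> <card_id> <cents>'."""
    kind, card_id, cents = line.split()
    return kind, card_id, int(cents)


def reconcile(lines, ledger=None):
    """Replay events in order; return a Finding for every 'present' event whose
    on-card balance is higher than the ledger says the card should hold."""
    if ledger is None:
        ledger = IssuerLedger()
    findings = []
    for line in lines:
        kind, card_id, cents = parse_event(line.strip())
        if kind != "present":
            ledger.apply(kind, card_id, cents)
            continue
        expected = ledger.balance(card_id)
        if cents > expected:
            reason = "on-card balance exceeds issuer ledger"
            if cents >= MAX_CARD_BALANCE_CENTS:
                reason += " (at 16-bit ceiling)"
            findings.append(Finding(card_id, cents, expected, reason))
    return findings


# Constructed sample log: CARD-A behaves normally, CARD-B presents a balance
# far above its single $5 top-up, CARD-C was never loaded by the issuer at all.
SAMPLE_LOG = [
    "topup CARD-A 1000",
    "spend CARD-A 250",
    "present CARD-A 750",
    "topup CARD-B 500",
    "present CARD-B 65535",
    "present CARD-C 2000",
]


def demo():
    """Run reconciliation over the constructed log and return the findings."""
    return reconcile(SAMPLE_LOG)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.card_id}: card={f.card_balance} ledger={f.ledger_balance} ({f.reason})")
```

In a deployment the ledger would be the terminal back-end’s database rather than an in-memory dictionary, and a flagged card would be blocked at the terminal and queued for review; the point of the example is that with a server-side record, a rewritten card balance is detectable the moment the card is used, whereas with the balance held only on the card there is nothing to compare it against.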

An attack can be carried out with a hardware tool such as the Proxmark, which is designed for RFID security analysis, research and development. The attacker also needs some knowledge of the MiFare card vulnerabilities, Greil explained.

SEC Consult published an advisory describing its research this week. The company has made available a detailed timeline of its interaction with KioSoft, revealing that it took the vendor well over a year to release a patch.

The security firm first contacted KioSoft in October 2023, but the vendor was unresponsive until the CERT Coordination Center at the Software Engineering Institute of Carnegie Mellon University became involved. 

SEC Consult claims to have sent many requests for a status update since October 2023, many of which went unanswered. The timeline shows that the vendor requested several extensions to the disclosure deadline, and ultimately informed the security firm that a firmware patch was released in the summer of 2025. The vendor indicated that new hardware would also be rolled out in the future. 

KioSoft refused to provide version numbers of impacted and patched releases, arguing that affected customers would be privately notified, the security firm said. While KioSoft’s products are widely used, the vendor told SEC Consult that most of its solutions do not use the vulnerable MiFare card technology.

SEC Consult no longer has access to the terminals on which it initially conducted its research, so it could not verify the vendor’s patch. 

KioSoft has not responded to SecurityWeek’s request for comment. 

Related: eSIM Hack Allows for Cloning, Spying

Related: Major Backdoor in Millions of RFID Cards Allows Instant Cloning
