
Payment System Vendor Took 12 Months+ to Patch Infinite Card Top-Up Hack: Security Firm

SEC Consult, a cybersecurity consulting firm under Eviden, says payment solutions company KioSoft took a very long time to address a serious vulnerability affecting some of its NFC-based cards.

KioSoft manufactures unattended self-service payment machines, including for laundromats, arcades, vending machines, and car washes. The company is based in Florida and has offices in seven countries around the world. Its website claims it has deployed over 41,000 kiosks and 1.6 million payment terminals across 35 countries.

SEC Consult researchers discovered back in 2023 that some of KioSoft's stored-value cards, digital wallets that customers reload for use at specific payment terminals, are affected by a vulnerability (CVE-2025-8699) that can be exploited for free balance top-ups. The hack relies on the fact that the balance is stored locally on the card rather than in a secure online database.

The impacted cards identified by SEC Consult relied on MiFare Classic NFC card technology, which is known to have significant security issues.


Building on the known MiFare card vulnerabilities and analyzing how data is stored on the cards, SEC Consult researchers managed to read data from the card and write data to the card, enabling them to "create money out of thin air". A hacker can increase the card's balance to as much as $655, but the process can be repeated, SEC Consult's Johannes Greil told information.killnetswitch.

An attacker can conduct an attack using a hardware tool such as the Proxmark, which is designed for RFID security analysis, research and development. The attacker also needs to have some knowledge of the MiFare card vulnerabilities to carry out a hack, Greil explained.
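The design weakness described above, as an added example that is not part of the original article, KioSoft's code, or SEC Consult's proof of concept: a simulated stored-value card whose balance is kept on the card, a terminal that trusts that value (the vulnerable pattern), and a terminal that treats a backend ledger as authoritative and flags any card reporting more than the ledger ever issued. The card layout, the 16-bit cent counter (chosen because it matches the $655 ceiling quoted above, but an assumption here), the `Ledger` class and all function names are constructed for this illustration.

```python
"""Added illustration for this article; not KioSoft's code and not the
SEC Consult proof of concept. Everything below is a constructed model."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

MAX_CENTS = 0xFFFF  # assumption: 16-bit counter on the card, $655.35 maximum


@dataclass
class Card:
    uid: str
    balance_cents: int  # stored on the card; writable by anyone who can write the card


@dataclass
class Ledger:
    """Backend record of what each card should hold (assumed interface)."""
    balances: dict = field(default_factory=dict)

    def top_up(self, uid: str, cents: int) -> int:
        # Only the backend changes a balance on a top-up; the card is a cache.
        self.balances[uid] = self.balances.get(uid, 0) + cents
        return self.balances[uid]

    def get(self, uid: str) -> int:
        return self.balances.get(uid, 0)

    def debit(self, uid: str, cents: int) -> int:
        self.balances[uid] = self.get(uid) - cents
        return self.balances[uid]


def offline_terminal_charge(card: Card, cents: int) -> bool:
    """Vulnerable pattern: the terminal believes whatever the card reports,
    so a rewritten balance is accepted without question."""
    if card.balance_cents < cents:
        return False
    card.balance_cents -= cents
    return True


def verified_terminal_charge(card: Card, ledger: Ledger, cents: int) -> Tuple[bool, Optional[str]]:
    """Hardened pattern: the backend ledger is authoritative and the card value
    is only a hint. Returns (approved, alert); alert is None or a short reason
    string that a monitoring pipeline could act on."""
    expected = ledger.get(card.uid)
    alert = None
    if card.balance_cents > expected:
        # Card claims more than the backend ever issued: report it and keep
        # using the ledger value rather than the card's.
        alert = f"card {card.uid} reports {card.balance_cents} cents, ledger has {expected}"
    if expected < cents:
        # Resync the card on decline too, so an inflated value does not
        # survive to the next (possibly offline) terminal.
        card.balance_cents = expected
        return False, alert
    card.balance_cents = ledger.debit(card.uid, cents)
    return True, alert


def demo() -> dict:
    """Run both terminal styles against a genuine and a rewritten card."""
    ledger = Ledger()
    ledger.top_up("card-A", 500)            # constructed: $5.00 actually paid for
    genuine = Card("card-A", 500)
    tampered = Card("card-A", MAX_CENTS)    # constructed: card rewritten to the 16-bit maximum

    return {
        "offline_accepts_tampered": offline_terminal_charge(tampered, 10_000),
        "verified_on_tampered": verified_terminal_charge(tampered, ledger, 10_000),
        "tampered_card_after_resync": tampered.balance_cents,
        "verified_on_genuine": verified_terminal_charge(genuine, ledger, 300),
        "ledger_after": ledger.get("card-A"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The verified terminal still approves a charge that the ledger can cover even when the card over-reports, because a card value above the ledger can also come from a sync failure after a legitimate top-up; the alert is what lets an operator tell the two cases apart and decide whether to block that card UID outright.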

SEC Consult published an advisory describing its research this week. The company has made available a detailed timeline of its interaction with KioSoft, revealing that it took the vendor well over a year to release a patch.


The security firm first contacted KioSoft in October 2023, but the vendor was unresponsive until the CERT Coordination Center at the Software Engineering Institute of Carnegie Mellon University became involved.

SEC Consult claims to have sent many requests for a status update since October 2023, with many going unanswered. The timeline shows that the vendor requested several extensions to the disclosure deadline, and eventually informed the security firm that a firmware patch was released in the summer of 2025. The vendor indicated that new hardware would also be rolled out in the future.

KioSoft refused to provide version numbers of impacted and patched releases, arguing that affected customers would be privately notified, the security firm said. While KioSoft's products are widely used, the vendor told SEC Consult that the majority of its solutions do not use the vulnerable MiFare card technology.

SEC Consult no longer has access to the terminals it initially conducted its research on, and it could not verify the vendor's patch.


KioSoft has not responded to information.killnetswitch's request for comment.
