Sumup: Multiple firmware defects in Sumup AIR card terminal
=====================================

* Affected system: Sumup AIR card terminal
* Released: 2019-03-13
* ID: CIPH-2018-101502

Summary
=====================================

This advisory announces two security vulnerabilities in the card terminal "Sumup AIR" developed by Sumup Payments Ltd. Sumup AIR supports chip and RFID/NFC based bank cards and features Bluetooth LE and USB for communication with an Android or iOS device. The communication protocol is proprietary and consists of binary data packets sent over a serial connection.

In our research we found flaws in the input validation process. Using specially crafted data it is possible to trigger crashes, freezes or reboots. Some of the defects may lead to code execution or arbitrary memory reads.

Affected devices
=====================================

Our research was focused on the "Sumup AIR" card terminal. All tests were made with the following firmware ("Info Version" from the service menu):

* AP_VER:1.0.1.21
* FW_VER:2.5.59.2
* LOAD_VER:2.2.18.0

Other card terminals might be affected as well; however, those devices were out of scope in our research.

Affected users
=====================================

Every seller and customer who uses Sumup as a payment method with a "Sumup AIR" card terminal is potentially affected.

Finding 1: Serial API: uncontrolled format string
=====================================

A specific serial command enables the user to display custom text on the embedded OLED display of the card terminal. The transmitted string is passed to a printf() function. If the string contains "%s" placeholders, the card terminal crashes with an exception that is shown on the display. The exception contains the crash cause as a code, the pointer of the crashed function (EPC) and the return address (RA). Passing "%x" placeholders allows reading some bytes of the stack, as long as no non-readable memory region is reached.
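As an added illustration (not code from the advisory or from the Sumup firmware), the defective pattern behind Finding 1 is shown in a comment beside a hardened replacement in C; the 22-byte limit is the one the advisory reports, while the function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define DISPLAY_MAX_LEN 22   /* display-text limit stated in the advisory */

/* Finding 1 is the classic defect  printf(text);  with text received over the
 * serial link used as the format string: "%s" dereferences stack garbage
 * (MIPS exception, EPC/RA shown on the display), "%x" leaks stack words.
 * Below is the hardened counterpart: the payload is only ever an argument. */

/* Validate a payload and copy it into a NUL-terminated buffer. Returns 0 on
 * success, -1 if it exceeds the limit or holds bytes outside printable ASCII.
 * '%' stays allowed; it is harmless when it is never used as the format. */
int sanitize_display_text(const char *text, size_t len, char out[DISPLAY_MAX_LEN + 1])
{
    if (text == NULL || len > DISPLAY_MAX_LEN)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)text[i];
        if (c < 0x20 || c > 0x7e)
            return -1;
    }
    memcpy(out, text, len);
    out[len] = '\0';
    return 0;
}

/* Render through a fixed format. Returns bytes rendered, or -1 if rejected. */
int display_text(const char *text, size_t len)
{
    char buf[DISPLAY_MAX_LEN + 1];
    if (sanitize_display_text(text, len, buf) != 0)
        return -1;
    printf("%s\n", buf);   /* '%' in the payload is printed literally */
    return (int)len;
}

int main(void)
{
    const char probe[] = "%x%x%x%x%s";   /* constructed probe payload */
    return display_text(probe, strlen(probe)) < 0;
}
```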
Due to the restrictive length limit of the supplied string (max. 22 bytes) we were not able to exploit the format string vulnerability. It was not possible to execute code on the device or read arbitrary memory.

* Type: Denial of Service (Segmentation fault)
* Access Vector: Local
* Authentication: None
* Complexity: High
* CVSSv3: 4.5
  https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H/E:P/RL:X/RC:R/CR:L/IR:M/AR:M/MAV:P/MAC:H/MPR:N/MUI:R/MS:U/MC:L/MI:L/MA:H

Finding 2: Serial API: insufficient input validation
=====================================

During our research we discovered several bugs in the undocumented serial API. We used fuzzing methods to find undocumented commands and found a series of packets which caused the card terminal to crash. Other packets caused a reboot or a freeze of the device. This behaviour indicates insufficient input validation.

* Type: Denial of Service (Segmentation fault)
* Access Vector: Local
* Authentication: None
* Complexity: Moderate
* CVSSv3: 4.5
  https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H/E:P/RL:X/RC:R/CR:L/IR:M/AR:M/MAV:P/MAC:H/MPR:N/MUI:R/MS:U/MC:L/MI:L/MA:H

Impact
=====================================

Theoretically a local attacker may be able to run custom code on the card terminal. Currently the impact is limited to local denial of service. Exploitation of this flaw would require considerably more effort, since each MIPS exception requires manual interaction with the device and leaves the card terminal in an unstable and unpredictable state.
Timeline
=====================================

2018-10-15 Start of research
2018-10-20 Found vulnerabilities in card terminal
2018-10-26 Abuse notification from vendor
2018-10-26 Verified findings
2018-10-26 Attempt to establish secure communication channel with vendor
2018-11-02 Trying to contact vendor via partner companies
2018-11-02 Informed Niedersachsen-CERT
2018-11-22 Forward from Niedersachsen-CERT to CERT-BUND
2018-11-23 Verification by CERT-BUND
2018-12-03 Further timeline pinned down with CERT-BUND
2019-01-09 Teleconference with CERT-BUND and vendor. Discussed vulnerabilities with Sumup. Disclosure timeline established, upcoming fix confirmed.
2019-01-10 Vendor verifies vulnerabilities. Fixes should be included in future releases.
2019-03-13 Advisory released

Disclosure Policy
=====================================

See (German): https://www.ciphron.de/vulnerability-disclosure-policy

About CIPHRON
=====================================

CIPHRON GmbH was founded in 2003 and is a consultancy for information and cyber security with its central office in Hannover, Germany. As such, CIPHRON performs penetration tests, code reviews and individual research on security topics. More information is available at https://www.ciphron.de

Contact
=====================================

Ciphron GmbH
Kriegerstrasse 44
30161 Hannover
Germany