Flaws in Sumup Payments Ltd. based systems

We would like to inform you about our findings regarding Sumup Payments Ltd. card terminals and the related backend infrastructure.


March 13, 2019

Flaws in Sumup Payments Ltd. based systems


We would like to inform you about our findings regarding Sumup Payments Ltd. card terminals and the related backend infrastructure. During our research we have found several flaws in the system including information disclosure in the backend of Sumup Payments Ltd. backend and defects in the terminal's firmware.


We thank Sumup Payments Ltd. and CERT-Bund for excellent support and cooperation.

CIPH-2018-101501: Information disclosure through receipts

Summary: This advisory announces two security vulnerabilities in the backend system of Sumup Payments Ltd. For every transaction over Sumup (like the payment of a cup of coffee) a Transaction ID (TID) is generated and the Merchant ID (MID) of the seller is assigned. The receipt for this transaction can later be accessed by the customer over a custom link, which contains the TID and MID. Under some circumstances it is possible to access receipts without the knowledge of the MID. Also the entropy of the TID is not high enough, making it possible to access random receipts which leads to disclosure of sensitive data.

Full advisory can be downloaded here: CIPH-2018-101501

CIPH-2018-101502: Multiple firmware defects in Sumup AIR card terminal

Summary: This advisory announces two security vulnerabilities in the card terminal "Sumup AIR" developed by Sumup Payments Ltd. Sumup AIR supports chip and RFID/NFC based bank cards and features Bluetooth LE and USB for communcation with an Android or iOS device. The communication protocol is propritary and consists of binary data packets sent over a serial connection. In our research we have found flaws in the input validation process. Using specially crafted data it is possible to trigger crashes, freezes or reboots. Some of the defects may lead to code execution or arbitary memory reads.

Full advisory can be downloaded here: CIPH-2018-101502





  • CIWATCH


    IT-Monitoring

    Das umfassendste KnowHow zur Überwachung Ihrer IT-Services


    Mehr erfahren
  • CIDESK


    Enterprise-((OTRS)) Community Edition

    Geschäftsprozesse und Kommunikation perfekt managen


    Mehr erfahren
  • CISQUAD


    Wir machen sauber

    Cyber-Angriffe abwehren und
    Sicherheit wieder herstellen


    Mehr erfahren
  • CICHECK


    Wir hacken Sie!

    Stellen Sie Ihre Sicherheit
    auf die Probe


    Mehr erfahren

Ihre Internet Explorer Version ist nicht für unsere Webseite optimiert und kann möglicherweise Fehler in der Darstellung aufweisen.
Bitte aktualisieren Sie ihren Browser auf den aktuellsten Stand - Vielen Dank!

Verstanden!