Flaws in Sumup Payments Ltd. based systems
We would like to inform you about our findings regarding Sumup Payments Ltd. card terminals and the related backend infrastructure. During our research we found several flaws in the system, including information disclosure in the Sumup Payments Ltd. backend and defects in the terminal's firmware.
We thank Sumup Payments Ltd. and CERT-Bund for excellent support and cooperation.
CIPH-2018-101501: Information disclosure through receipts
Summary: This advisory announces two security vulnerabilities in the backend system of Sumup Payments Ltd. For every transaction over Sumup (like the payment of a cup of coffee) a Transaction ID (TID) is generated and the Merchant ID (MID) of the seller is assigned. The receipt for this transaction can later be accessed by the customer over a custom link, which contains the TID and MID. Under some circumstances it is possible to access receipts without the knowledge of the MID. Also the entropy of the TID is not high enough, making it possible to access random receipts which leads to disclosure of sensitive data.
Full advisory can be downloaded here: CIPH-2018-101501
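As an added illustration (not SumUp's code and not taken from the advisory), the following hypothetical receipt-link service shows the two points above from the defender's side: a helper that estimates how often random guessing hits a valid receipt for a given identifier size, and a lookup scheme in which the public link carries an opaque 128-bit token instead of the TID/MID pair, while an internal lookup still requires both identifiers. Identifier names, bit sizes and receipt counts are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Receipt:
    tid: str           # transaction id (constructed sample format)
    mid: str           # merchant id of the seller
    amount_cents: int


def expected_probes_per_hit(id_bits: int, receipts_issued: int) -> float:
    """Expected random guesses before one lands on an existing receipt.

    If the identifier space holds 2**id_bits values and receipts_issued of
    them are valid, a guess succeeds about every 2**id_bits / receipts_issued
    attempts. Sizes passed in are hypothetical, not SumUp's real parameters.
    """
    return 2 ** id_bits / receipts_issued


class ReceiptLinkService:
    """Hypothetical hardened receipt-link service (example code only).

    The customer's link carries an opaque 128-bit capability token rather than
    TID and MID; only a SHA-256 of the token is kept server-side.
    """
    TOKEN_BYTES = 16  # 128 bits from the OS CSPRNG

    def __init__(self) -> None:
        self._receipts: Dict[str, Receipt] = {}   # tid -> receipt
        self._token_index: Dict[str, str] = {}    # sha256(token) -> tid

    def record_transaction(self, receipt: Receipt) -> str:
        self._receipts[receipt.tid] = receipt
        token = secrets.token_urlsafe(self.TOKEN_BYTES)
        self._token_index[hashlib.sha256(token.encode()).hexdigest()] = receipt.tid
        return token  # the only secret that goes into the customer's link

    def fetch_by_token(self, token: str) -> Optional[Receipt]:
        tid = self._token_index.get(hashlib.sha256(token.encode()).hexdigest())
        return self._receipts.get(tid) if tid else None

    def fetch_by_tid_and_mid(self, tid: str, mid: str) -> Optional[Receipt]:
        """Internal lookup: both identifiers are required and the MID is
        compared in constant time, so a mismatch reveals nothing."""
        receipt = self._receipts.get(tid)
        if receipt is None or not hmac.compare_digest(receipt.mid.encode(), mid.encode()):
            return None
        return receipt
```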
CIPH-2018-101502: Multiple firmware defects in Sumup AIR card terminal
Summary: This advisory announces two security vulnerabilities in the card terminal "Sumup AIR" developed by Sumup Payments Ltd. Sumup AIR supports chip and RFID/NFC based bank cards and features Bluetooth LE and USB for communication with an Android or iOS device. The communication protocol is proprietary and consists of binary data packets sent over a serial connection. In our research we found flaws in the input validation process. Using specially crafted data it is possible to trigger crashes, freezes or reboots. Some of the defects may lead to code execution or arbitrary memory reads.
Full advisory can be downloaded here: CIPH-2018-101502