Hello, this is POS Terminal Security Uncovered. My name is Aleksei Stennikov, I am a hardware researcher, and I am going to talk about payment hardware security. When I started this research I faced a lack of useful information related to this kind of device. All vendors still keep secret the technologies used in such hardware. For many reasons POS terminal security is still a blind spot. This talk is a combination of two years of research related to payment devices, which handle your payment card data. I am going to present a general approach to understanding the internals of the hardware, common weaknesses and additionally some of our results. So let's start.

As you can see, this presentation is divided into two main parts, hardware and software. Every topic in this list could be a separate talk, but I tried to highlight the most important things for each of them.

At the first step we have to understand that a POS system is not equal to a POS terminal. Basically a POS terminal or PIN pad is a part of a POS system or just a standalone device. Also a POS system may have a register, which in most cases is built on a Windows-based PC, additional hardware like barcode scanners, and can be integrated with ERP systems. Often when you see a title like "someone hacked the POS" it means a hack of the register or cashier station.

Let's look at the typical data flow in such systems to define entry points for an intruder. This is a typical POS interaction scheme. What can go wrong in this case? As you can see, the PIN pad has two kinds of interactions. The first one is interaction with the terminal management system and the payment processor through the internet. The second one is interaction with the POS application using the local network. The communication channel between the PIN pad and a third-party application or POS application can be configured in two different ways, secure and insecure.
A common attack in this case is the difference between the amount shown on the PIN pad and the amount really charged from your card. This is about vulnerable configuration. But I want to pay attention to the most common things in my talk. Just keep in mind to keep the configuration as secure as possible if you are a maintainer of such systems.

I am sure that you recognized at least two of these terminals. The first two vendors are well known in the United States and European countries. And as far as I know PAX is widely used in Russia and Asian countries because it is cheaper than the previous two. If you try to connect to a PIN pad via a network connection you will be surprised. There are no listening ports and one or two outgoing connections to some bank servers. In this case you have to look at other physical ports.

The interfaces exposed to an intruder are basically the attack surface. They can be divided into general communication interfaces like Ethernet, RS232 and different wireless interfaces, and specific payment card interfaces like EMV and NFC. In some documentation you may find information that some of them are not used, but in real life the operating system has drivers and handlers for some specific peripherals like barcode cameras and external receipt printers.

The next important thing is the rules for how payment hardware should be built. I know that regulation is boring stuff but it may provide a lot of information about physical security tests and behavior. Every payment terminal should satisfy these requirements and regulations. In any other case it cannot be approved to work with payment data. The first one is the PIN entry device physical security requirements. It defines protection measures against PIN disclosing attacks like tamper detection, response mechanisms and other cases. For example, if the reader permits access to internal areas, it must not be possible to use this access area to insert a PIN disclosing bug. The most sensitive functions or information are only used in protected areas.
The next one is PIN transaction security. They are almost the same. Both have the purpose of preventing PIN disclosure. These requirements also define tamper protection, sensitive data erasing, etc. And what the sensitive data is, is a question. The vendors chose their own interpretation and way to erase it.

Let's have a look at common security mechanisms and anti-tampering. According to the previous rules and payment system requirements, the following events should be registered: case opening, security circuit damage, power supply anomalies, temperature anomalies, accelerometer anomalies and finally debugging interface connection. Two or more of them should be interpreted as intrusion. As a result the terminal should log the event, erase encryption keys, delete sensitive information and finally become a brick.

This slide shows you the tamper detection list we have extracted from the Ingenico Telium 2 operating system code. As you may see there are a lot of power supply detectors, a JTAG connection detector and mechanical tamper detectors like meshes or switches. Let's look at each of them. When you disassemble an Ingenico PIN pad you will see a lot of membrane switches. Some of them are assigned to real buttons like numeric and navigation buttons. They are highlighted in green. But what are the red membranes? They are mechanical tamper detectors; they are pressed by the PIN pad body when assembled. When you start to rotate any screw in order to disassemble it, the microcontroller receives a hardware interrupt, wakes up and does the defined actions to protect its data. The critical measure is a wire mesh as shown on this slide. It has two main purposes, anti-drilling protection and obfuscation. The case on this slide covers the smart card reader and registers drilling when the protection circuit is destroyed. This kind of mesh you also may find on printed circuit boards and ribbon cables.
And finally this is an example of tampered devices as a result of some of our attempts. Some of them became unusable and some of them ask you for a factory password. The main idea is that when a device is tampered it should be passed to service. Basically only an authorized service may restore the device, and only the bank's service can restore it and load the application.

And what consequences may anti-tampering bypass have? One example related to mobile point of sale was demonstrated at Black Hat USA. The researchers realized that this device doesn't have any anti-tampering detectors. They found points on the circuit to connect to in order to obtain encrypted magstripe data. And finally it allowed them to collect sensitive payment information directly from the device. Another cool piece of research was made by SR Labs and presented at CCC. Some of their findings were anti-tampering bypass, an unlocked and exposed JTAG connection and software vulnerabilities. What you may do with such vulnerabilities we will discuss a bit later. Anyway, these findings compromised the whole device and now it's deprecated. Another two examples are related to relay attacks and skimming. You can read more using the links below.

And now it's time to talk about debug and maintenance features. When you disassemble a point of sale terminal you realize that it is a very complex device. Your imagination and background paint something like what you see on this slide, because you know that the iPhone for example has a very specific JTAG adapter. In this case you can find some forum topics about firmware uploading, tamper clearing and related stuff. But this is what you see in reality. Verifone and PAX use an adapter from simple RS232 to an Ethernet connector with custom wiring. You can reproduce them yourself. Ingenico uses just a usual USB port for firmware uploading and service actions.
These cables are used for factory reset, clearing security flags, uploading firmware and sometimes for specific debugging. But at the moment we still don't have the firmware and don't know any information about the architecture of the microcontroller. And now we should fill this gap.

Teardown is my favorite step when I work with new hardware. It delivers a lot of happiness to you, and the favorite thing of all children is to break a new toy and see what they have inside. In the case that you already have the firmware it's good to understand the internals of the hardware. If you properly define the exact CPU or MCU it helps you to understand the operating system internals, peripherals and other helpful things.

This is an example of an old model made by Verifone. It is built using a Samsung ARM-based CPU. You may read more about it using the link below. But our region of interest is more modern devices. This is the internals of a modern Verifone 520. Here you can see the branded MCU and NAND flash memory. Definitely this MCU should be a relatively popular one. But in this case it is re-branded. It makes it more difficult to understand the firmware internals. In this case the firmware could be dumped from NAND flash memory using a NAND programmer. Luckily I found one guy on Twitter who solved the same task. He defined the exact model of the MCU by pinout. It was a Broadcom secure MCU, BCM5892. You can find header files with definitions of all peripherals in some Linux kernel sources. There are some other ways to determine the exact MCU, and I am going to show one of them in the next slides.

The next one is an Ingenico PIN pad, where there is basically no difference whether it is portable or countertop. They are all built using the same hardware and use the same operating system. I am sure it is well known to all of you. You saw this photo on the slide with tampering detectors.
In this case pay attention to the microcontroller under the main brain. It is a branded crypto processor. They call it Booster in their binaries. It stores the encryption keys inside and handles most of the critical cryptography tasks like updates, signature checks, etc. This is the other side of the printed circuit board. And you see another branded microcontroller. They call it the application processor, according to its purpose. Actually, you can't find any information about this microcontroller. As in the previous case, the flash memory in the upper left corner stores the operating system and application code. You can desolder the flash memory in order to obtain the operating system and application code for research. In this case it's good to know the exact MCU to understand work with peripherals and other peculiarities. One other important thing is that the flash contents you are going to dump are compressed. You should solve the unpacking task by yourself.

Booster is probably one of the Atmel Cortex-M3 MCU series but in an unusual package. I can't do anything in this case without a laboratory and tools for decapping. The application processor looks like a general purpose microcontroller and I tried to define the exact model. This is another scenario to define an MCU. At the first step I desoldered this MCU and defined the exact package. At the next step I made a list of all microcontroller candidates for this package. Then I defined the power supply pins by PCB using a multimeter and filtered out all unfit candidates by pinout. The next thing you can see is test pads close to the microcontroller. It may be an interface used during production for factory flashing and setting up. This hypothesis is confirmed by the pull-up resistor block. The next list I made was pinout candidates. At the moment I had a list of microcontrollers only by Microchip. This list is on the slide. And as a result I defined the JTAG pinout and I think the exact model is AT91SAM9G20.
We tried to apply memory and register maps to our binaries and they fit. But sadly the JTAG is turned off.

The next case of PIN pads is Chinese PAX point of sale terminals. They are very similar to Verifone by their internals but there is completely different software inside. When you disassemble one of them you will find the same microcontroller and almost the same NAND flash memory as used in all modern Verifones. The NAND flash contains surprisingly unencrypted and uncompressed binaries of the proprietary operating system and application. Actually, the file system structure is proprietary. Now you can buy a couple of them from eBay for example and start your own payment hardware research.

And a few words about tampering reset. Definitely all terminals have different ways to clear tampering flags. One of them, PAX, uses simple hard-coded passwords. Verifone models need to upload dummy encryption keys to clear tamper flags. And Ingenico, as far as I know, stores security flags and keys in a separate hardware controller, and it can be reset using external hardware. Also some forum topics contain information about maintenance, tampering clearing, etc. Here you may see tips from a closed Russian forum about hard-coded passwords and special software. The true way to understand all things related to tampering is reverse engineering.

What can you do if you can clear tampering flags? For example, when you have cleared these flags you are able to upload the application again and play with the configuration. You may try to write and upload your own firmware. Tampering clearing may help you to restore after your experiments, or to use the device opened in order to research internal interfaces using a logic analyzer. Some of the PIN pads are able to turn on some debug capabilities, and in this case you can run any applications under the debugger.

Now when we know some information about the hardware and connections we should cover another blind spot, payment card interfaces.
The EMV payment method is based upon a technical standard for smart payment cards. EMV originally stood for Europay, Mastercard and Visa, the three companies which created the standard. In most cases the hardware that allows you to intercept and modify payment card data isn't cheap. In this case we use a device called Smart Card Detective with custom firmware. Now it's not supported by the original developer but you can find the PCB and sources to assemble one for yourself. Here's a link with some information related to this device.

In order to understand the EMV packets you should read a bit about the tag-length-value format. Then you should go to the official site of EMV and you will be surprised by the amount of information that you should read. Now you see some information available for download and related to EMV. Every one of these documents is very thick because it defines all things starting from the physical layer and a deep description for every tag of EMV. I recommend you to read them briefly at least.

Another interesting thing is the NFC interface. The frame format is close to EMV but the physical layer is near field communication. Here are some approaches to start to work with NFC depending on your skills. The most simple of them is Proxmark. Another way is to assemble your own sniffer or repeater based on some available stuff like PN532 or TRF-based boards. Also you can use an Android device with NFC or something else that fits your skills. Our assembly was PN532-based boards with a Raspberry Pi Zero. It was a cheap and dirty trick as you see, but the components for it are available literally everywhere. And another batch of documentation, now related to NFC. There are many descriptions of contactless payment transactions. I also recommend reading them briefly at least. Why is it important? Every card payment interaction has its own handler and you are able to fuzz every check, and you will be surprised.
And now it's time to discuss the software and firmware part of point of sale terminals. During our research we faced two different kinds of operating systems. Part of them were completely proprietary, like Verifone Verix, Sagem Telium used by Ingenico, and PaxOS. They all have a legacy codebase, proprietary binary format, etc. Another part were Linux-based devices. Android devices in this case are out of our scope.

The first thing we have to understand is the device boot order. It also has a lot of legacy because almost all of these operating systems were developed before the traditional secure boot approach became mainstream. After reset the zero-stage boot loader should be started. Basically it is located inside the MCU in the form of mask read-only memory. It loads the next-stage boot loader from flash memory and checks its cryptographic signature using the key stored in OTP read-only memory or any secure memory. Every next-stage boot loader also should check the cryptographic signature of every loaded piece of code, etc. Every vendor reinvented their own boot order in this case. Sometimes the boot chain is very long. Finally, when the operating system loads an application it also should check its signature.

This slide shows you the boot log from a Linux-based Verifone. Before the kernel started we can see the boot loader output. In this case it is very talkative. It is called SBI; now we know its version. Also it can load some files from a USB stick, and it loaded U-Boot. And finally the kernel output disclosed the CPU model. Now you see the Verix operating system-based Verifone output. Surprisingly it started the same boot loader. Again it can work with USB sticks, but in this case it loads the proprietary operating system kernel. Please look at the operating system kernel output. Here you can see the Broadcom CPU model that was previously re-branded to an internal Verifone name. In both cases this boot loader is located at the start of NAND flash.
When we dumped the SBI boot loader we were able to disassemble and research it. Finally, it has a lot of features for factory reset, maintenance and a built-in command line interface. But to run this command line interface you should exploit a vulnerability related to an arbitrary memory write that we found during our research.

Another good example is Ingenico Telium 2-based PIN pads. Its maintenance mode contains a lot of features like boot tracing, firmware upload, operating system and application updates, application tracing, application debug and also an undisclosed command line interface. Well, how to get into these maintenance modes? The answer we found in official documentation: as you see, to enter this mode you have to press F2 and F4 during the boot of the PIN pad and enter the password. The default password in this case was discussed many, many times, but no one changes it, surprisingly.

You may think that other terminals have more secure ways to enter this mode. This is a Linux-based Verifone model from the MX series. And surprisingly it has the same password with different hotkeys to enter the maintenance mode. It is called system mode in this case. The first time when you enter this mode it asks you to change the password, and please look at the official screenshot. We all see that many people change the password to the same except the last digit.

A completely different approach we found in Ingenico Telium operating system-based terminals. They use special software called LLT, as shown on the PIN pad display. What can go wrong in this case? The application establishes a PPP connection over virtual USB serial. Then it sends some bytes to the PIN pad, and the PIN pad launches an internal FTP server. This FTP server is used for updates and configuration. The directory structure is shown in the LLT software interface. The fun facts: the PPP connection uses constant hard-coded credentials, the custom protocol is clear text and always has the same bytes to open the FTP server.
The FTP server also uses constant hard-coded credentials like FTP user or FTP password. You may make these findings without any reverse engineering. Just launch any USB sniffer on this USB bus and you surprisingly see that there is no encryption.

And finally, you should pay attention to alternative work modes. In the case of Ingenico Telium it is called mockup mode and is used for some software demonstration. Some security features are turned off in this mode. For other terminals like PAX you may find special firmwares that don't register tampering and allow you to run any applications without any cryptographic checks. The only thing you will see in this case is this notification when the device turns on.

And now it's time to summarize all of our results in this research. Let's start from this well-known Linux-based Verifone of the MX series. In this case we don't discuss any old Verifone MX models because they are deprecated by the payment system, because they were very buggy. At first look the security measures are enough to make the device unhackable. It has all traditional tampering detectors and additionally a maintenance password, no declared access to a command line interface, signed updates, and on the Linux level it has well configured role-based access control. But reality multiplies these security measures by zero because no one changes the default password. There is a special mode where stdin and stdout are routed via the serial port. Also you may find interesting a lot of shell command injections directly from the user interface and a very simple role-based access control bypass. The link to the research where the researcher started the DOOM game is below. And again we found a way to install and run unsigned packages.

The next interesting case is Verix operating system-based terminals. I am sure all of you saw these kinds of devices. Please don't be confused by the wide range of models like countertop and portable devices, devices with Bluetooth or with GSM modules.
Every vulnerability you find in one device will work on every other Verix operating system-based device because they all have the same code base. Like the previous devices, Verix-based PIN pads have the same measures: maintenance password, a command line interface doesn't exist, updates are signed and encrypted, and they should have a well-tested, strong code base. But again, no one changes the maintenance password. During our research we found pre-installed binaries from the standard OS package. One of them is called VSH, like Verix shell, and can be run directly from maintenance mode. The result you may see on the screenshot. We found weak cryptography schemes which allow you to run any unsigned code. And finally the decryption keys for update decryption could be extracted from the device memory.

One of the most interesting sorts of devices is Telium operating system-based devices by Ingenico. I am sure at least one of these devices from the picture is known to you in real life. And again there is a very wide range of devices with the same code base. Let's look at their security. The vendor approach looks like in the previous cases but with some peculiarities. For example, they use specialized software for maintenance and a separate cryptoprocessor for cryptographic operations. And other things like tamper detectors, encryption, etc. are standard for any point of sale terminal, as we already know. And what we realized during our Ingenico research: private maintenance software is accessible from the internet. A lot of protocols are accessible from the LLT mode. Some of them are vulnerable. Another one allows you to run the device with some debug capabilities. Update signature doesn't matter if you have remote code execution on the device or debug. Finally, there is a lot of buggy legacy code.

The last kind of PIN pads is PAX devices. They are less known to you, but the vendor approaches are less complex than any of the previous cases.
This is why I'd recommend starting your research from these models. Surprisingly the maintenance software is accessible from the internet again. Also you can find operating system builds with tons of security features for testing your own applications and to play with the operating system kernel. And probably you may make a lot of findings related to the legacy code base.

Why shouldn't you be afraid to start payment hardware research? Basically, you don't need to have any banking account to interact with the hardware. The only thing you need at the start is to buy a couple of such PIN pads and be ready that some of them go to the trash bin.

The approximate list of our findings is on the slide. There is a lot of untested critical code. We found some buffer overflows and logical flaws in the kernel as well as the network stack and others. Almost all vulnerabilities are easily exploitable. Insecure maintenance and special modes with default passwords. Also you may find alternate and debug signed operating system builds as well as maintenance software and software development kits.

And what is the impact of such findings, flaws and vulnerabilities? First of all you have to understand that this hardware works with your payment card data. It means that the hardware works with your money directly. A very short list of different attacks is on the slide. I have to say a few words about fake POS. If you were in or live in Europe you saw a lot of terminals in almost every touristic shop. The only reason why it happens is the different rules for different terminals with different payment systems. When your card is swiped or inserted in a fake, not licensed, evil PIN pad your money becomes not yours. It happens because someone bought the point of sale terminal with not a banking application but an evil one. You may see on this slide an advertisement about selling such firmware on some Russian underground forum. Any other attacks are mostly understandable and you may read more about them in open sources.
This is another short list, but in this case it contains vulnerabilities found by our team. As you may see, there exist such things as hard-coded credentials, insecure clear-text and vulnerable protocols, a lot of arbitrary code executions, etc. And one of my favorites is the last one, an operating-system-independent code execution in the Verifone bootloader. Soon we are going to disclose technical details for every CVE from this list, but it will be a bit later.

Finally I want to thank these cool guys for their work and help. It was great to work together on this research. The team members are Timur Yunusov, Dmitriy Skliarov, Igor Zaitsev, Vladimir Kononovich, Artem Ivachev and Maxim Kozhevnikov. And that's all for today. If you have any questions, suggestions or topics to discuss feel free to contact me. Thank you for your attention and stay healthy.
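The parser below is an added example and is not part of the talk or of any vendor's code. It is a minimal BER-TLV decoder in Python for the EMV tag-length-value format the speaker says you need before reading Smart Card Detective or NFC captures: multi-byte tags, long-form lengths, constructed templates (bit 6 of the first tag byte), the 00/FF padding EMV permits between objects, and truncated input. The SAMPLE_FCI bytes are constructed for the example (a SELECT-by-AID response carrying AID A0000000031010, label VISA and a PDOL); the function names are the example's own, not an EMV library API.

```python
"""Minimal BER-TLV decoder for EMV data (added example, not from the talk)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed for this example: a SELECT-by-AID response (FCI template 6F) with
# the DF name 84, and an FCI proprietary template A5 holding the application
# label 50 ("VISA"), a PDOL 9F38 asking for tag 9F66 (4 bytes) and an empty
# issuer discretionary template BF0C.
SAMPLE_FCI = bytes.fromhex(
    "6F1A"
    "8407A0000000031010"
    "A50F"
    "500456495341"
    "9F38039F6604"
    "BF0C00"
)


@dataclass
class Tlv:
    tag: int
    value: bytes
    children: List["Tlv"] = field(default_factory=list)

    @property
    def constructed(self) -> bool:
        """Bit 6 of the first tag byte marks a constructed (template) object."""
        first = self.tag >> (8 * ((self.tag.bit_length() - 1) // 8))
        return bool(first & 0x20)


def _read_tag(buf: bytes, pos: int) -> Tuple[int, int]:
    start = pos
    if pos >= len(buf):
        raise ValueError("truncated TLV: missing tag")
    pos += 1
    if (buf[start] & 0x1F) == 0x1F:        # multi-byte tag: more bytes follow
        while True:
            if pos >= len(buf):
                raise ValueError("truncated TLV: unterminated tag")
            pos += 1
            if not (buf[pos - 1] & 0x80):  # last subsequent byte has bit 8 clear
                break
    return int.from_bytes(buf[start:pos], "big"), pos


def _read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    if pos >= len(buf):
        raise ValueError("truncated TLV: missing length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form
        return first, pos
    n = first & 0x7F                       # long form: n following length bytes
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("bad or truncated TLV length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def parse_tlv(buf: bytes) -> List[Tlv]:
    """Decode a sequence of BER-TLV objects; templates are decoded recursively."""
    objs: List[Tlv] = []
    pos = 0
    while pos < len(buf):
        if buf[pos] in (0x00, 0xFF):       # EMV allows padding between objects
            pos += 1
            continue
        tag, pos = _read_tag(buf, pos)
        length, pos = _read_length(buf, pos)
        if pos + length > len(buf):
            raise ValueError(f"truncated TLV: tag {tag:X} claims {length} bytes")
        node = Tlv(tag, buf[pos:pos + length])
        pos += length
        if node.constructed:
            node.children = parse_tlv(node.value)
        objs.append(node)
    return objs


def find_tag(objs: List[Tlv], tag: int) -> Optional[Tlv]:
    """Depth-first search for a tag anywhere in the decoded tree."""
    for obj in objs:
        if obj.tag == tag:
            return obj
        hit = find_tag(obj.children, tag)
        if hit is not None:
            return hit
    return None


def parse_dol(dol: bytes) -> List[Tuple[int, int]]:
    """A Data Object List (e.g. PDOL 9F38) is tag + length pairs without values:
    it tells the terminal which data to send back and how long each item is."""
    entries: List[Tuple[int, int]] = []
    pos = 0
    while pos < len(dol):
        tag, pos = _read_tag(dol, pos)
        length, pos = _read_length(dol, pos)
        entries.append((tag, length))
    return entries


def dump(objs: List[Tlv], indent: int = 0) -> str:
    """Render the tree one object per line, for eyeballing a capture."""
    lines = []
    for obj in objs:
        kind = "template" if obj.constructed else (obj.value.hex().upper() or "(empty)")
        lines.append(f"{'  ' * indent}{obj.tag:X} [{len(obj.value)}] {kind}")
        lines.extend(dump(obj.children, indent + 1).splitlines())
    return "\n".join(lines)


if __name__ == "__main__":
    tree = parse_tlv(SAMPLE_FCI)
    print(dump(tree))
    pdol = find_tag(tree, 0x9F38)
    print("PDOL wants:", [(f"{t:X}", n) for t, n in parse_dol(pdol.value)])
```

Walking the PDOL with parse_dol tells you exactly which terminal values the card expects back in GET PROCESSING OPTIONS (here tag 9F66, 4 bytes), which is the kind of per-check input a fuzzer of the card interface would vary; the bounds checks matter because a length byte is attacker-controlled data on both sides of the reader.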
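A second added example, again not code from the talk or from Verifone, Ingenico or PAX, models the boot order the speaker describes: a ROM stage with a root value in OTP, each stage vouching for the next, and the application last. Vendors check signatures; this simplification instead pins the SHA-256 digest of the next image inside the previous image, which keeps the chain structure identical while needing only the standard library. The stage names and image contents are made up. The `skipped_checks` parameter models the speaker's point that an update signature does not matter once the stage that checks it has been defeated (for example through an arbitrary memory write in a bootloader): everything after such a stage loads unverified.

```python
"""Digest-anchored boot chain model (added example, not vendor code)."""
import hashlib
from typing import FrozenSet, List, Optional, Tuple

DIGEST_LEN = 32  # SHA-256 size; every non-final image ends with one digest

Image = Tuple[str, bytes]  # (stage name, raw image bytes)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(stages: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Image]]:
    """Build images back to front so each image carries the digest of its successor.

    Returns (root_digest, images): the root digest is what a vendor would burn
    into OTP/mask ROM at manufacturing; images are in boot order."""
    images: List[Image] = []
    next_digest = b""                     # the final stage vouches for nothing
    for name, code in reversed(stages):
        image = code + next_digest
        images.insert(0, (name, image))
        next_digest = sha256(image)
    return next_digest, images


def verify_chain(otp_root: bytes, images: List[Image],
                 skipped_checks: FrozenSet[str] = frozenset()) -> Tuple[bool, Optional[str]]:
    """Walk the chain the way the ROM and each bootloader stage would.

    Each stage compares the digest of the next image with the digest it carries.
    `skipped_checks` names stages whose own check is assumed defeated (the stage
    was patched at runtime); "ROM" is the zero-stage checker.
    Returns (ok, name_of_first_rejected_stage)."""
    expected = otp_root
    checker = "ROM"
    for index, (name, image) in enumerate(images):
        if checker not in skipped_checks and sha256(image) != expected:
            return False, name
        is_last = index == len(images) - 1
        expected = b"" if is_last else image[-DIGEST_LEN:]
        checker = name
    return True, None


def stage_code(images: List[Image], index: int) -> bytes:
    """Strip the embedded digest to recover the code part of an image."""
    _, image = images[index]
    return image if index == len(images) - 1 else image[:-DIGEST_LEN]


def replace_stage(images: List[Image], name: str, new_code: bytes) -> List[Image]:
    """What an attacker with write access to flash (but not OTP) can do: swap one
    stage's code and recompute every digest upstream of the change."""
    stages = [(n, stage_code(images, i)) for i, (n, _) in enumerate(images)]
    stages = [(n, new_code if n == name else c) for n, c in stages]
    _, rebuilt = build_chain(stages)
    return rebuilt


def flip_byte(images: List[Image], name: str, offset: int = 0) -> List[Image]:
    """Corrupt one byte of the named image; returns a new list."""
    out: List[Image] = []
    for n, image in images:
        if n == name:
            image = image[:offset] + bytes([image[offset] ^ 0x01]) + image[offset + 1:]
        out.append((n, image))
    return out


# Constructed stages for the example; real images would be a bootloader, the
# proprietary OS and the payment application.
DEMO_STAGES = [
    ("stage1", b"first-stage bootloader"),
    ("os", b"proprietary OS kernel"),
    ("app", b"payment application"),
]
DEMO_ROOT, DEMO_IMAGES = build_chain(DEMO_STAGES)

if __name__ == "__main__":
    print("pristine:", verify_chain(DEMO_ROOT, DEMO_IMAGES))
    print("patched app:", verify_chain(DEMO_ROOT, flip_byte(DEMO_IMAGES, "app")))
    print("rebuilt chain:", verify_chain(DEMO_ROOT, replace_stage(DEMO_IMAGES, "app", b"evil app")))
    print("os check defeated:", verify_chain(DEMO_ROOT, flip_byte(DEMO_IMAGES, "app"), frozenset({"os"})))
```

Two outcomes are worth noticing. Rebuilding the whole chain with a hostile application still fails, and it fails at the first stage, because the OTP root pins the first image and the first image pins everything after it. Marking one checker as defeated makes the same hostile chain pass, which is why the speaker rates a bootloader memory-write bug or an exposed debug mode as more valuable than any weakness in the update signature itself.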