Aaron Christophel Brings DOOM To Payment Terminal

A picture showing acupuncture needles wedged into the inside of the payment terminal

Payment terminals might feel intimidating — they’re generally manufactured with security in mind, with all manner of anti-tamper protections in place to prevent you from poking around in the hardware too much. But [Aaron Christophel] thinks that level of security isn’t aren’t always in practice however, and on his journey towards repurposing devices of all kinds, has stumbled upon just the terminal that will give up its secrets easily. The device in question is Sumup Solo terminal, a small handheld with a battery, LTE connection and a payment card slot – helping you accept card payments even if you’re on the go.

Now, this terminal has security features like the anti-tamper shield over the crucial parts of the device, leading to payment processing-related keys being erased when lifted. However, acupuncture needles, a tool firmly in [Aaron]’s arsenal, helped him reach two UART testpoints that were meant to be located under that shield, and they turned out to be all that a hacker needed to access the Linux system powering this terminal. Not just that, but the UART drops you right into the root shell, which [Aaron] dutifully explored — and after some cross–compilation and Linux tinkering, he got the terminal to, naturally, run Doom.

The video shows you even more, including the responsible disclosure process that he went through with Sumup, resulting in some patches and, we hope, even hardware improvements down the line. Now, the payment processing keys aren’t accessible from the Linux environment — however, [Aaron] notes that this doesn’t exclude attacks like changing the amount of money displayed while the customer is using such a terminal to pay.

If you’d like to take a closer look at some of the hardware tricks used in these secure devices, we did a teardown on one back in 2019 that should prove interesting.

9 thoughts on “Aaron Christophel Brings DOOM To Payment Terminal

  1. So, in short, nobody has ever played doom on physical coins and notes (yet), but atleast physical cash can’t be hacked from you. And physical cash doesn’t care if a battery runs down either. Playing doom on it would require a full physical turing machine though.

  2. At the very least, I wish these articles would offer a couple of photos beside the face of the dude in question before you send us off to the Youtube video that I don’t have the time to go watch.

    1. I download videos from youtube and then watch them at triple speed on my computer. That would cut your viewing time down to 5 minutes and you could download it while looking at other HaD articles. Just a suggestion. For the ultimate time-saver, don’t come here at all and certainly don’t go watch YT videos.

      1. I usually convert long text based article to audio and play them in the background whilst I’m doing other tasks. Definitely a time saver. [ Talkify has been my goto of late, much better after the recent updates. ]

  3. Just because you buy all of the good security pieces. Doesn’t mean you’ll put them together correctly.
    This seems like another one of those situations. They forgot to do something simple and it undermined everything else.
    Example, You could make a great padlock that extremely difficult to pick. You even remembered to make it so shimming doesn’t work. You make it out of great materials that’ll be a pain to drill, grind or cut through. But you forget to put an end cap on the keyway in somebody just reaches through and pushes the locking bar. All of that great security completely negated by forgetting to put in a little disk of metal.
    You can do everything else right but if you forget to disable testing and debugging interfaces. You end up with an easy way to hack your product. Especially if you don’t harden the software that those interfaces access.(If that’s even possible)

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.