I actually spend more than 3 years developing applications for different POS devices, including Sagem EFT30 snd EFT930 families. So a couple of things: 0) This is EFT930S model. S has Ethernet as communication method, so no GPRS here. 1) Those are SAMs, not SIMs. SAM stands for secure application module. Those are to receive custom security devices, carrying some extended security keys, etc. 2) Anti-tamper protection on these devices is really amazing! Not only they have tamper switch, but... Basically, there is a bunch of security keys (PIN key, MAC key, etc.) stored in flash inside crypto-processor. They are stored encrypted by the master key. Master key resides in crypto-processor SRAM. As soon as this crypto-processor detects tampering - it destroys master key. This in turn makes encrypted keys useless, because you can no longer decrypt and use them. And tampering conditions include, but not limited to: - case opening - temperature above max/below min - voltage above max/below min - invalid signals on I/O ports (e.g. you put something completely unexpected on USB bus) - circuitry parameters (impedance, capacitance) - you CAN'T just bodge something in - there is also a guard mesh wound around crypto-processor's crystal, so if you bypassed all the other systems and try to de-pot it to read contents using microscope - oops, keys are gone as soon as this mesh receives any damage. - un-sogned application upload to device - yes, even if you have the SDK, and wrote an app for this puppy, you have to sign it with some special key in order to be able to upload it to device 3) It goes to "MOCKUP" mode after destroying the keys. To return it to productuion mode, you have to send it back to factory - i.e. only MANUFACTURER can revive it, not just a retailer or something. It requires factory keys for that. 4) PINPAD in general is a separate device, connected to POS TERMINAL, so customer can enter his PIN, while merchant has the terminal. So it's not really correct to call this terminal a pinpad.

Nice to see my item made it to a Teardown, Also i think that massive cap is probably not for tamper resistance but for the thermal printer. I have seen similar large ones in Dymo Thermal Printers.

Nice teardown Dave. Designing anti-tamper hardware is a really involved process I spent many months designing a secure memory device recently for the aftermarket automotive industry.

metal pins at 15:45 are for minimizing smartcard socket to erode, many card insertions are expected and not always well-aligned to the socket, so plastic card will roll across the metal pins and not the plastic edge of the socket

For those concerned there is a small industry in hacking these pin pads (as they are called in North America). People steal them and drill into to cases in specific places (bypassing the anti tamper). Which allows the harvest of PINs and MSR Data. Many stores are now physically locking down the pin pad so they cannot be stolen. Always check that the seal is in place in a pin pad. Also make sure that there are no funny holes in your pin pad. Also simply covering the keypad will stop people from recording your PIN with a video camera.

(Lawyer notice: This is not a manual on how to do it, it already happend that way here in Germany.) Gut one out, replace with own hardware that lets any card pass, store card data and PIN on mSD and call it a day, normal folks will never get the difference. If you want to spot that "hack" enter your PIN incorrectly the first time. If it passes the device is hacked. If you want good karma you tell the store folks. If you suspect the store owner to set this up, just walk away and call the police. :)

The massive cap there is for providing power for about 100ms in case of power failure. This allows the application to save any critical data to non-volatile storage. When power fails, The application in the terminal gets an event notification.

Nice video - I went away learning a lot of new things! It makes sense when you point it out, but i didn't realise the industry already had hardware security mechanisms. Fascinating stuff, thanks! :)

There are some things I disagree about: 1. The SIM Card holders are most likely SAM Card (+ probably 1 sim) holder en.wikipedia.org/wiki/Secure_access_module This may also be the reason its processor is not secured to hard, as the crypto stuff is done in the SAM module 2. The "shielding with an unpopulated connector"you described at ~ minute 10 seems to me like and unpopulated GRPS module that could for example hold a telit module www.telit.com/products/product-service-selector/product-service-selector/show/product/g24-lite/ 3. The unpopulated stuff on the other side of (2) is presumably the powersupply for the GRPS module. Usually GPRS modules need a peak power of round about 7W.

Only one of the SIMs will be for the cellular radio - the others are to do with the security stuff, which is why they are populated,

Lathering chips in epoxy isn't much of a security mechanism, so it's understandable why they don't bother with it. More the illusion of security than anything else

4:32 that is just a hole so you can see how much receipt roll you have left

I suspect the large cap is there to activate the anti tamper if someone tries to slide an insulator between the button cell and its terminal. The operating life of the terminal would be equal to the life of the battery. Shame Dave didn't measure the voltage left in the battery. If it was exhausted then we know why the terminal was discarded.

Over here in blighty we call them Chip & PIN pads (well, the ones where you stab the card in with the chip facing the right way up or down and get complained at cos you pulled out too early (giggety) even though you didn't that is)... :) As for stealing people's info, these days all you need is one of them FLIR iphone addons and the ability to mug people and take their cards physically, cos the FLIR thing reads where you entered the PIN on a rubber or plastic keypad (coldest to hottest) and there you have a stolen PIN, though a perfect way to thwart the potential muggers is a PIN with one pair of matching digits, so they can only pick out 3 numbers on the pad which increases the probability of getting the PIN wrong when they go to steal cash... :)

You should do a video on how thermal printing works.

the two nails at the entry of credit cart can be seen by outside; They are guides preventing wear of plastic when insertion of card

I would bet part of the anti-tamper was having that big-ass cap on a separate board. To access the microprocessor you had to putt it off effectively disconnecting it.

Separating those two PCB's would trigger it to erase the keys too, that's why the chips are in that metal shield, once you expose the chips, they are already erased.

the cap stores power to flash the firmware when you open the case, no more security is needed. Cellphones store keys without security stuff anyway!

Can you make another video with the POS equipment fixed back after tear down and try powering up. Does it display an error message or does not display at all considering that it detected a temper? I have a Garmin GPS that I tore down. But when I put it back and power it up, the backlit glows, but no display on the screen. I believe, it has too some anti-tamper mechanism.

i have the same machine, and the phone line plugs into a little box first that is connected to the rs232 port on the little square connector. so i think the modem is also separate,

I think the backup power is only given by the battery, the giant cap is there to give "electrocution" to the chips depleting instantly when locks are defeated and erasing all roms

In here they use those machines to add credit to prepaid phones. The ones I used back when I worked doing that used GPRS for the transactions, and were pretty nice machines. But we use a different machine for actual transactions with cards.

I wonder if Chris Tarnovsky has had a go at those Dallas secure microcontrollers. The Infineon ones are probably still more secure...

Very cool video, learned something new today :)

At 6:55 you can see some very interresting marking on the case. I'm surprised that he didn't noticed it. It explain the 3 "sim" cards and the missing "GPRS" module. The marking say: "SAM1 SAM2 SAM3" and on top of it you see "SD CARD" The SD card, I guess, is used for developpement... The internal USB is most likelly to connect to the PC/register so it can send the info about the amount, and get back the result of the transaction.

Generally here in the UK we wefer to these as EPOS. Just thought you might like to know.

That highly stitched area on the green PCB screams switchmode power supply to me. The unpopulated fine pitch header next to the large bare gold fill on the bottom is probably the header for the cellular card. It would make sense, since the cellular card will need an appreciable amount of power. No cellular? No-pop the PS section.

The multiple SIM cards is are there for several reasons, the predominant one is that you usually have different payment processors for different card brands and transaction types(debit vs credit, local vs international card etc..). Also back then only some processors offered IP based interfaces while many others still used tone based modulation(basically PSTN (like) over cellular, usually a FAX compliant protocol or close enough), on top of that redundancy is something which was important to some costumers especially in the earlier days of GSM where carrier specific network reliability was a much more common issue than it is today. P.S. All PCI-DSS standards are available on the PCIcouncil website and on all major card brands, and for the most part they are complete shit when it comes to actual security. It's about compliance rather than about security and it's "cover thy arse" stamp basically for insurance purposes these days. www.pcisecuritystandards.org/security_standards/documents.php?association=PTS

Oh and the usb on the side is for linking to epos. Nothing more. Updates are done over the PDQs connection.

In the U.S. it's known in InfoSec as PCI-DSS.

Nice piece of technology good video 10 /10

Was anyone else waiting for explosive the dye pack?

I have a feeling that all the keys are on the smartcards you insert into those "SIM" slots on hte bottom.

Is it standard practice in Australia to pronounciate it SA-GEM? The company is named "SA-SJEM" (French)

Your video looks glorious Dave. Beautiful smooth sumptuously coloured and of course outstanding content. Did you receive the Irish whelks yet?

Pretty sure that empty connectors on the back of that top board is for the GPRS modem

The big capacitor is used to maitain power when batery is replaced, perhaps.

There called PDQs in the uk (process data quickly) i install a lot of them here in my job.

Why does the shielding can over the application processor have big open areas in the top of it? That would stop it from working, no?

That plastic spacer would be to prevent downward pressure from the Ethernet USB RS-232 connectors from bending the board?

Dave ... This is the E Modell which doesn't has GSM Capabilities... Ethernet & Modem only!

I don't think switching the unit will work. The units I work with each have a unique identifier plus a site identifier. This is linked to the client's merchant account, so another terminal couldn't just appear to be it - they'd need to replace those IDs.

Next step is to show us how to get the security keys from the chip :)

Ive always heard them called credit card terminals, or usually just a card terminal. Many businesses with a computer based POS system don't have these anymore, its all done with software on the computer and a USB or bluetooth card reader.

awesome video!

The USB ports might be for for connecting the reader to a computerised till system.

Great video! Do you think alot of security is on our cards and at the Bank?

I'm not sure how they would go about successfully swapping them without being noticed, the first card swipe would be the giveaway as in order to work it would have to know the correct phone number, the business' account number and the correct serial number. I do know that part of the security is in the communication as well, mostly to detect any sort of nonsense like that. I'd imagine the easy ting to do would be to stick some sort of thing on the terminal that would have a second reader head and memory so that as you swipe the card both the terminal and the added reader will get the card info, they do this on ATMs, they're called skimmers, and its becoming a big problem here in the US.

I wonder, if someone knows the location of the security switches, won't they just make a small hole near each one and then superglue them in their pressed position before taking the device apart?

OPEN IT ALREADY GRR!

What is the point of tamper resistance if customers are conditioned like trained monkeys to hack in their PIN into any POS looking device? Ok, it makes skimming easier if the device actually works. But that is surely optional. Surely the real issues are trojan PIN pads and the total lack of authentication of the terminal device towards the card.

Please !! Don't say PIN number...it's redundant. It's like saying Personal Identification Number number. Sorry, I'll crawl under my desk now....

Videos no longer play using the KZbin app on my android note 2, anyone with a tech head got an idea? App fully updated.

Too bad no company has found a 100% way to stop side channel attacks. When a processor has to process data, it will draw current spikes of a specific pattern for whatever it is doing. Also electromagnetic waves that leak out of products not very well shielded could also be another attack vector.

Cool device

in sweden we call it "kortterminal"

Why are PCB's always green?

why are you waiting so long with the ds1054z review... :(

I'm sure that if I was any good at electronics and software I could get past most of the security measures. For start, you can get past the switches by grinding plastic bit by bit without affecting plastic pressing down on the switches and then gluing the switches down permanently from the opening. Or if I was any good at electronics, I wouldn't be so arrogant and would acknowledge the impossibility of the feat.

what do you think of the goot RX-802AS solder station

The driver for the anti-tamper is located???

Chip & pin machine in the UK.

have you changed your camera? FPS seems smoother

Someone can empty it out and stuff their own circuits in it...

I have a question for those in the know about these. I networked a friends shop, they had one of these exact terminals, i noticed it had ethernet,as they pay for a dedicated phone line for their terminal, i suggested they use the ethernet instead, save a few bucks.Never actually tested it, but they contacted their provider (ANZ) and they said it has to use phone line.I find this odd and don't really see the point of having the ethernet connector if you cant use it in place of a bloody phoneline! Unless its something not offered just by their merchant service provider. Anyone care to enlighten me? Anyone run a terminal on internet instead of phoneline, in Aus specifically?

14:37 what it that piece o metal sticking out of the bottom black plastic?

The key pad is upside down, weird.

wow, thats really crappy tamper security (except for the chip). If you just break the cover instead of taking it off by releasing the screws, you can keep the button pressed down.

I believe I may have purchased a USB car charger made in a similar very honourable high quality factory. with generous amounts of applied solder. The silk screen was even burned in places to provide security should anyone attempt the reverse engineer the product.

Jajaa buenisimo, me encanto la serie, porfavor sube la segunda temporada saludos

Most of the pads are very shiny … it looks like these are leaded joints

that is butter smooth.

Would you call "engineering technicians" or "technologists" actual engineers, or would you reserve that title for someone who's gone through at least four years training?

I think people can actually make a fake terminal that looks just like it and replay megstrip / key stroke to the actually device.

Hackers nowadays don't need do physically tamper the devices. They got lan, sd-cards, wifi and other sort of interfaces which are not always 100% securely implemented ;)

Or JBC Soldering Tools CD-2SD Precision Soldering Station - 230V - 2014 EDITION

is that giant square or shielding REAL GOLD?????????????

SAM != SIM

A local company (MWR Labs) have experimented with vulnerabilities in POS machines. Here's a video of them running Flappy Bird and a racing game using software exploits. vimeo.com/user12202355

chip and pin

Ones more just show, better to pay the " man" then try the hard way, why hack a company if they have a 100usd a month staff

whoops, my ears just fell off...

Looks like a ripoff of Ingenico here in the US

@zaprodk zeeeeeeeeeee! Murca!!! You Essay you essay!!!!

I was born in 1994 awesome :-)

I got in trouble for having one of these, apparently they belong to the bank D: I had to return it after buying it for like $30 :(

My iphone works fine

Jazz

I know why everybody came to see this video, ha haaaaaaa ;)

PLEASE try and lower your voice tone. It is SO annoying - all you need to do is try to speak more from your chest. I love your stuff but increasing find I need to turn the sound off to watch.