Creative EMV: When a hacker mindset saves a pilot
Opinions expressed are solely my own and do not represent the views or opinions of my employer or clients.
A Transformative Project Begins
At a previous company, we undertook a transformative project that ultimately reshaped the business, establishing a strong presence in the UK and sparking a significant growth phase.
The project focused on upgrading the outdoor payment terminals at the client’s forecourts, encompassing nearly 7,000 units nationwide.
My role was to develop the terminal application and provide ongoing support throughout the EMV certification process and User Acceptance Testing (UAT).
The Initial Pilot in a Controlled Environment
Once the system stabilized, we conducted the first pilot in a highly controlled environment on the client’s campus, using just one terminal. This pilot was an essential step before launching a real-world test.
The Real-World Pilot—A Major Hurdle
The time soon came for a real-world pilot involving eight terminals at a live public forecourt.
I arrived in the country the day before to prepare and install the terminals, but at around 7 PM, as I began loading the software, my heart sank—none of the terminals were accepting the installation packages.
Puzzled and concerned, I kept asking myself, "Why?" Then, the realization hit me—all the terminals were "production" versions.
Payment terminals typically have two versions—development and production—to streamline and accelerate the development process.
Due to security measures, applications on EMV terminals are signed with different keys for each version. Unfortunately, instead of receiving the eight development terminals needed for the pilot, we were sent production terminals, and we lacked the capability to sign production apps.
A Seemingly Hopeless Situation
At that moment, it felt like everything was lost. Canceling the first public pilot would have severely tarnished the project, and waiting at least a week for the necessary hardware to enable production signing was not an option. The situation seemed dire.
The Secret Workaround
However, I had a secret workaround. A couple of months earlier, during some experimental tinkering, I had accidentally bricked one of the two development terminals we had. This mishap forced me to find a way to log into the terminal and recover it.
I won't detail the specific exploit I discovered here. Although the terminal model has been obsolete for quite some time and the manufacturer has already patched the vulnerability, disclosing it could still inspire new attacks on other hardware brands.
Fast forward to the night before the pilot, with the production terminals awaiting application loading—a task that was impossible for us at that time. I began to recall something I had noticed during my earlier experiments that might temporarily trick the terminals into behaving as if they were development versions.
A High-Stakes Solution
With the success of the pilot at stake, I approached my manager and proposed a temporary, albeit unconventional, solution: using the exploit to temporarily return the terminals to development mode and install the applications. I emphasized the importance of promptly informing the terminal producer that we had identified an exploit.
My manager agreed, and we worked through the night, loading the development versions of the apps onto the production terminals.
The Pilot’s Success
By 3 AM, we had finished loading and packing the terminals, just hours before the pilot installation was scheduled.
Although we encountered a few unrelated issues during the installation, the pilot ultimately succeeded, marking a significant milestone in the project.
Two weeks after the pilot deployment, the production-signing hardware arrived, and the pilot terminals' applications were replaced with production-signed versions.
Reflection—The Power of Knowledge
This was one of the most stressful pilot experiences of my career, but it reinforced a valuable lesson: Knowledge is power.
Those experimental "naughty" moments gave me the insights to sideload apps onto the terminals, transforming what seemed like an impossible situation into a viable solution.
Ultimately, the project’s success was a testament to the power of knowledge and the importance of creative problem-solving.