Vulnerabilities in Android-Driven PAX Payment Terminals

Skynet-Hosting

New member
In a significant shift, banking companies around the globe are abandoning custom-made Point of Sale (POS) devices in favor of the widely adopted and robust Android operating system. This transition marks the end of traditional, obscure terminals, which are being replaced by devices with large, interactive touchscreens. Android is known for its security and robustness, but integrating and implementing custom features on it still poses challenges, especially when it is paired with custom hardware.

The STM Cyber R&D team took on the task of reverse engineering POS devices produced by the globally recognized PAX Technology, which are quickly being adopted in Poland. The original article details six vulnerabilities found in these devices, each assigned its own CVE identifier; the ones covered in this summary are listed below.

Compromised PAX A920 device
Owing to the rigorous application sandboxing in the Android OS (which underpins the PaxDroid system used in PAX devices), apps are prevented from interfering with each other. Yet some apps need elevated privileges to manage specific device functions and therefore run as a higher-privileged user. An attacker who escalates their privileges to root can manipulate any application, including those involved in payment processing. Although such an attacker cannot access decrypted cardholder data (such as card numbers), which is handled in a separate Secure Processor (SP), they can alter the data the merchant's application sends to the SP, including transaction amounts. Access to other high-privilege accounts, such as the system account, is also critical: it exposes additional attack surface that is not reachable from an ordinary app and so serves as a stepping stone toward root.

In their search for vulnerabilities, STM Cyber concentrated on two main attack vectors:
Local code execution from the bootloader: this approach only needs access to the device's USB port and does not require any privileges on the device, but it does require physical access, which is a realistic precondition given how POS devices are deployed. Different PAX POS models use CPUs from different vendors and therefore have distinct bootloaders, so each model was examined separately. The team identified CVE-2023-4818 in the PAX A920, while the A920Pro and A50 models were susceptible to CVE-2023-42134 and CVE-2023-42135, respectively.

Privilege escalation to the system user: this class of vulnerability lies within the PaxDroid system itself and therefore affects nearly all Android-based PAX POS devices, regardless of CPU vendor. CVE-2023-42136 in particular allows escalation from any user to the system account, significantly expanding the attack surface available to the attacker.

The shift by banking companies to Android-based POS systems marks a pivotal change in the point-of-sale technology landscape. It introduces advanced, user-friendly interfaces but also brings significant security considerations to light. The vulnerabilities discovered by STM Cyber in PAX Technology's devices, especially the widely used PAX A920 model, underscore the complexity and importance of securing these systems. Ranging from local code execution to privilege escalation, they highlight the need for continuous vigilance in the rapidly evolving digital payment arena.