Banking firms worldwide are increasingly opting for the Android operating system, a robust and popular choice, over custom-built Point of Sale (POS) devices. This significant change signals the replacement of traditional, complex terminals with modern, large touchscreens. Despite Android's known security strengths, integrating custom features with specialized hardware presents unique challenges.
Undertaking a challenging project, the STM Cyber R&D team reverse-engineered POS devices from the internationally known PAX Technology, a vendor gaining traction in Poland. This article reveals six identified vulnerabilities within these devices, each designated with its own CVE identifier.
PAX A920 Device Vulnerabilities
The Android OS's stringent application sandboxing, a core aspect of the PaxDroid system in PAX devices, ensures that applications do not interfere with each other. Nevertheless, certain apps require higher privileges for specific device functionalities and therefore run with elevated user rights. An attacker who gains root access can influence any app, including those handling payments. While such an attacker cannot reach decrypted data such as credit card information, which is protected in a separate Secure Processor (SP), they can modify the transaction-related data sent to the SP. Gaining control of other high-privilege accounts, such as the system account, significantly widens the attack surface.
STM Cyber's vulnerability search focused on two primary vectors:
- Local Code Execution from the Bootloader: This method requires only access to the device's USB port and no special privileges. Given the nature of POS devices, physical access to them makes this a notable vector. Different PAX models with different CPU vendors use their own bootloaders. STM Cyber identified CVE-2023-4818 in the PAX A920, and found that the A920Pro and A50 are prone to CVE-2023-42134 and CVE-2023-42135, respectively.
- Privilege Escalation to System User: Present within the PaxDroid system, this vulnerability affects most Android-based PAX POS devices. CVE-2023-42136 notably allows user-to-system account privilege escalation, broadening the attack field.
The transition to Android-based POS systems by banking companies marks a crucial turn in POS technology. While introducing sophisticated and user-friendly interfaces, this shift also exposes significant security vulnerabilities. STM Cyber's findings in PAX Technology's devices, particularly the PAX A920, emphasize the need for robust security measures in this evolving sector. The range of vulnerabilities, from local code execution to privilege escalation, calls for persistent vigilance in cybersecurity within the dynamic field of digital payments.