Vulnerabilities in Android-Driven PAX Payment Terminals


    Banking firms worldwide are increasingly opting for the Android operating system, a robust and popular choice, over custom-built Point of Sale (POS) devices. This significant change signals the replacement of traditional, complex terminals with modern, large touchscreens. Despite Android's known security strengths, integrating custom features with specialized hardware presents unique challenges.


    Undertaking a challenging project, the STM Cyber R&D team reverse-engineered POS devices from the internationally known PAX Technology, whose terminals are gaining traction in Poland. This article presents six identified vulnerabilities within these devices, each designated with its own CVE identifier.

    PAX A920 Device Vulnerabilities
    The Android OS's stringent application sandboxing, a core aspect of the PaxDroid system in PAX devices, ensures that applications do not interfere with each other. Nevertheless, certain apps require higher privileges for specific device functionalities and therefore run with elevated user rights. An attacker who gains root access can influence any app, including those handling payments. While such an attacker cannot reach decrypted data such as credit card information, which is protected in a separate Secure Processor (SP), they can modify the transaction-related data sent to the SP. Gaining control of other high-privilege accounts, such as the system account, significantly widens the attack scope.

    STM Cyber's vulnerability search focused on two primary vectors:
    • Local Code Execution from the Bootloader: This vector requires only access to the device's USB port and no special privileges. Given the nature of POS devices, physical access to them makes this a notable vector. Different PAX models with varied CPU vendors use different bootloaders. STM Cyber identified CVE-2023-4818 in the PAX A920, and found that the A920Pro and A50 are prone to CVE-2023-42134 and CVE-2023-42135, respectively.
    • Privilege Escalation to System User: Present within the PaxDroid system, this vulnerability affects most Android-based PAX POS devices. CVE-2023-42136 notably allows user-to-system account privilege escalation, broadening the attack field.

    The transition to Android-based POS systems by banking companies marks a crucial turn in POS technology. While introducing sophisticated and user-friendly interfaces, this shift also exposes significant security vulnerabilities. STM Cyber's findings in PAX Technology's devices, particularly the PAX A920, emphasize the need for robust security measures in this evolving sector. The range of vulnerabilities, from local code execution to privilege escalation, calls for persistent vigilance in cybersecurity within the dynamic field of digital payments.