In a major transition, global banking companies are moving away from bespoke Point of Sale (POS) devices to embrace the widely used and reliable Android operating system. This shift signals the replacement of traditional, less user-friendly terminals with large, interactive touchscreens. Despite Android's reputation for security and robustness, integrating custom solutions with unique hardware presents notable challenges.
The STM Cyber R&D team set out to reverse engineer POS devices from PAX Technology, a well-known global company, which are rapidly gaining popularity in Poland. This article presents an analysis of six vulnerabilities identified in these devices, each with its own CVE (Common Vulnerabilities and Exposures) number.
Vulnerable PAX A920 Device
Due to the Android OS's strict application sandboxing, a foundational element of the PaxDroid system in PAX devices, applications are isolated to prevent mutual interference. However, certain applications require elevated privileges to manage specific functionalities of the device, and so run under higher user privileges. An attacker who successfully gains root access can control any application, including those handling financial transactions. While such attackers cannot obtain decrypted information such as credit card data processed by a separate Secure Processor (SP), they can modify the transaction-related data transmitted to the SP by the merchant application. Gaining control over other high-level accounts, such as the system account, is significant because it widens the scope for potential root-level attacks.
STM Cyber's investigation targeted two main attack vectors:
- Local Code Execution from the Bootloader: This method requires only access to the device's USB port, bypassing the need for high-level privileges. Given that physical access to the POS device is required, it remains a significant attack vector. Various PAX POS models with different CPU vendors employ distinct bootloaders. The team found CVE-2023-4818 in the PAX A920, and identified vulnerabilities CVE-2023-42134 and CVE-2023-42135 in the A920Pro and A50 models, respectively.
- Privilege Escalation to System User: A vulnerability prevalent in the PaxDroid system and most Android-based PAX POS devices. Notably, CVE-2023-42136 allows escalation from any user level to the system account, significantly increasing the potential for exploitation.
The move of banking companies towards Android-based POS systems marks a critical shift in POS technology. While this change introduces more sophisticated and user-friendly interfaces, it also exposes significant security risks. The vulnerabilities found in PAX Technology's devices, particularly the widely used PAX A920 model, emphasize the need for robust security measures. These vulnerabilities, ranging from local code execution to privilege escalation, underline the importance of maintaining constant cybersecurity vigilance in the ever-evolving field of digital payments.