Revealing Vulnerabilities in Android-Based PAX POS Systems.
Banks and payment providers worldwide are moving from custom-built Point of Sale (POS) terminals to devices based on Android. Old-style terminals with small keypads and nested menus are being replaced by touchscreen devices running a general-purpose operating system. Android has a mature security model, but vendors layer custom components on top of it, often to drive specialised payment hardware, and that customisation brings its own risks.
STM Cyber's R&D team reverse-engineered POS devices from PAX Technology, a vendor whose terminals are increasingly common in Poland. This article summarises six vulnerabilities identified in these devices, each assigned its own CVE identifier; four of them are described below.
Breached PAX A920 Device
PaxDroid, the Android build used on PAX devices, inherits Android's application sandbox: each app runs under its own Linux user ID and cannot read or modify another app's data. Some apps, however, need more than an ordinary app's permissions to manage device hardware, and so run under privileged user IDs. An attacker who obtains root access can modify any application, including those that handle payments. Cardholder data such as the card number is processed by a separate Secure Processor (SP) and is not exposed to the attacker, but the transaction data the application sends to the SP (the amount, for example) can be altered before it gets there. Gaining control of other privileged accounts, such as the system user, likewise widens the range of possible attacks.
STM Cyber's investigation into vulnerabilities focused on two primary vectors:
Local Code Execution from the Bootloader: This vector needs nothing more than access to the device's USB port; no privileges on the device are required. Physical access is needed, but that is a realistic assumption for a POS terminal, which is handed to customers by design. PAX models are built on different CPU vendors and therefore ship different bootloaders, so each needed its own finding: CVE-2023-4818 in the PAX A920, CVE-2023-42134 in the A920Pro and CVE-2023-42135 in the A50.
System User Privilege Escalation: This vulnerability in the PaxDroid system affects most Android-based PAX POS devices. CVE-2023-42136 allows escalation from any user on the device to the system account, widening what an attacker can do once they have a foothold.
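The two vectors above, together with the privilege model described earlier, suggest two quick checks on a deployed terminal: is the bootloader and verified-boot state one that would admit code execution over USB, and which packages run as the system user or another reserved UID (the targets and beneficiaries of a system-user escalation). The script below is an added example written for this article; it is not STM Cyber's tooling and not PAX code. It parses the text output of the standard `adb shell getprop` and `adb shell dumpsys package` commands; the sample outputs embedded in it are constructed, not captured from a real device. The property names are standard AOSP ones and may be missing on vendor firmware, so a missing property is reported rather than treated as safe.

```python
"""Posture checks for an Android-based payment terminal.

Added example for this article; not STM Cyber's tooling and not PAX code.
Parses the output of `adb shell getprop` and `adb shell dumpsys package`
and flags (a) a bootloader / verified-boot state that permits code execution
over USB and (b) packages running under privileged (non-app) UIDs.
Property names are standard AOSP names; vendor firmware may omit them, and a
missing property is reported, not assumed safe. Sample outputs are constructed.
"""
import re
from typing import Dict, List, Tuple

SYSTEM_UID = 1000       # the Android "system" user
FIRST_APP_UID = 10000   # ordinary apps are assigned uids from 10000 upward

_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")
_PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
_UID_RE = re.compile(r"^\s*userId=(\d+)")
_SHARED_RE = re.compile(r"^\s*sharedUser=SharedUserSetting\{\S+ (\S+)/(\d+)\}")


def parse_getprop(text: str) -> Dict[str, str]:
    """Parse getprop output, one "[key]: [value]" per line, into a dict."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def check_boot_state(props: Dict[str, str]) -> List[str]:
    """Findings that suggest the USB/bootloader vector may be open."""
    findings: List[str] = []
    state = props.get("ro.boot.verifiedbootstate")
    if state is None:
        findings.append("ro.boot.verifiedbootstate missing: verified boot state unknown")
    elif state != "green":
        findings.append(f"verified boot state is {state!r}, expected 'green'")
    locked = props.get("ro.boot.flash.locked")
    dev_state = props.get("ro.boot.vbmeta.device_state")
    if locked is None and dev_state is None:
        findings.append("no bootloader lock property: cannot confirm the bootloader is locked")
    if locked is not None and locked != "1":
        findings.append("ro.boot.flash.locked != 1: bootloader reports unlocked")
    if dev_state is not None and dev_state != "locked":
        findings.append(f"ro.boot.vbmeta.device_state is {dev_state!r}, expected 'locked'")
    if props.get("ro.debuggable") == "1":
        findings.append("ro.debuggable=1: debug build, adb can run as root")
    return findings


def parse_dumpsys_packages(text: str) -> List[Tuple[str, int, str]]:
    """Extract (package, uid, shared_user_name) triples from dumpsys package output."""
    pkgs: List[Tuple[str, int, str]] = []
    name, uid, shared = None, None, ""
    for line in text.splitlines():
        m = _PKG_RE.match(line)
        if m:
            if name is not None and uid is not None:
                pkgs.append((name, uid, shared))
            name, uid, shared = m.group(1), None, ""
            continue
        m = _UID_RE.match(line)
        if m and name is not None and uid is None:   # first userId= after the header
            uid = int(m.group(1))
            continue
        m = _SHARED_RE.match(line)
        if m and name is not None:
            shared = m.group(1)
    if name is not None and uid is not None:
        pkgs.append((name, uid, shared))
    return pkgs


def privileged_packages(pkgs: List[Tuple[str, int, str]]) -> List[Tuple[str, int, str]]:
    """Packages running as system or any other reserved uid below the app range."""
    return [p for p in pkgs if p[1] < FIRST_APP_UID]


# Constructed sample output, not captured from a real terminal.
SAMPLE_GETPROP = """\
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[ro.debuggable]: [0]
"""

SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.settings] (7a1b2c3):
    userId=1000
    codePath=/system/priv-app/Settings
  Package [com.example.terminalservice] (9f8e7d6):
    userId=1000
    sharedUser=SharedUserSetting{2fc6b8e android.uid.system/1000}
    codePath=/system/priv-app/TerminalService
  Package [com.example.payapp] (1a2b3c4):
    userId=10045
    codePath=/data/app/com.example.payapp-1
"""

if __name__ == "__main__":
    for f in check_boot_state(parse_getprop(SAMPLE_GETPROP)):
        print("BOOT:", f)
    for name, uid, shared in privileged_packages(parse_dumpsys_packages(SAMPLE_DUMPSYS)):
        print(f"PRIV: {name} uid={uid}" + (f" sharedUser={shared}" if shared else ""))
```

On a real device, capture the inputs with `adb shell getprop` and `adb shell dumpsys package` and pass the text to the two parse functions. A package that declares a shared user such as `android.uid.system` is as privileged as one whose own userId is 1000, which is why the `sharedUser=` line is parsed as well; everything below the app UID range is flagged, not just uid 1000, because root, radio, shell and other reserved accounts matter just as much for escalation.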
The move to Android-based POS terminals is a significant change in payment technology. It brings friendlier and more capable interfaces, but it also introduces security challenges of its own. STM Cyber's findings in PAX Technology's devices, the A920 in particular, show why these systems need robust security measures. The vulnerabilities range from local code execution over USB to escalation to the system user, and they underline the need for continued scrutiny in a fast-moving area of digital payments.