Root shell on a credit card terminal
s project, I started to reverse engineer payment card terminals because they seemed to be an interesting target for security research, given the high stakes involved. Although I initially didn’t know much about this industry, I did expect a ton of security features and a very security-hardened device.
Many embedded Linux systems will have such a more or less exposed serial console, but most of the time the login is disabled altogether or a random, hard-to-crack password is either hard-coded or generated at boot. This loader code checks whether the tamper protections have been triggered and, based on the result, either shows the red screen or continues to boot the actual “secure” image (mp1.img, in the Linux filesystem). While still being a huge unnecessary attack surface, and a massive oversight from the engineers in my opinion, I could not find any evidence that sensitive data, such as card details, could become compromised this way.