Uncovering Risks in Android-Powered PAX POS Devices.

Even though in managing a hosting company we often deal with electronic transactions, I believe it would be wise to consider that the new technologies being implemented more frequently can introduce certain vulnerabilities in running a business.
In a major transition, global banking companies are moving away from bespoke Point of Sale (POS) devices to embrace the extensively used and reliable Android operating system. This shift signals the replacement of traditional, less user-friendly terminals with expansive, interactive touchscreens. Despite Android's reputation for security and durability, integrating custom features with unique hardware presents notable challenges.



The STM Cyber R&D team embarked on reverse engineering POS devices from PAX Technology, a well-known global entity, which are rapidly gaining popularity in Poland. This article presents an analysis of six vulnerabilities identified in these devices, each with its own CVE (Common Vulnerabilities and Exposures) number.

Vulnerable PAX A920 Device
Due to Android OS's strict application sandboxing, a foundational element of the PaxDroid system in PAX devices, applications are isolated to prevent mutual interference. However, certain applications require increased privileges to manage specific functionalities of the device, operating under higher user privileges. An attacker who successfully gains root access can control any application, including those handling financial transactions. While such attackers are unable to reach decrypted information like credit card data processed by a separate Secure Processor (SP), they can modify the transaction-related data transmitted to the SP by the merchant application. Gaining control over other high-level accounts, such as the system account, is vital as it widens the scope for potential root-level attacks.

STM Cyber's investigation targeted two primary attack vectors:

1. Local Code Execution from the Bootloader: This method demands only access to the device's USB port, bypassing the need for high-level privileges. Given that physical access to the POS device is required, it remains a significant attack vector. Various PAX POS models with different CPU vendors employ distinct bootloaders. The team found CVE-2023-4818 in the PAX A920, and identified vulnerabilities CVE-2023-42134 and CVE-2023-42135 in the A920Pro and A50 models, respectively.
2. Privilege Escalation to System User: A vulnerability prevalent in the PaxDroid system and most Android-based PAX POS devices. Notably, CVE-2023-42136 allows for escalation from any user level to the system account, substantially increasing the potential for exploitation.

The move of banking companies towards Android-based POS systems marks a critical shift in POS technology. While this change introduces more sophisticated and user-friendly interfaces, it also exposes significant security risks. The vulnerabilities found in PAX Technology's devices, particularly the widely utilized PAX A920 model, emphasize the need for robust security measures. These vulnerabilities, spanning from local code execution to privilege escalation, underline the importance of maintaining constant cybersecurity vigilance in the ever-evolving field of digital payments.