NEWS No Password, No 2FA, Just "root". White Hat Hacker Gains Full Control Over Popular Payment Terminal

ExcalibuR

The devices are widely used in stores and restaurants, but their security has proven to be illusory.

Payment terminals manufactured by Worldline, ubiquitous in Switzerland, have been found vulnerable to an attack that allows gaining full control of the device in just one minute. The discovered issue affects the Worldline Yomani XR model, installed in supermarkets, cafes, workshops, and other card acceptance points. Despite the external level of protection and a well-thought-out anti-vandal design, the terminal grants root access without a password via a service port if an attacker gains physical access to it.

Analysis revealed that there is an unused debug connector on the back panel of the terminal, hidden under a small cover. By connecting a standard serial cable to it and starting the device, a specialist observed the standard Linux boot process. The terminal runs on kernel version 3.6, built using Buildroot in early 2023, with BusyBox utilities and uClibc libraries. At the end of the boot process, a login prompt appears on the serial console. By typing "root", one can immediately enter the system shell without any authentication.

Physically, the device is built with a high degree of protection. It uses a dual-core processor based on the Arm architecture, tightly packed boards, and a complex tamper detection system. Attempts to open the case or drill into the board trigger protective mechanisms, including irreversible locking and displaying a red screen. A separate battery maintains protection even when power is disconnected.

However, the identified vulnerability bypassed all these measures—the debug interface was not protected. This allowed access to the unencrypted Linux environment responsible for network communication and business logic. A second, more secure environment, running on a dedicated processor, manages the keyboard, display, and card reader, and is activated only when security conditions are met. Although it is impossible to control this second environment directly from the Linux shell, having access to the first environment still poses a danger: it allows for the injection of malicious code, interception of network traffic, or disruption of system updates.

At the time of publication, there are no confirmed cases of user data compromise via this vulnerability; however, experts emphasize the seriousness of the problem. Vendor Worldline was notified, and according to open sources, the flaw has already been fixed in later firmware versions.

Nevertheless, the identified vulnerability points to a broader issue—similar shortcomings may be found in terminals from other manufacturers. Unprotected service interfaces, left for diagnostics or maintenance, often become the weak link even in carefully designed devices. Therefore, when designing and deploying payment solutions on a mass scale, it is important to consider not only cryptographic strength and anti-vandal measures but also to eliminate any unauthorized access paths, including debug ports and test connectors.
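
For teams reviewing firmware of similar devices, the following added example (not part of the original post, and not Worldline's code) checks an unpacked BusyBox/Buildroot root filesystem for the combination described above: a login prompt or shell on a serial device together with a UID 0 account whose password field is empty. The post does not say how the terminal's root login was configured, so the empty password field, the BusyBox `inittab` layout, the serial device name prefixes and all file contents are assumptions constructed for illustration.

```python
# Added example, not from the original post; all file contents are constructed.
SERIAL = ("console", "ttyS", "ttyAMA", "ttymxc")  # assumed serial device prefixes

def passwordless_root_accounts(passwd_text, shadow_text=""):
    """Names of UID 0 accounts whose password field is empty (no password asked)."""
    shadow = dict(l.split(":")[:2] for l in shadow_text.splitlines() if ":" in l)
    hits = []
    for line in passwd_text.splitlines():
        f = line.strip().split(":")
        if len(f) < 7 or f[2] != "0":
            continue
        pw = shadow.get(f[0], "*") if f[1] == "x" else f[1]  # "x": hash is in shadow
        if pw == "":
            hits.append(f[0])
    return hits

def serial_console_entries(inittab_text):
    """(tty, kind) for BusyBox inittab lines, <tty>:<runlevels>:<action>:<process>,
    that start a login prompt or a bare shell on a serial device."""
    found = []
    for raw in inittab_text.splitlines():
        fields = raw.split("#", 1)[0].strip().split(":", 3)
        if len(fields) != 4 or not fields[3].split():
            continue
        tty, _, action, process = fields
        argv = process.split()
        names = [tty] + [a.split("/")[-1] for a in argv[1:]]
        if action not in ("respawn", "askfirst", "once"):
            continue
        if not any(n.startswith(SERIAL) for n in names):
            continue
        prog = argv[0].lstrip("-").split("/")[-1]
        if prog == "getty":
            found.append((tty, "login-prompt"))
        elif prog in ("sh", "ash", "bash"):
            found.append((tty, "bare-shell"))
    return found

def audit(passwd_text, shadow_text, inittab_text):
    """Flag the image when a serial console leads to root without a password."""
    roots = passwordless_root_accounts(passwd_text, shadow_text)
    consoles = serial_console_entries(inittab_text)
    exposed = bool(roots and consoles) or any(k == "bare-shell" for _, k in consoles)
    return {"passwordless_root": roots, "serial_consoles": consoles, "exposed": exposed}

SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\ndaemon:x:1:1:daemon:/usr/sbin:/bin/false\n"
SAMPLE_SHADOW = "root::19400:0:99999:7:::\n"      # empty hash field: no password
HARDENED_SHADOW = "root:*:19400:0:99999:7:::\n"   # "*": password login disabled
SAMPLE_INITTAB = "::sysinit:/bin/mount -a\nttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100\n"
```

Calling `audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_INITTAB)` reports the image as exposed, while the same call with `HARDENED_SHADOW` does not, even though the serial getty is still present.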
 