Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

A security researcher reverse engineered a Worldline Yomani XR payment terminal and discovered an exposed root shell accessible via serial console without authentication. Despite sophisticated tamper detection mechanisms using pressure-sensitive connectors and copper traces, the debug interface remained accessible through an external hatch. The researcher extracted unencrypted firmware using chip-off techniques, revealing an outdated Linux system (kernel 3.6 from 2023). However, the security impact is limited because the Linux system only handles networking and updates, while sensitive payment operations run on a separate, encrypted secure processor.

Root Shell on Credit Card Terminal

In every sane system I know, it is the secure system that starts first and eventually loads insecure part (upon verification), not the other way around…
Once more, a “secure device” and a “secure banking device” are related exactly like a “cat” and a “caterpillar”.
<hr>
Explanation: If paying damage to compromised clients is cheaper than securing system, they will stick to faulty system. Someone stole you a $1000, you get this $1000 back (eventually, a year later) - they don’t care you lost flight/payment due/was left with no money abroad.
Fines for preventable accidents should be so severe the CEO would feel them personally.

Good work. Seems like it was a really fun project :)