Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

A security researcher reverse engineered a Worldline Yomani XR payment terminal and discovered an exposed root shell accessible via serial console without authentication. Despite sophisticated tamper detection mechanisms using pressure-sensitive connectors and copper traces, the debug interface remained accessible through an external hatch. The researcher extracted unencrypted firmware using chip-off techniques, revealing an outdated Linux system (kernel 3.6 from 2023). However, the security impact is limited because the Linux system only handles networking and updates, while sensitive payment operations run on a separate, encrypted secure processor.

Root Shell on Credit Card Terminal

In every sane system I know, it is the secure system that starts first and eventually loads insecure part (upon verification), then the other way around…
Once more, a “secure device” and a “secure banking device” are related exactly like a “cat” and a “caterpillar”.

Good work. Seems like it was a really fun project :)