Root shell on a credit card terminal

In this project, I started to reverse engineer payment card terminals because they seemed to be an interesting target for security research, given the high stakes involved. Although I initially didn’t know much about this industry, I did expect a ton of security features and a very security-hardened device. And to some degree, this was also correct. First Look The model I went with is a Worldline Yomani XR terminal. Although it seems to be discontinued at the time of writing, this is the model that is everywhere in Switzerland. From big grocery chains to the small repair shop on the corner, everyone has one or a whole fleet of this exact terminal. After booting it up and aimlessly clicking through the UI, I did a quick port scan, but couldn’t find anything interesting. So naturally, I started to take it apart. The housing and the PCBs appear to be well-made. The design consists of multiple PCBs: a small connector board for the outward-facing connectors, the main board, and a vertic ... Read full article.