On January 15, 2024, the STM Cyber R&D Team reported several security flaws affecting Android-based point of sale (PoS) devices used by a number of unnamed financial institutions. The tests were conducted on devices made by PAX Technologies and operating in Poland; however, some of these vulnerabilities apply to all Android-based PoS devices.
As the report notes, Android sandboxing segregates applications and keeps the payee's data, including payment method and details, encrypted within a secure processor. However, the STM Cyber R&D Team argues that there are two attack vectors for local privilege escalation (LPE) that would let an actor tamper with transactions:
Should the attacker be able to connect to the PoS via USB, they may be able to execute code from the bootloader with no privilege beyond user mode, which would be sufficient to gain root. As unlikely as such an attack may seem in real life, social engineering schemes work more often than one would commonly think: the attacker may impersonate a technician or personnel of the financial institution, including security staff allegedly, and ironically, helping the PoS user prevent fraud.
The attacker may be able, via malware injection or exploitation of other vulnerabilities, to raise their privilege level to system level, which expands the attack surface.
Below is a breakdown of the vulnerabilities, the devices tested, and additional data as reported by the STM Cyber R&D Team:
| Tracking | CVSS | Affected | Vulnerability |
| --- | --- | --- | --- |
| CVE-2023-42134 | 7.6 | PAX A920Pro/PAX A50, version PayDroid 8.1.0_Sagittarius_11.1.50_20230314 | Local code execution as root via kernel |
| CVE-2023-42135 | 7.6 | PAX A920Pro/PAX A50, version PayDroid 8.1.0_Sagittarius_V02.9.99T9_20230919 | Local code execution as root via kernel |
| CVE-2023-42136 | 8.8 | All Android-based PAX POS devices are impacted. The test was reportedly conducted on PayDroid 11.1.50_20230614 | LPE via code injection in fastboot |
| CVE-2023-42137 | 8.8 | All Android-based PAX POS devices are impacted. The test was reportedly conducted on PayDroid 11.1.50_20230614 | LPE via code injection in fastboot |
| CVE-2023-4818 | 7.3 | PAX A920 | LPE via bootloader downgrading |
Interestingly enough, the STM Cyber R&D Team identified an additional vulnerability, tracked as CVE-2023-42133, whose details remain "reserved," potentially due to its severity. However, no details have been provided to support any assessment.