Swiss Payment Terminal Flaw: Unencrypted Firmware & Accessible Root Shell
2025-06-01
A security researcher reverse-engineered the Worldline Yomani XR, a payment terminal widely used in Switzerland, and found unencrypted firmware and a publicly accessible root shell. Despite the device's physical tamper protection, the debug port is externally accessible, allowing attackers to gain root access and deploy malware within 30 seconds. However, deeper analysis revealed that the Linux system doesn't handle sensitive data (like card details); a separate processor, whose firmware is encrypted and signed, manages security functions. While this is a significant software engineering oversight, the direct risk may be less than initially feared.