Root shell on a credit card terminal

Original Article ↗ Hacker News Discussion ↗

Architecture and Scope of the Hack

  • Terminal has two processors: a “secure” one (mp1) handling card, PIN, crypto, and display; and an “insecure” Linux one (mp2) handling networking, updates, and business logic.
  • The root shell was obtained only on mp2. Card, keypad, and secure display paths appear to be mediated via mp1 and not directly accessible from Linux.
  • Secure firmware and its loader (“loadercode”) are signed and integrity‑checked, likely by a ROM or secure element; attempts to tamper with loadercode caused boot failure.

Risk to Card Data and Transactions

  • Multiple commenters highlight that, per the article, sensitive data (PANs, PINs) do not appear reachable from the Linux side.
  • Modern chip/tap cards behave like small HSMs, signing transaction data with on‑card keys and often using dynamic per‑transaction cryptography.
  • Some argue that with physical/root access “you’re owned,” but others emphasize the split architecture: the compromised OS is more like a network modem than a card‑handling stack.

Physical Access, Tamper Logic, and Keys

  • Tamper detection is described as hardware‑implemented, with both processors reading dedicated registers; commenters believe it cannot be trivially spoofed from Linux.
  • When tamper triggers, working keys are zeroed and must be re‑injected; this is standard practice for EMV terminals.
  • Denial of service via physical abuse (drop, water) is seen as easier than any software DoS.

Potential Attack Vectors Discussed

  • Plausible impacts of mp2 compromise: denial of service (boot loops), man‑in‑the‑middle on networking, and possibly abusing firmware‑update tooling if signing/authorization is weak.
  • People discuss theoretical attacks like changing displayed vs actual amount or redirecting funds, but multiple replies note that:
    • Amount display and PIN entry on certified terminals are typically under secure‑kernel control.
    • Merchant IDs and settlement accounts are enforced by back‑end processors; mismatches are rejected or easily reversed.

EMV, Magstripe, and Ecosystem Context

  • Thread contrasts EMV chip/tap (dynamic, harder to skim/clone) with magstripe (static, easily skimmed); some note this terminal still has a magstripe reader.
  • Discussion covers offline transactions, airline/restaurant behavior, and merchant‑cloned POS fraud, but these are framed as ecosystem/contract issues more than terminal‑root issues.

Meta / Hacker Culture

  • Many praise the write‑up as “real hacking”: hardware teardown, UART discovery, BGA rework, and reverse‑engineering.
  • Some lament that such hands‑on technical work is rarer on HN amid LLM and startup content.