Credit Card Payment Terminal Exploited for Remote Access


A security researcher has uncovered a significant vulnerability in a widely used payment terminal that could enable attackers to gain full control of the device in under a minute.

The affected model, the Worldline Yomani XR, is found in grocery stores, cafes, repair shops, and many other businesses across Switzerland.

Despite its reputation as a hardened, tamper-protected device, the terminal’s maintenance port exposes an unauthenticated root shell, handing full control of the device to anyone with brief physical access.

Unlocked Root Shell and Accessible Debug Port

When first powered on, the terminal appears to behave normally. A quick network scan yields no open ports.

However, internal analysis revealed an unpopulated debug connector on the device’s back panel, hidden under a small service hatch. By attaching a simple serial cable and powering the terminal, the researcher observed a standard Linux boot log.

Image: terminal screen showing the red “TAMPER DETECTED” message

The system runs a Linux 3.6 kernel built with Buildroot in early 2023, with BusyBox utilities and the uClibc C library. At the end of the boot sequence, a login prompt appears on the serial console.

Entering “root” at the prompt grants immediate access to a full root shell. No password barrier, no encryption, just one word.

Once inside, an attacker could install malware, capture transaction data, or pivot into back-end networks.
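The condition described above has two ingredients in a Buildroot/BusyBox image: an /etc/inittab that spawns getty on a serial port, and an /etc/shadow entry for root whose password field is empty, so login accepts the bare username. The script below audits an extracted root filesystem (for example one unpacked from a flash dump) for exactly that combination, and also flags inittab lines that hand out a shell with no login step at all. It is an added example written for this page, not code from the original article, from the researcher or from Worldline; the sample root filesystems, file contents and device-name patterns are constructed for illustration and are not taken from the terminal’s actual firmware.

```python
"""Audit an extracted embedded Linux rootfs for a passwordless root login on a
serial console.  Added example (not from the article or the vendor); the sample
root filesystems built by demo() are constructed here for illustration."""
import re
import tempfile
from pathlib import Path

# Device names commonly used for UART consoles on embedded boards (assumption).
SERIAL_TTY = re.compile(r"\btty(?:S|AMA|mxc|O|USB|PS)\d+\b")
LOGIN_SHELLS = ("/bin/sh", "/bin/ash", "/bin/bash", "/bin/dash")


def audit_inittab(text):
    """Return (serial_gettys, bare_shells) found in a BusyBox-style inittab.

    BusyBox inittab lines are <id>:<runlevels>:<action>:<process>; the <id> field is
    the controlling tty, so a serial port may appear there, in the getty arguments,
    or both.  Only respawn/askfirst entries give an interactive prompt after boot.
    """
    gettys, bare_shells = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) != 4:
            continue
        tty_id, _runlevels, action, process = parts
        if action not in ("respawn", "askfirst"):
            continue
        serial = SERIAL_TTY.search(tty_id) or SERIAL_TTY.search(process)
        tokens = process.lstrip("-").split()
        if "getty" in process and serial:
            gettys.append(line)
        # A shell binary run directly by init skips login(1) entirely.
        elif tokens and tokens[0] in LOGIN_SHELLS:
            bare_shells.append(line)
    return gettys, bare_shells


def passwordless_accounts(shadow_text, passwd_text):
    """Return account names with an interactive shell and an empty hash in shadow.

    An empty second field in /etc/shadow means no password is asked for at all;
    '*', '!' or '!!' lock the account and anything else is a hash login will check.
    """
    shells = {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7:
            shells[f[0]] = f[6]
    weak = []
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) >= 2 and f[1] == "" and shells.get(f[0]) in LOGIN_SHELLS:
            weak.append(f[0])
    return weak


def audit_rootfs(root):
    """Audit a rootfs tree rooted at `root` (e.g. unpacked from a flash image)."""
    root = Path(root)

    def read(rel):
        p = root / rel
        return p.read_text() if p.exists() else ""

    gettys, bare_shells = audit_inittab(read("etc/inittab"))
    weak = passwordless_accounts(read("etc/shadow"), read("etc/passwd"))
    # Root shell over the UART: a serial getty plus a passwordless root account,
    # or init spawning a shell directly without going through login.
    exposed = bool(bare_shells) or (bool(gettys) and "root" in weak)
    return {"serial_gettys": gettys, "bare_shells": bare_shells,
            "passwordless": weak, "serial_root_shell": exposed}


def write_rootfs(base, inittab, shadow, passwd):
    """Write a minimal constructed rootfs containing the three files the audit reads."""
    etc = Path(base) / "etc"
    etc.mkdir(parents=True, exist_ok=True)
    (etc / "inittab").write_text(inittab)
    (etc / "shadow").write_text(shadow)
    (etc / "passwd").write_text(passwd)
    return base


# Constructed samples.  WEAK is the pattern described in the article: getty on the
# UART and a root entry with an empty password field.  HARD drops the serial getty
# and locks root, the shape a Buildroot image takes with BR2_TARGET_GENERIC_GETTY
# and BR2_TARGET_ENABLE_ROOT_LOGIN both disabled.
PASSWD = "root:x:0:0:root:/root:/bin/sh\nnobody:x:65534:65534:nobody:/:/bin/false\n"
WEAK_INITTAB = ("::sysinit:/etc/init.d/rcS\n"
                "ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100\n"
                "::shutdown:/etc/init.d/rcK\n")
WEAK_SHADOW = "root::10933:0:99999:7:::\nnobody:*:10933:0:99999:7:::\n"
HARD_INITTAB = "::sysinit:/etc/init.d/rcS\n::shutdown:/etc/init.d/rcK\n"
HARD_SHADOW = "root:*:10933:0:99999:7:::\nnobody:*:10933:0:99999:7:::\n"


def demo():
    """Audit both constructed images; returns (weak_report, hardened_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        weak = audit_rootfs(write_rootfs(Path(tmp) / "weak", WEAK_INITTAB, WEAK_SHADOW, PASSWD))
        hard = audit_rootfs(write_rootfs(Path(tmp) / "hard", HARD_INITTAB, HARD_SHADOW, PASSWD))
    return weak, hard


if __name__ == "__main__":
    for name, report in zip(("weak", "hardened"), demo()):
        print(name, report)
```

Run against a real extracted image, point `audit_rootfs` at the unpacked root; `serial_root_shell` is true only when a serial getty and a passwordless root coexist, or when init spawns a shell directly, which is the same reachability question the serial-cable test answers in hardware.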

Physically, the Yomani XR is impressively engineered. The terminal uses a custom dual-core Arm ASIC (“Samoa II”), multiple tightly packed PCBs, and extensive tamper detection features.

Image: BGA flash chip of the card terminal desoldered and connected to a flash reader

Pressure-sensitive zebra strips and zig-zag copper traces on each board detect unauthorized disassembly by breaking circuits.

A coin-cell battery keeps the tamper protection armed even when mains power is removed. Exposing the wiring or drilling into a PCB triggers an irreversible red “TAMPER DETECTED” screen, rendering the terminal inoperable.

Yet these hardware safeguards do not cover the debug interface. An unauthenticated serial console sitting outside the tamper envelope undermines the design’s overall security goals.

Further firmware analysis shows the terminal actually runs two separate processing environments.

The first core boots an “insecure” Linux application that handles network communication and general business logic.

This core is responsible for loading a second, “secure” firmware image onto a dedicated processor that manages the card reader, keypad, and display.

That secure image is encrypted and signed, and only runs if tamper protections are intact. As a result, even if attackers access the Linux shell, they cannot directly manipulate card handling without breaching the secure core.

However, compromise of the application core still poses significant risk. Attackers could disrupt updates, log network traffic, or install backdoors to later target the secure processor.

While no public evidence exists of stolen card data through this route, the exposure of an unprotected root shell remains a critical oversight.

Merchants relying on these terminals should inspect the service hatch and debug connector of each device for signs of tampering, and ask vendors for firmware updates that disable the external debug port.

Worldline has been notified and reportedly fixed the issue in later firmware releases. Until those updates are widely deployed, terminal operators face an unnecessary risk hidden beneath robust hardware defenses.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.