Exposing the Yomani Credit Card Terminal: A Security Deep Dive
In a recent independent security investigation, Stefan Gloor examined the Worldline Yomani XR payment terminal—a device prevalent across Switzerland in retail environments. His detailed teardown and firmware analysis reveal a fascinating blend of strong physical tamper protection and surprisingly weak software defenses.
The Target: Yomani XR Terminal
Gloor chose the Yomani XR model due to its ubiquity in Swiss commerce, even though it's officially discontinued. After an initial UI exploration and basic port scanning yielded little, he moved on to physically dismantling the device.
Hardware Overview
The terminal features multiple PCBs, including:
- Main Board: Houses a dual-core custom Arm SoC known internally as “Samoa II”
- Connector Board: Interfaces with external ports
- Vertical Board: Hosts the card slot
Accompanying components include flash memory and RAM.
Tamper Detection Mechanisms
Instead of traditional tamper switches, Yomani terminals rely on:
- Zebra strip connectors: Sensitive to screw tension; loosening a screw breaks the contact and raises a tamper event
- Battery-backed sensors: Remain armed even when mains power is removed
- Copper trace meshes: Surrounding critical boards to detect physical intrusion attempts
- Flex PCB shielding: Encases the card reader with embedded tamper circuitry
Opening the device without care results in a red "TAMPER DETECTED" screen, halting all interaction.
Firmware Extraction
Despite the tamper lockout, Gloor unsoldered the flash chip and dumped its contents. Unexpectedly, the data was unencrypted, though stored using a custom ECC layout. Reverse engineering the layout revealed:
- Non-standard 694-byte data chunks, each followed by 10 ECC bytes
- A YAFFS2 filesystem with a modified metadata (tag) layout
- A usable filesystem dump, obtained after patching the YAFFS2 tooling to match the altered structure
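The first step of such an extraction is mechanical: drop the ECC bytes, then locate filesystem structures in what remains. The script below is an added example written for this page, not code from Stefan Gloor's write-up. The 694/10 split is taken from the page; everything else about the geometry is my assumption and is labelled as such in the code (three chunks per raw page, so 3 × 704 = 2112 = 2048 + 64, the data-plus-OOB size of a common NAND page, with the first 2048 stripped bytes holding the YAFFS2 chunk payload). The ECC bytes are discarded rather than verified, because the page does not give the ECC algorithm. The sample image is constructed inline.

```python
"""Strip a per-chunk ECC layout from a raw NAND dump and scan for YAFFS2
object headers.  Added example; assumptions are marked below."""
import struct

DATA_LEN = 694                  # from the page
ECC_LEN = 10                    # from the page
CHUNKS_PER_PAGE = 3             # assumption: 3 * 704 == 2112 == 2048 + 64
RAW_PAGE = CHUNKS_PER_PAGE * (DATA_LEN + ECC_LEN)   # 2112
STRIPPED_PAGE = CHUNKS_PER_PAGE * DATA_LEN          # 2082
YAFFS_CHUNK = 2048              # assumption: payload of one YAFFS2 chunk

# yaffs_obj_hdr: u32 type, u32 parent_obj_id, u16 sum (0xFFFF), char name[256] at offset 10
YAFFS_OBJECT_TYPES = {1: "file", 2: "symlink", 3: "directory", 4: "hardlink", 5: "special"}


def strip_ecc(raw):
    """Drop the ECC_LEN trailing bytes of every (DATA_LEN + ECC_LEN) chunk."""
    if len(raw) % (DATA_LEN + ECC_LEN):
        raise ValueError("dump length is not a multiple of the chunk size")
    out = bytearray()
    for off in range(0, len(raw), DATA_LEN + ECC_LEN):
        out += raw[off:off + DATA_LEN]
    return bytes(out)


def find_object_headers(stripped):
    """Return (page_index, type_name, parent_id, name) for every stripped page
    whose first bytes parse as a plausible YAFFS2 object header."""
    hits = []
    for page_no, off in enumerate(range(0, len(stripped), STRIPPED_PAGE)):
        page = stripped[off:off + YAFFS_CHUNK]
        if len(page) < 11:
            continue
        obj_type, parent, sum_field = struct.unpack_from("<IIH", page, 0)
        if obj_type not in YAFFS_OBJECT_TYPES or sum_field != 0xFFFF:
            continue
        name = page[10:10 + 256].split(b"\x00", 1)[0]
        if not name or not all(0x20 <= b < 0x7F for b in name):
            continue                      # not a printable NUL-terminated name
        hits.append((page_no, YAFFS_OBJECT_TYPES[obj_type], parent, name.decode()))
    return hits


def _make_header_page(obj_type, parent, name):
    """Constructed test data: a YAFFS2 object header at the start of a page."""
    page = bytearray(b"\xff" * YAFFS_CHUNK)
    struct.pack_into("<IIH", page, 0, obj_type, parent, 0xFFFF)
    page[10:10 + len(name)] = name.encode()
    page[10 + len(name)] = 0
    return bytes(page)


def _to_raw(pages):
    """Inverse of strip_ecc, used only to build the sample image: pad each page
    to STRIPPED_PAGE and insert dummy ECC bytes after every DATA_LEN bytes."""
    raw = bytearray()
    for page in pages:
        page = page.ljust(STRIPPED_PAGE, b"\xff")
        for i in range(CHUNKS_PER_PAGE):
            raw += page[i * DATA_LEN:(i + 1) * DATA_LEN]
            raw += b"\xee" * ECC_LEN      # placeholder ECC, never verified
    return bytes(raw)


# Constructed sample image: a directory header, a file header, one data page.
SAMPLE_RAW = _to_raw([
    _make_header_page(3, 1, "etc"),
    _make_header_page(1, 2, "inittab"),
    b"::sysinit:/etc/init.d/rcS\nttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100\n",
])

if __name__ == "__main__":
    for page_no, kind, parent, name in find_object_headers(strip_ecc(SAMPLE_RAW)):
        print(f"page {page_no}: {kind} parent={parent} name={name}")
```

On a real dump the geometry constants are the thing to get right first: if the header scan finds nothing, step the page stride through neighbouring values before blaming the ECC assumption.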
System Insights
From the dump, it became clear:
- The device runs Linux kernel 3.6.0, built with Buildroot 2010.02
- The firmware was compiled in February 2023, yet uses outdated components such as:
  - uClibc (last updated 13 years ago)
  - libcrypt version 0.9.26
- Bootloader: A proprietary "Booter v1.7"
The Root Shell Surprise
With the flash chip soldered back onto the board, Gloor probed the device's debug header with a logic analyzer. He found an active UART carrying the full Linux boot log, ending in a login prompt.
Testing the default username:
samoa login: root
~ #
He gained root access with no password, even in tamper-detected mode.
Serial Port Accessibility
Critically, the debug interface is externally reachable through a hatch on the rear of the device. This means:
- No need to open the enclosure
- No tamper alert is triggered
- Roughly 30 seconds of physical access suffice to install malware on the Linux core
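The shell exists because two ordinary Buildroot defaults survived into production: an `inittab` entry that spawns `getty` on the serial console, and a root account with an empty password field. Once a filesystem dump is in hand, both can be checked offline. The audit script below is an added example, not code from the page or from Worldline; the `/etc/inittab`, `/etc/passwd` and `/etc/shadow` contents are constructed to look like a typical Buildroot image (the real Yomani files are not reproduced on the page), and the hardened variant shows the two changes that close the hole.

```python
"""Audit an extracted root filesystem for an unauthenticated serial root shell.
Added example; sample file contents are constructed, not from the device."""
import os
import re
import tempfile

# BusyBox inittab line: <id>:<runlevel>:<action>:<process>
SERIAL_GETTY = re.compile(
    r"^[^#:]*:[^:]*:(?:respawn|askfirst|once):.*\b(?:getty|agetty|mingetty)\b"
    r".*\b(ttyS\d+|ttyAMA\d+|ttyUSB\d+|console)\b"
)


def serial_gettys(inittab_text):
    """Return the serial devices on which inittab spawns a login prompt."""
    devs = []
    for line in inittab_text.splitlines():
        m = SERIAL_GETTY.match(line.strip())
        if m:
            devs.append(m.group(1))
    return devs


def root_password_field(shadow_text, passwd_text):
    """Return root's password hash field: '' means no password, '*' or '!'
    means locked, None means no root entry found.  /etc/shadow wins."""
    for text in (shadow_text, passwd_text):
        for line in text.splitlines():
            fields = line.split(":")
            if fields[0] == "root" and len(fields) > 1:
                return fields[1]
    return None


def audit_rootfs(root):
    """Return a list of findings for the root filesystem extracted under `root`."""
    def read(rel):
        path = os.path.join(root, rel.lstrip("/"))
        return open(path).read() if os.path.exists(path) else ""

    gettys = serial_gettys(read("/etc/inittab"))
    pw = root_password_field(read("/etc/shadow"), read("/etc/passwd"))
    findings = []
    if gettys:
        findings.append("login prompt spawned on serial console(s): " + ", ".join(gettys))
    if pw == "":
        findings.append("root has an empty password field")
    if gettys and pw == "":
        findings.append("CRITICAL: unauthenticated root shell reachable over UART")
    return findings


# Constructed sample filesystems.
VULNERABLE = {
    "etc/inittab": "::sysinit:/etc/init.d/rcS\nttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100\n",
    "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
    "etc/shadow": "root::10933:0:99999:7:::\n",
}
HARDENED = {
    "etc/inittab": "::sysinit:/etc/init.d/rcS\n# no getty on the debug UART in production builds\n",
    "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
    "etc/shadow": "root:*:10933:0:99999:7:::\n",
}


def write_rootfs(files):
    """Materialise a dict of relative path -> content in a temp dir."""
    root = tempfile.mkdtemp()
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for label, files in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit_rootfs(write_rootfs(files)) or ["no findings"])
```

Removing the `getty` line is the stronger fix: a locked root password still leaves a login prompt that can be fingerprinted, and a bootloader console one step earlier in the boot chain would not be caught by this check at all.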
Dual-Core Security Design
Despite this glaring flaw, the device architecture mitigates certain risks:
- The main Linux OS (mp2 core) handles networking and UI logic
- The secure processor (mp1 core) manages sensitive operations like:
- Card reading
- Display output
- PIN entry
The secure processor only boots if the Linux-controlled bootloader verifies that no tampering occurred. If tamper is detected, the secure image (encrypted and signed) is not loaded. Note the trust direction here: the decision to boot the secure core is made on the side an attacker can already control. Root on the Linux core does not give the ability to forge the signed, encrypted secure image, but it does give the ability to withhold it, which amounts to denial of service rather than compromise of card data.
Conclusion
While finding an unauthenticated root shell on a production payment terminal is alarming, the layered architecture keeps the critical functions isolated: no direct access to card data or PIN entry components was found from the insecure Linux core. That core does, however, own the network stack and UI logic, so a persistent implant there is still a foothold on the merchant's network.
Still, leaving a root login on a production device—especially one externally accessible—is a massive engineering oversight. Whether this was an accidental inclusion or a forgotten debug feature remains unclear.
Disclosure Timeline
- 14 Nov 2024 – Discovery
- 15 Nov 2024 – Vendor notified (90-day disclosure announced)
- 18 Nov 2024 – Acknowledged by vendor
- 01 Jun 2025 – Public disclosure
Reference
Original article by Stefan Gloor:
👉 https://stefan-gloor.ch/yomani-hack