Verifone Terminals Run Linux

That’s a Verifone credit card terminal at the King Soopers #1 (13th and Speer in Denver, a.k.a. “Scary Soopers”) pharmacy, November 12, 2020.

What are all the packages?

What can we learn from this display?

[Image: crashed Verifone credit card terminal]

Packages

  • alsa-lib 1.0.0, github.com/alsa-project/alsa-lib has 1.0.3 from Feb of 2004.
  • busybox 1.2.6, busybox.net says 1.2.2 is 2006-10-24, 1.3.0 2006-12-13
  • captouch-flash - might be something to do with “capacitative touch sensing”
  • cdgnetcfg ?
  • cdgnetctrl ?
  • dropbear - SSH server, 2012.55.3. There is a CVE for versions before 2012.55
  • ecr-lib ?
  • fancypants - proprietary, an Advanced Graphics Platform for Embedded Linux, Verifone is a licensee
  • fonts-flash ?
  • hantrolib - possibly a driver for video displays manufactured in Korea
  • i2c-tools 1.0.0 - utilities for manipulating I2C devices. v3-0-0 from Oct 2007
  • kmods - probably kernel modules package
  • libgpl ?
  • libgraphic ?
  • libvp ?
  • libvpcfg ?
  • logapi ?
  • logo_screen ?
  • mxlegacy ?
  • netutils ?

alsa-lib, dropbear, mxlegacy and busybox taken together indicate a Linux system.
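To make the version comparison in the list above repeatable, here is an added example (not part of the original post) that reads a package inventory and places each version against the reference points the list gives. The `INVENTORY` text is constructed from the versioned entries above, and treating dropbear's trailing `.3` as one more numeric version component is an assumption.

```python
import re

# Reference points exactly as given in the package list above (version, date).
UPSTREAM = {
    "alsa-lib":  [("1.0.3", "Feb 2004")],
    "busybox":   [("1.2.2", "2006-10-24"), ("1.3.0", "2006-12-13")],
    "i2c-tools": [("v3-0-0", "Oct 2007")],
}
# The list notes a CVE for dropbear versions before this one.
CVE_BEFORE = {"dropbear": "2012.55"}

# Constructed input: entries from the display typed as "name version" lines.
INVENTORY = """\
alsa-lib 1.0.0
busybox 1.2.6
dropbear 2012.55.3
i2c-tools 1.0.0
kmods
"""

def vkey(version):
    """'1.2.6', 'v3-0-0' and '2012.55.3' all become tuples of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def audit(text):
    """Return {package: [notes]} comparing each version to the reference points."""
    report = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        name = fields[0]
        if len(fields) < 2:
            report[name] = ["no version shown"]
            continue
        have, notes = vkey(fields[1]), []
        for ref, date in UPSTREAM.get(name, []):
            relation = "below" if have < vkey(ref) else "at or above"
            notes.append(f"{relation} {ref} ({date})")
        if name in CVE_BEFORE:
            affected = have < vkey(CVE_BEFORE[name])
            notes.append(("inside" if affected else "outside")
                         + f" the 'before {CVE_BEFORE[name]}' CVE range")
        report[name] = notes or ["no reference data"]
    return report

if __name__ == "__main__":
    for package, notes in audit(INVENTORY).items():
        print(f"{package:10} {'; '.join(notes)}")
```

A version string is only an indicator: vendors renumber and backport fixes, so a result here is a prompt to check the firmware itself.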

This Verifone credit card reader uses ALSA to make the clicking or beeping sounds when a user presses keys. fancypants is the GUI software system, a replacement for the X11 windowing system Linux usually uses. The credit card reader has a little video display made in Korea. The credit card reader uses capacitative touch sensing for the user input buttons, and it has an I2C interface for the actual magstripe or card chip reading.

Googling OS Info Version

I did find a Louisiana state government document that listed Verifone 915 POS Terminal Hardware, running

Application Software WIC Director  4.0.14
Operating System                   MX200001
                                   RFS30251000
                                   GUI Manager 3.27
                                   XPI App library is 5300-BUILD4

in an Albertson’s grocery store, certified 24-Aug-18.

That is remarkably similar to what my picture shows, which has some versions earlier (XPI App Library) and some later (GUI Manager).

I presume my picture’s WICIF Version: 4007 is really “4.0.07”, like Albertson’s Application Software WIC Director 4.0.14.

Analysis

I find the presence of busybox (the Swiss Army knife of embedded Linux) and dropbear interesting. That means someone expects to ssh in to the card readers and do things. I bet the i2c-tools are used to diagnose and debug problems with the magstripe and card chip reader(s), but it also seems like an out-of-the-way place to stash files, or maintain access to a grocery store’s network. Or perhaps even a way to steal PINs and card numbers.

Looks like the usual infosec assessment of embedded systems is correct: they’re always some jank Linux with old packages installed, full of vulnerabilities, waiting to be taken advantage of.