October 26, 2021

U.S. federal investigators today raided the Florida offices of PAX Technology, a Chinese provider of point-of-sale devices used by millions of businesses and retailers globally. KrebsOnSecurity has learned the raid is tied to reports that PAX’s systems may have been involved in cyberattacks on U.S. and E.U. organizations.

FBI agents entering PAX Technology offices in Jacksonville today. Source: WOKV.com.

Headquartered in Shenzhen, China, PAX Technology Inc. has more than 60 million point-of-sale terminals in use throughout 120 countries. Earlier today, Jacksonville, Fla.-based WOKV.com reported that agents with the FBI and Department of Homeland Security (DHS) had raided a local PAX Technology warehouse.

In an official statement, investigators told WOKV only that they were executing a court-authorized search at the warehouse as a part of a federal investigation, and that the inquiry included the Department of Customs and Border Protection and the Naval Criminal Investigative Services (NCIS). The FBI has not responded to requests for comment.

Several days ago, KrebsOnSecurity heard from a trusted source that the FBI began investigating PAX after a major U.S. payment processor started asking questions about unusual network packets originating from the company’s payment terminals.

According to that source, the payment processor found that the PAX terminals were being used both as a malware “dropper” — a repository for malicious files — and as “command-and-control” locations for staging attacks and collecting information.

“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”

KrebsOnSecurity reached out to PAX Technology’s CEO on Sunday. The company has not yet responded to requests for comment.

The source said two major financial providers — one in the United States and one in the United Kingdom — had already begun pulling PAX terminals from their payment infrastructure, a claim that was verified by two different sources.

“My sources say that there is tech proof of the way that the terminals were used in attack ops,” the source said. “The packet sizes don’t match the payment data they should be sending, nor does it correlate with telemetry these devices might display if they were updating their software. PAX is now claiming that the investigation is racially and politically motivated.”

The source was unable to share specific details about the strange network activity that prompted the FBI’s investigation. But it should be noted that point-of-sale terminals and the technology that supports them are perennial targets of cybercriminals.

It is not uncommon for payment terminals to be compromised remotely by malicious software and made to collect and transmit stolen information. Indeed, some of history’s largest cyberheists involved point-of-sale malware, including the 2008 breach at Heartland Payment Systems that exposed 100 million payment cards, and the 2013-2014 string of breaches at Target, Home Depot and elsewhere that led to the theft of roughly another 100 million cards.

Even if it were publicly proven today that the company’s technology was in fact a security risk, my guess is few retailers would be quick to do much about it in the short run. The investigation into PAX Technology comes at a dicey time for retailers, many of whom are gearing up for the busy holiday shopping season. What’s more, global computer chip shortages are causing lengthy delays in procuring new electronics.

Update, Oct. 27, 3:08 p.m. ET: Bloomberg reports that FIS Worldpay has removed PAX’s terminals from their infrastructure over security concerns.

FIS Worldpay told Bloomberg the company confirmed that it no longer deploys PAX point-of-sale devices “because it did not receive satisfactory answers from PAX regarding its POS devices connecting to websites not listed in their supplied documentation.”

“While we have no evidence that data running through PAX POS devices has been compromised, we have been working directly with clients to replace those devices with other options at no cost to them and with as little disruption to their business as possible,” Bloomberg reported. “The spokesperson said fewer than 5% of Worldpay clients currently use PAX point-of-sale devices. FIS’s shares were down 6.6% Wednesday afternoon in New York.”

Update, Oct. 27, 7:57 p.m. ET: PAX issued the following statement:

On Tuesday, October 26, 2021, PAX Technology, Inc. in the United States was subject to an unexpected visit from the Federal Bureau of Investigation (FBI) and other government agencies relating to an apparent investigation.

PAX Technology is not aware of any illegal conduct by it or its employees and is in the process of engaging counsel to assist in learning more about the events that led to the investigation.

Separately, we are aware of media reports regarding the security of PAX Technology’s devices and services. PAX Technology takes security very seriously. As always, PAX Technology is actively monitoring its environment for possible threats. We remain committed to providing secure and quality software systems and solutions.

We intend to keep our team and customers apprised of the situation.

In the meantime, it is business as usual at our locations and operations are continuing as normal. The PAX Jacksonville office and warehouse are both open at this time.

Update, Oct. 31, 8:39 p.m.: PAX has issued a Q&A to customers which maintains that concerns over the alleged unexplained traffic from PAX terminals are related to “the optional geolocation feature available on PAX terminals,” and “the use of dynamic IP addresses, commonly used for geolocation.”

“To make geolocation an available feature, PAX SmartPOS terminals utilize a third party geolocation service provider, just as your smartphone does,” the Q&A explains. “These services require devices to communicate geolocation information to third party IP addresses, some of which may be outside the country where the devices are operational.”


165 thoughts on “FBI Raids Chinese Point-of-Sale Giant PAX Technology”

    1. Skyler Ferran

      Think you mean 2012 instead of 2021, unless the folks at B&N have some bad news coming their way!

    2. Paolo Basilio

      Spotted that too Tim, was hoping I’d find a clarification on that here in the comments.

  1. Rick

    Unwilling victim of poor security controls on its devices, or press-ganged / coerced victim of the PLA and other nefarious forces of the CCP? One wonders but based upon the shrill response to inquiries collusion with offensive state forces of the Chinese Communist Party would appear the more likely. In other words this was a strategic attack against the businesses of US and UK.

    1. Thom Smith

      C’mon, man, that is “racially and politically motivated.”

      1. neck sniffer aka "hidden blinden"

        lol c’mon, man, can’t a lying dog face pony corrupt politician make some dirty money the old fashion way?!.. by selling out his country to a known and confirmed enemy?

        my goodness man.. if you don’t trust me?!.. then you ain’t american.

        but hide your kids, fair warning. No move along.. nothin to see here, git!

        1. Richard Turnbull

          Corrupt politicians are all over the spectrum, both ideologically and in terms of the scope and scale of their willingness to engage in criminal acts for monetary rewards.
          The current holder of “most corrupt politician in American history” title of eternal infamy is still active, not yet brought to justice, and may simply avoid the 2024 presidential altogether by claiming it’s “stolen,” and declare himself president.
          As our British cousins put it, “Trump has form” in that regard.
          Thanks to Brian again for helping educate the public, knowledge is power.

          1. the rubicon has been crossed miles ago

            have you conveniently forgotten about antifa, blm burning, looting, killing innocent americans? or what about Hillary and her private server on gooberment servers yet none have been prosecuted or charged.

            maybe once something is done to address those issues.. then people might have a little faith in the fbi.. till then go sell your bs to someone else.

            1. Seditionists be damned

              You can still visit Trump when he goes to prison, don’t cry.
              Black people didn’t cause him to become a traitor, sorry.
              Neither did Antifa. We will deal with your criminal hero.
              (Your call if you want to carry water for traitors ongoing.)

              1. mean jean okerland

                lol, you know neither Hildabeast or Frump will be prosecuted or convicted..

                the extremely wealthy have always fooked over the poor and you nor i or anyone here is included in their club.

                If one or both is convicted and serve time then it was allowed.

          2. denial wil not help you

            have you conveniently forgotten about antifa, blm burning, looting, killing innocent americans? or what about Hillary and her private server on gooberment servers yet none have been prosecuted or charged.

            maybe once something is done to address those issues.. then people might have a little faith in the fbi.. till then go sell your bs to someone else.

            1. Dab

              Hmm, not exactly the pot calling the kettle black, chief.

            2. SeymourB

              So much unconstrained crazy nonsense you had to post it twice, eh?

      2. Rick

        This has little to do with race and everything to do with politics. The Chinese Communist Party through its Ministry of State Security and various branches of the People’s Liberation Army has made it a key strategic imperative to infiltrate the governments and corporations of foreign powers, no matter how big or small, and what ethnicity or nationality for at least a decade. This has been directed at both military espionage and the wholesale theft of commercial trade secrets and intellectual property to support the CCP’s ‘Made in China 2025’ program and others before it.

        The Mandiant APT1 report published in 2013 highlighted the nefarious activities going back years of just one of the PRC’s military units – China’s 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (Military Cover Designator 61398). Of course there are many more. Some, whose activities are directed at western powers and others at the PRC’s neighbors including Taiwan.

        Viewed in isolation through the conceptual lens of innocence this may be just another of many manufacturers of low quality products that failed to adequately secure their technology and who were victimized by cyber criminals from who knows where. Viewed through a different lens this may be a far more nefarious problem of back-doored Chinese made technology sold globally with far darker state espionage purposes. It certainly wouldn’t be the first either.

        1. sniffy

          C’mon Man.. is your full name Ricked Rolled?

          Everyone knows the CCP is the sweetest, kindest, most truth worthy iron fisted dictators on planet earth!
          They’ve even setup nice lodging and housing for the uyghur muslims and promised them liberty and freedom via a steel boot to the face.
          Xinnyy the pooh would be very disappointed in your harsh assessment of the CCP.. he might even think you might think you have dementia or somthin?!!!

          Well best be gettin back to hidden, dont want the possums to get lonely.

        2. Doug

          I have personal experience with their espionage techniques and their efforts are well documented for at least 40 years. The internet just made it easier. They have a superiority complex and disdain for anyone not Chinese.

          1. Badtux

            They remind me of the Japanese in December 1941.

            That worked out well for the Japanese….

            1. Bushman

              Americans today are not the Americans of the 1940s. Already 40% of our population are traitors to the USA who supported and continue to support the overthrow of a fairly elected government based on believing their own lies. Don’t expect the same outcome for the US in a WWIII.

        3. Victor

          Typical paranoia of destruction. It seems that your media has done a very successful job in discrediting the Communist Party. The Communist Party has become a devil in your mind. I think it’s sad that you are full of biased remarks. What China should do is to develop itself through its own strength, not to destroy others. This is something you can’t understand, because you are always full of aggression, superiority and ignorance. I think PAX only wants to do business with you guys, not help the Communist Party. And The Chinese Communist Party will not have such low-level needs. What we have achieved now is beyond the imagination of you fools. We have learned or are learning from you in some areas, just as you have learned from us. Or we all share the common knowledge of mankind in various fields. However, we have surpassed you in some areas, and these areas have been increasing. Put down your arrogance. Only when we all live in peace can the people of the world have a future. Don’t be fooled by politicians.

          1. Robin

            Okay now that you have pointed the finger and laughed in our faces it is time for me to say what matters here. Everyone on this Earth belongs here or else we would not be here. China is a very old Ancient culture Nationality that is so unbelievably misunderstood. No not misunderstood how about misrepresented.

            There is in no way any aggression towards China at all about how we The People of the United States have manipulated our misleading mischievous undertakings and laid them on the Republic of China and for that truth in itself I am so very deeply sorry to have taken this kindness for absolute child’s play.

            I very much know that it is All or none.

            1. anom

              “a very old Ancient culture Nationality that is so unbelievably misunderstood”

              Weird argument to defend fraud… smacks of excuses the company gave…

              CCCP is a totalitarian autocracy run by cabalist kleptocrats at the expense
              of the Chinese people. “Chinese people” are not 1:1 responsible for that,
              as the vast majority (any non-Han) are subjects and not actors in any way.
              That government is a world pariah by any objective measure. No nation
              is perfect but those making excuses for the CCCP are particularly clueless,
              or part and proxy of it. There is no reason to mention “ancient culture” here.
              Corruption and autocracy is also ancient and not to be celebrated or excused,
              nor does any “perfect” nation exist from which to point a perfect finger at it.
              You’re free to point out the flaws of the US system, from within it.
              (Try that in Beijing sometime, we won’t hear from you again.)

          2. mealy

            ” The Communist Party has become a devil in your mind ”

            Au contraire, what a humanitarian organization full of forward thinking leadership.
            /s

        4. Victor

          My comments have been deleted. Is that what you call freedom of speech?

          1. Wayne

            Freedom of speech only applies to government suppressing it. This is a private publication owned by Brian Krebs and moderated by him and the people he employs. They can delete any messages they feel don’t meet the standards of the board, which he sets.

            Just like Twitter banning Donald Trump. That’s not stifling Free Speech. That’s private companies deciding they’re not going to perpetuate gross violation of their published standards.

          2. BrianKrebs Post author

            I don’t see any pending comments from you. I don’t generally delete comments here, except from people who are quick to mistake my automated spam detection system for “censorship”.

          3. WumaoWumaoWumao

            None of your comments have been deleted, dummy. You can take a screenshot of your comment now and collect your 50 cents from the CCP, shill.

      3. Martin Du Toit

        It does feel like it could be Politically motivated.

        1. Uh, no

          If you’re illiterate and know nothing about how this works, sure.

    2. Robin

      Yah but who is to say if it in fact is the Republic of China or buddies on our own turf. Like hmm maybe the White House?

    3. Lovelife

      What a moronic statement. Ask yourself why would a successful company need to involve itself in nefarious activities? Dumb Ass.

  2. David

    I would like to point out a common misunderstanding that appears in this article. It is actually uncommon for payment terminals to be compromised. Many of these devices are typically independently certified and tested under the PTS standard. Payment workstations, the Point of Sale system itself which are PC’s or tablets, are another matter. Many of these POS breaches involved terminals running in a “fully integrated” mode where the POS received the card data and facilitated the communication with the payment processor. I can’t think of a single major breach that was actually the card entry device and not the POS system.

    Pax, like Verifone and Ingenico have many PTS certified terminal models. In this case, if certified devices were responsible for this traffic then that would be huge news! A PAX supplied POS workstation or tablet would seem more likely.

    1. SREDD Coder

      I write payment terminal firmware for a living and you are very naive.

      1. yingste

        Even some of their newer Android based chip card machines are running fairly old versions of android. At least both the a920 and a80 are running something like android 7.

      2. Robert

        I worked at PAX. Same warehouse off beach by the radio stations. This article is true.

      3. WebBiz

        Listen, if you go around telling these salespeople and client managers what’s really going on in the code, they won’t be able to sell your software in good conscience. So let’s just keep everything on a need-to-know basis…

      4. David

        To clarify my point, I am not saying that bugging the code inside a payment terminal is impossible. What I am saying is we don’t have complete or detailed enough information at this point. We don’t even know what the specific product is.

        1. Most reporting on POS/terminal breaches is misleading as reporters do not seem to be aware of the difference. Even Krebs seems to miss this point. (Target, and Home Depot were POS workstation breaches not terminals. The Barnes & Noble Key Pad Breach reporting is unclear if it was a skimmer or unauthorized terminal software – and their solution not to put back the clean devices and use the POS magstripe reader is curious to say the least.)
        2. All things being equal POS breaches are far more likely than terminal breaches.
        3. Reporters don’t always have all the info and the FBI are not disclosing everything they know – so information is incomplete.
        4. We don’t know what PAX product was pulled. They sell terminals (some certified and some not) as well as POS units, and combo units.
        5. Typically, multiple certifications and controls apply to these systems. The terminal hardware and operating firmware, the payment software in the terminal, the POS software in the workstation, the merchant environment. Most people have no idea. Some of these are more rigorous than others.

        Lots of companies have sent out normal products with malware on them (e.g. usb sticks, NAS, etc.). Usually due to sloppy controls. An FBI raid suggests this is something more. But what exactly? Did someone get into PAX? Or is PAX complicit? This is a developing story that will be closely watched.

        If PAX is complicit, it would be easier, less risky, and more plausibly deniable to bug the POS software than the terminal software. Of course any vendor could openly cheat by certifying package 1 and then sending out a modified package 1. They could sign both packages and make them show the same version. They might even be able to bug a certified package in a way that it behaves itself when being tested (like the diesel emissions testing fraud). If this happens, it is a deliberate deception which would be a market betrayal with potentially huge consequences. If this is what this is, then it is huge news.

        In the meantime, watch for more information as this plays out. We need more information to better understand the risk. We need to know the specific products.

        1. SREDD Coder

          You know just enough about how things work to sound like you know what you’re talking about, except that you don’t. If PAX is complicit they could literally do anything they wanted and certifications are totally irrelevant. Our industry uses certifications as security theatre and they have very little to do with actual security. Waving around certifications like they mean something may impress the bros at ETA, but they don’t mean much in the real world. I’ve personally worked for companies that put in all the security safeguards for the QSA, and then ripped them all out as soon as the paperwork was signed. I’ve seen payment devices deployed in the field with 777 unix permissions on the file system. This industry talks about security and they have tons of red tape related to it, but at the end of the day the payments industry is just a bunch of sales bros fighting over basis points and they don’t give a rip about technology or real security.

          1. David

            Then we are in violent agreement!

            If you read what I said, IF PAX was behind this they could do what they want including certifying a product and then backdooring it. That would be huge.

            I also, said we don’t have enough information yet to support that conclusion (i.e. it’s what they refer to as a developing story).

            Let’s see what comes of it.

          2. tylerk

            I spent years doing 3rd level support for these devices and worked directly with Worldpay’s engineers for years. There is no doubt in my mind they have damning evidence that at least some of these PAX devices are compromised. Also POS device software is incredibly insecure and glitchy. The only thing that’s ever checked or cared about with them is that the PCI data is encrypted in transport.

    2. Matt

      This is absolutely correct and a very important distinction.

      1. SREDD Coder

        It’s not even close to correct and if you read the article, it’s the actual terminals that were running malware. And payments industry certifications are a joke. You get certified once every two years and there’s absolutely no enforcement or monitoring after that. They’re mostly paperwork, the process is easy to game, and a malicious company can change anything they want after the ROC’s and certification letters come in. You sound like you work for an ISO or processor in deep trouble now.

        1. delkoman

          SREDD Coder – you live in the real world! We are looking for a terminal firmware developer, but it’s a challenging specialty to find. Any suggestions where to look for trustworthy people with this skillset?

          1. lihong

            You can connect with me, email address: 476088799@qq.com

        2. bilbo bacon bits

          in a nutshell… this is the long game for CCP.. they want full control of all production of any computer system, software, manufacturing, new tech gained by legal or illegal means if possible.
          By doing so they can and will install backdoors, malware, root kits, ect into the device from start to finish..

          no need for hackers or fear of hackers getting traced back to them.. if security vuls are baked into the cake from the start.

        3. Dave

          Back before credit card processors allowed payments over the Internet, so quite some time ago, there was a unique company that could process payments over the Internet. What they had done was take payment terminals and hack them so that the card-not-present data coming from the Internet was injected into the payment terminal and processed as a card-present payment. The guy that did the hack said it took him a couple of hours to figure out the first terminal, and then a few minutes after that, most of which was drilling a hole into a particular part of the case and squirting in foam to lock up the anti-tamper microswitch.
          So even before Internet-connected devices these things were only about as secure as a generic laptop with case-open detection. Now, with Internet connections and legacy firmware going back twenty years with patches upon patches upon patches to handle all the broken variants of cards and protocols and whatnot and a total absence of secure coding practices, it’s not surprising that they could be overrun with malware. In fact the biggest difficulty I can see is that the lack of spare space for the code/data and godawful existing code running on some custom BSP that it has to interface with would make it tricky to write.

          1. Robert

            I remember them days. Then once card not present (internet based) started taking off it was no fun getting them approved by credit. Lol. You know there are several ways fraud or gathering data can be obtained if the POS provider is in on it. Yet to me just because they raided a POS provider facility doesn’t mean that the company itself was involved. Might be a company involved, might be company is a tool for Chinese government or could be the act of someone else and company was just access point for them to try to obtain info. I can say that if the fraud guys that work in that dark corner of the server (joke) started watching any transaction coming from a certain POS system it was serious. Those people don’t scream fox in the hen house unless there is a fox in hen house.

          2. Bart

            This is such a dated story, long ago overtaken by the sophisticated fraud detection systems at the banks. Plus no longer possible with chip cards ;

            1. Dave

              Do you work for a bank? Just wondering, because that’s the automatic scripted response every time something like this happens, “that was an old system, our new systems are perfectly secure”, I’ve been hearing the same thing over and over and over for at least thirty years. Every single time there’s a breach of POS security, no matter how recent the system is, it’s “oh, but you used an old system, our new system wouldn’t be vulnerable”.

              I admit that this is a long-ago story, chosen specifically because it’s far enough in the past that it’s unlikely anyone will get prosecuted over it, but that doesn’t mean it’s not happening with far newer systems. For example there’s a clever attack I heard about a year or so back involving putting the POS terminal into offline mode, reflashing the signed firmware with older signed firmware, running transactions in offline mode, reflashing the newer firmware, and then putting the device back online so the fraudulent transactions got flushed through. That was in a current system, although by definition it’d now be classed as an old system the moment the security vuln was pointed out.

            2. tylerk

              If you worked in the industry you would know that chips or chip readers are often dirty or not functional and it often neglects any of the security the chip provides by downgrading to mag stripe. Also if the software on the reader is compromised it makes chip cards useless.

    3. James Pullen

      Remember that the PCI certification is mainly about protecting PIN and card data – not preventing the device from doing other bad things. In this case it may be that the malware is not stealing card data like most previous attacks (Target etc., which really drove the push for PCI DSS, P2PE etc) but rather simply using the terminals as a launching pad for other network based attacks on infrastructure – a very different threat than what PCI, EMV etc are normally focused on.

      Couple this with the trend towards turning the payment devices into more general purpose platforms for running merchant applications (POS, loyalty etc) and general purpose operating systems (with PAX and others adopting Android – often older versions) it could well be that malware targeting phones has “crossed over”, whether deliberate or accidental. Either way, doesn’t look good for PAX.

      1. Michael N

        Assumed it is Android based devices it would be interesting to see the application signing and authorisation methods, is app signing authorised by PAX only or can it be a 3rd party as well?

    4. Andrew T

      These are most likely Android terminals. Pax is regularly deploying firmware updates to the platform, which could have been used to plant the malware. Original PCI PTS certification can be easily compromised via the flawed firmware release management with and even without PAX direct involvement.

    5. Trevor

      While I agree that it is rare for payment terminals themselves to be compromised, many devices now are 2-in-1, i.e. they function as both the POS (running Android) and the (hardened) terminal itself. PAX indeed have a range of such devices. So likely to be the POS apart if the device compromised- but still the device 🙂

    6. Erik

      It is true that it is uncommon for end-to-end encrypting payment terminals with PCI PTS validated hardware/firmware to be compromised. Most compromises occur with simple POS systems which are basically just a PC with a card reader attached, or in backend systems.

      This is why this case is so interesting/scary. PCI PTS validated terminals are the backbone of the trusted payment infrastructure. If a big company has indeed compromised their own terminals, it is very serious for the trust of the whole payment industry.

  3. Jeffrey Payne

    It’s an open secret in the payments industry that PAX was started with stolen IP. No surprise at all to see them involved in something like this.

    1. NoWayToPay

      Really? So you say Pax was started by ripping off Softpay? Or Verix? Or ACT/UCL?
      Come on, this is nonsense.

      On the other hand, S920 design was copied by another company (Vx690).

  4. The Sunshine State

    Remember, this is from a totalitarian country that unleashed the pandemic on the world

    1. Scan

      Please stop making Florida look worse than it already is.

  5. Matt

    The difference between this scenario and the many data breaches of the past is that PAX has/had infected payment terminals – all of the other breaches were the result of infected point-of-sale systems – not hardware payment terminals.

  6. bill

    OK slow your roll everybody… We don’t have enough information here!

    The Heartland breach ended up being an inside job done with a keylogger. (this was not the initial conclusion)

    If this was done to glean credit card numbers, then someone is doing a lot of work for very little money.
    It doesn’t make sense.
    They could’ve been hacked.
    Why don’t we let the FBI do their job without speculation!

  7. delko man

    SREDD Coder – you live in the real world! We are looking for a terminal firmware developer, but it’s a challenging specialty to find. Any suggestions where to look for trustworthy people with this skillset?

    1. Martin Humphreys

      I am a retired embedded programmer but I still do contract work. I have coding since the early 80’s.

      Reply with a phone number if you want to chat.

      1. This is not a talent agency

        “I have coding since the early 80’s.” And learn code English in bar yesternight.

  8. DTR hacker

    SRED Coder knows this industry well. Many payment terminal vendors remove anti-tamper hardware after the device is approved by PCI.

    1. BRIAN

      That could result in many many years of waiting. The FBI has rarely reached a conclusion in any case over its lifetime. Useless agency, like 99% of all govt agencies from local to Federal.

      1. Another one

        Be sure to mention that to the Judge at your Jan 6th trial.

  9. Coherent Thoughts

    Plenty of ignorant racists and subjects of MKUltra and Operation Mockingbird.

  10. Tom

    Did they find proof that Huawei phones and 5G equipment were spying on people? After two years niet, nada. But they sure banned them.
    Could be a hack for sure or could be another geopolitical shakeup from the USA. They don’t want Chinese made & designed devices in the hands of Americans.

    1. anon

      Huawei violated US sanctions at the very least while doing business here,
      lied about it, and when their leadership faced consequences they took two
      unrelated Canadians hostage on bogus charges – held them for a long time,
      and released them the same week Huawei’s fraud-accused CFO plead guilty
      as part of a deal to allow her to go back to the state-owned CCCP tool in
      Shenzhen that you in hapless consumer-land know as Huawei products.
      CCCP owned companies deserve more scrutiny and not less. Period.

  11. G

    I did research on them for fun but was not looking for malware. But I can state that both the Prolin-based ones and the Android ones are a security mess -> https://git.lsd.cat/g/pax-pwn
    But in general, as far as I could observe, they do not expose any port by default, not even on the LAN, and thus should be hard to compromise en masse. Not that US or EU vendors are any better in terms of security though.

  12. SkyPilot

    All businesses in China must commit to the CCP that their businesses will support and cooperate with the CCP.

  13. Mike

    I wonder what this means for Disney. I know that they use PAX devices all across both Walt Disney World and Disneyland…

  14. Coder Dude 5000

    SREDD Coder is correct. I have worked directly with these terminals. They are running old versions of Android. It is up to the end user to update the firmware, etc. as newer versions come out. They also open up multiple WebSocket/MQTT connections out to IP addresses in mainland China. Partners have complained about this and questioned why that is necessary. The terminals also have cameras and microphones on them, just like any Android does. It will be very interesting to see where this goes.

    1. Random coder

      I’ve integrated with A920, A80, Aries 8, and more. The MQTT/WebSocket connection is used so they can remotely control the terminal, like push apps, reboot, etc. They have full control over the terminal… and to obtain info like battery level, connection status, etc., all in the PAX portal. Nothing out of the ordinary in that usage; it’s obvious to those who understand real-time communication methods. But definitely very interesting to see where this goes, hopefully a misunderstanding, but playing the race card is not a good sign.

      1. an_n

        A misunderstanding lol. Outstanding term of art to describe espionage.

  15. William Kemmler

    “PAX is now claiming that the investigation is racially and politically motivated.”

    Which is the typical response when a Chinese company is accused of wrongdoing. Don’t deny it. Don’t show that the investigators are incorrect. They immediately throw down the race card and whine that it’s all politically motivated when caught with their hands in the cookie jar. Just so predictable from the Chinese it’s disgusting.

  16. Notme

    How do you identify the affected hardware? Is there more than one model?

  17. Jaimoe

    More distraction.
    Soon, we’ll need to do more than just protest.

  18. Mikm

    The FBI is doing this? The same people who watched Brian Laundrie’s mother in her own house and thought it was him?

    1. Red Okterrible!

      Learn how to read first comrade, it helps! That was LOCAL FLORIDA COPS, not the FBI.
      You’re seriously trying to shine down the FBI and can’t even think of one real thing?
      Lazy AF. Back to Communist Journalism 101 with you.

  19. Bart

    It seems there is some confusion in terminology; the PAX devices are PIN pads, I understand, manufactured in China. Not complete POS systems.
    It would not be the first time devices with built-in backdoors are manufactured there. Just remember the story about compromised Android CPU boards from a few years back. These all went into phones that never made it into the North American market. This kind of supply chain hack would not likely be detected in regular PTS and other device testing.

    FIS is pulling out all the PAX devices according to Bloomberg:
    https://www.bloombergquint.com/amp/business/fis-s-worldpay-replacing-pax-terminals-over-security-concerns

  20. Kermit Paulos

    Very surprised by PAX release, immediately defensive and no mention of fully cooperating.

  21. Fudge packer freddy Bear

    From our good friends the Chinese, I am not surprised. The good thing is that we most likely all have China spy tech in our mobile phones. If you are not concerned you are not paying attention. Reject the CCP.

  22. Robert Townley

    Fifteen+ year old WiFi routers had onboard AES for dirt cheap, but new PAX terminals only offer 3DES. Every cheap WiFi device does AES, why not PAX? Is it the upstream processor’s fault?
