An analysis of PoS/ cashIT! cash registers

Research output: Other contribution

Abstract

This report summarizes our findings about vulnerabilities in cashIT!, a cash register system implementing the Austrian cash register security regulation (RKSV). Besides a lack of encryption, outdated software components and low-entropy passwords, these weaknesses include a bypass of origin checks (CVE-2023-3654), unauthenticated remote database exfiltration (CVE-2023-3655), and unauthenticated remote code execution with administrative privileges on the cash register host machines (CVE-2023-3656). Based on our analysis results, these vulnerabilities affect over 200 cash register installations in Austrian restaurants that are accessible over the Internet. In addition, daily cloud backups of more than 300 active cash register installations (and over 600 including historic backups of presumably inactive installations) are freely downloadable from cashIT! servers. These cloud backups contain detailed sales data and user account information (potentially with data about current and former employees), and may contain customer contact information, credentials for the online signature creation unit, and credentials to the backend system of the Austrian card payment processor Hobex.
Original language: English
Type: Vulnerability report
Publisher: JKU
Number of pages: 34
Publication status: Published - 03 Oct 2023

Fields of science

  • 102 Computer Sciences
  • 102016 IT security
  • 505015 Legal informatics

JKU Focus areas

  • Digital Transformation
  • Sustainable Development: Responsible Technologies and Management
