Finding PAX point-of-sale devices
PAX Technologies, a China-based company that manufactures a LOT of point-of-sale (POS) terminal devices, has been in the news this week following an FBI raid of a PAX Florida facility. While the FBI didn’t officially confirm much beyond serving a court-authorized search, a Krebs on Security post surfaces some serious security concerns around PAX device use in cybercrime attack operations: specifically, that some PAX devices are being used in command-and-control (C2) operations during attacks and for hosting malware files. PAX has denied any knowledge of or involvement in criminal activities involving its products (and point-of-sale devices and systems are well known to be common targets for cybercriminals). Regardless, some large payment processors, such as Worldpay, started replacing their PAX point-of-sale terminals earlier this month after receiving an inadequate explanation from PAX for traffic originating from their devices to websites that were not listed in PAX documentation.
PAX Technologies has not yet released any security advisories or other guidance related to these security concerns involving their point-of-sale terminals.
Finding PAX point-of-sale devices with Rumble
Most PAX point-of-sale devices don’t offer up any open UDP or TCP ports, which limits the datapoints we have for fingerprinting or identifying those assets. However, we can leverage the MAC address OUI (organizationally unique identifier) to identify PAX-manufactured devices. From the Asset Inventory, use the following pre-built query to locate PAX point-of-sale assets in your network:
mac_vendor:"PAX Computer Technology"

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.
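The same OUI-based identification can be run over data you already hold, such as an ARP or DHCP lease export, which matters when the devices expose no ports. The following Python is an added example, not runZero code: the registry rows, OUI prefixes, and addresses are constructed placeholders (not real PAX assignments), and the function names are hypothetical.

```python
import csv
import io
import re

# Constructed rows in the IEEE oui.csv column layout. The Assignment values are
# placeholders, NOT real PAX prefixes; feed the real registry file in practice.
OUI_CSV = """Registry,Assignment,Organization Name,Organization Address
MA-L,F4EEDD,PAX Computer Technology (constructed row),placeholder
MA-L,3C5A00,Example Printer Co (constructed row),placeholder
"""

# Constructed (ip, mac) pairs as they might appear in an ARP or DHCP export.
NEIGHBORS = [
    ("192.0.2.21", "f4:ee:dd:01:02:03"),
    ("192.0.2.22", "F4-EE-DD-0A-0B-0C"),
    ("192.0.2.23", "f4ee.dd10.2030"),
    ("192.0.2.40", "3c:5a:00:44:55:66"),
    ("192.0.2.41", "da:a1:19:00:00:01"),  # locally administered (randomized)
    ("192.0.2.42", "not-a-mac"),
]

def normalize_mac(raw):
    """Return 12 uppercase hex digits, or None if raw is not a 48-bit MAC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    ok = re.fullmatch(r"[0-9A-Fa-f.:\-]+", raw) and len(digits) == 12
    return digits.upper() if ok else None

def load_vendor_ouis(csv_text, vendor_substring):
    """Collect 24-bit (MA-L) prefixes whose organization name contains the vendor."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["Assignment"].upper() for r in rows
            if r["Registry"] == "MA-L"
            and vendor_substring.lower() in r["Organization Name"].lower()}

def find_vendor_assets(neighbors, ouis):
    """Split neighbors into vendor matches and MACs that carry no usable OUI."""
    matches, unresolved = [], []
    for ip, raw in neighbors:
        mac = normalize_mac(raw)
        if mac is None:
            unresolved.append((ip, raw, "unparseable"))
        elif int(mac[:2], 16) & 0x02:  # U/L bit set: the prefix is not a vendor OUI
            unresolved.append((ip, raw, "locally administered"))
        elif mac[:6] in ouis:
            matches.append((ip, mac))
    return matches, unresolved
```

Entries in the unresolved list cannot be attributed to any manufacturer by MAC alone, so they need another data point before being ruled in or out.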

Pearce Barry is a Director of Security Research at runZero. Barry joined runZero in June 2021, after working on the Metasploit Project for the four years prior. Now, Pearce leads research efforts at runZero, which include creating and improving fingerprints, adding to protocols, enhancing scanning logic, and writing queries.