POS endpoints have to be connected, otherwise they could now work to verify credit cards. usually such embedded devices have minimal OS and network services so there aren't a lot of weak processes to try to take over. However they probably have a mechanism to upgrade/patch the software on them remotely, and to do that you generally need a port that can push software in. That might be a way the attackers got in.
One trick they use is to send data that's way too big for the buffer (sort of like the "inbox") so that the data overflows into areas of memory it's not supposed to go to. That can crash the system and force a reboot and if you planted bad stuff on it, it will load at the reboot. Really clever hackers can do far more.
Interesting post, thanks
I don't think we will ever hear what happened, but it wouldn't surprise me if the machines didn't have a password set or a very simple one.
Its not that clever. Buffer overflows have been used since Sendmail came out in the 1980s. Its old hat now. Sendmail ran as root. Guess what file they went after? That's right. Send your stuff straight to the passwd file.
Never let anyone code using gets() and you'll take care of mot of those.