When Thieves Order Off The Menu

Retail Realities: A Glitch In The System Threatens To Become A Huge Problem, Especially With Fast-Food Chains

(CBS)  This column was written by Evan Schuman, the editor of StorefrontBacktalk.com, a site that tracks retail technology, e-commerce and security issues. Retail Realities will appear each Friday. Evan can be reached at e-mail and on Twitter.

---

When security consultant Rick Lawhorn recently drove through the drive-thru of a local Virginia quick-service restaurant, he was about to place an order when the screen stopped displaying his menu choices and instead displayed an internal network screen. Instead of pricing for a burger and fries, it told anyone who happened to walk by a wide range of internal network information, all of which would make it easier for someone to break in.

The details exposed included the system's boot count, permanent run time, the restaurant's IP address, IP Mask, Gateway number and that DHCP was disabled. But worst of all, from Lawhorn's perspective, the display told passersby that the order confirmation board (OCB) was quite completely connected to the store's local area network and point-of-sale system, which is enough to tell someone that it's worth trying to hack into. And with a relatively unprotected network connection plugged into the behind-the-store box, that's not an especially daunting task.

This particular glitch isn't limited to one restaurant or one franchise group or even, for that matter, one restaurant chain.

It's apparently a glitch in the OCB system itself-the operating system associated with the OCB, to be specific-and the unit used at that particular location was from Texas Digital, one of the industry's largest manufacturers of such systems, with devices handling orders at some of the nation's largest QSR chains, including McDonalds, Burger King, Taco Bell, Crystal's and Arby's.

"What you're seeing is the diagnostic screen when you reboot the system, sort of the equivalent of a PC's BIOS screen," said a security manager with one of the impacted chains, who asked that neither his name nor his chain's name be used in this story.

But that security manager said the data on the screen wouldn't be a lot of help to most potential cyber thieves. "The information on there is not necessarily indicative of the current configuration of the unit itself. It would merely show the technician what options are on the system," he said. "It's a small bit of information that a determined attacker would eventually get anyway. They still would need a means to get into the network. It's a very low risk. You still need to have physical access."

But that may be easy to do with this system.

Still, the chain said that it contacted its vendor and asked for an explanation and to have the glitch fixed, ideally making the system go blank when it restarts, rather than displaying the internal stats. Asked why it happened, the retailer reported that "their thought process is that it shouldn't reboot during working hours."

This is becoming a huge problem, especially with fast-food chains (known within the industry as quick service restaurants or QSRs). There are three issues these chains are dealing with simultaneously. The first is that these are mostly cash businesses and cash-handling is very expensive. That means that the chains are going to try and get their customers to use more credit and debit cards, which in turn means that they'll have a lot more sensitive data lying around. Dairy Queen is a good example of a chain trying to rein that in.

The second issue is that many of these restaurants are owned by regional franchise groups, which means that the restaurant chain can't dictate what technology and security mechanisms the stores will use. Well, they can certainly dictate, but the stores are out there on their own and they generally do whatever they want. (It's akin to raising a chain of 12,000 adolescent daughters.)

McDonalds has been pushing an effort, for example, to try and segregate all of the payment in all of their stores, including their franchise locations.

The third issue is that, even though these stores (both owned and franchised) may be part of a multi-billion global restaurant chain, each store is comparable to an extremely small business. That means no IT staff and little facility security, other than video cameras.

Add it all up and you stores with little security, storing growing mountains of data and little way of regulating how they deal with it.
Lawhorn was not alone in his observations, with photos of machines in different regions-and with different chains-showing the error screens circulating. But what Lawhorn did see-which is at the heart of most of these units-was far from comforting.

"The information on the screen relayed enough information where I could get to the manufacturer. It provided an IP address and it told me the IP address was fixed. The reason that's important is because I know their networking address scheme and I can introduce another host or node. I know exactly how many devices they can accept by that network address range. I can place a router in line between the sign and the restaurant. If they are wireless, I can sit in their lobby and try different things," he said.

He also questioned the chain's claim that the glitches are only momentary, making the risk from the data being displayed minor. At the location that he initially observed, he saw the system crash. "When that happens, you want to provide people with an error message, but not reveal too much information in that error message. If you provide too much information and leave it up on your display for days at a time while you're waiting for a support call, you are just spreading that information around. This was up for a couple days. I went back two or three days later and it was working while I was in line but then it crashed again. So it was four or five different dates."

The biggest problem, Lawhorn (who provided pictures of the machine he saw) said, was the perceived ease of physical access.

"On the back of the display is a network jack," he said. "You could go up to it, unplug the cable and then plug it back into that sign. You could put in a wireless router inline, making all their internal network traffic wireless. So I can now run any tool I want to and sit in the parking lot and monitor what's going on."

"The diagram offered by the place that provides these signs shows no instructions for setting up firewall rules," Lawhorn continued. "You connect it to a hub and we know that, with hubs, all the network traffic is broadcast across all the ports. So if a sign is part of the internal network, the POS is sending credit card transactions across that network. For the most part, it's one big fat, happy network."


By Evan Schuman
© MMVIII, CBS Interactive Inc. All Rights Reserved

Share:

• Share
• Yahoo! Buzz
• Twitter
• Mixx

More From Opinion

• When the Red, White and Blue Is In the Red
• Analysis: Fed Under Fire As Public Anger Mounts
• An Inconvenient Solution
• The Afghan Speech Obama Should Give
• Bid Farewell To Coupon Clipping?
• A Better Health Bill From The Senate?
• Choking The Blue Dogs

• 

  VideoThe Price Of Security

• 

  VideoMedical Revisions Frenzy

Add a Comment

by ISO-PCI August 10, 2009 8:46 AM EDT

There are a lot of assumptions and incorrect statements in this article so rather than banter theory let me point on the obvious:

1. QSR's are pushing their customers towards credit cards vs cash because taking cash is expensive? This one made me laugh as that is quite the opposite. QSR's only take Credit because of consumer demand, transaction fees are quite high for the low ticket total and high volume environment. There is a reason Waffle House held out til the very end before accepting anything other than cash.

2. That this system in itself is a risk. As the vendor stated these systems are not directly connected to the network. The video controller is IP connected to the outside display and then is connected in one of two ways internally, either via serial or IP. The IP connection does not span between the controller and the POS by default. Most Franchisee's actually use a serial connection from the controller to the POS and traffic is limited to the character set required to display food and price totals.

As with any item there is risk, but a business has to take risks to provide services whether it is someone slipping on a wet floor or someone attempting to breach a network. With this specific OCB you would have to break into the building or break into the conduit the cable is inside to even attempt to compromise the system. Neither of these are attractive options for the real "bad" guys as they are looking for big wins, not single restaurant/retail targets.

Lastly, PCIguru-4u...I would suggest visiting the PCI Standards Council site and doing some home work before you continue to provide services. Merchant's fall into 4 categories not 5. Most small businesses are Level 4 merchants and can do a SAQ. Most also are concerned about doing the right thing but many times get advice from those with insufficient knowledge to answer the questions.

Security is a big challenge, even for those with several professionals on staff. It is unfair to vilify the small guy here. When someone breaks into your house the police come and try to track him down while your insurance pays for your loses. In retail when the bad guys break in to your network you are immediately the one at fault and the one getting prosecuted by the media, your processor, and the card brands. Hardly seems fair.

Reply to this comment

by eschuman August 10, 2009 9:59 PM EDT

As you know better than most, the cost of accepting cash is extremely high. Not only is there the labor time in counting it and recounting it, but there is the high risk of theft, as it's so tempting for employees to pocket and underreport cash. There's certainly theft with payment cards, but it's much more effort-intensive.
But, yes, the interchange fees on payment cards can be quite high. It really depends on the nature of that retailer's specific operations. Then they have to weight that against the preference for cards among many consumers and whether that will translate into higher revenue. To solely look at the lack of an interchange fee for cash is being misleading.
As for the network being connected directly to the drive-thru system, you also know fully that systems range radically across the country. The recommended approach is to not have them connected, but many do anyway. The point was for all such locations, not just those that strictly follow the vendor guidelines. Small businesses often cannot afford to do so. Household quick-service restaurant chains are big businesses, the individual restaurants are typically owned by local business people who only own a relatively small number of stores. And they do what they have to do to maintain payroll.

by PCIguru4u August 7, 2009 9:40 PM EDT

As an auditor for many local franchises, I can state with absolute certainty that Evan (and Rick) are absolutely right in regards to the lack of security. Seems that everyone is missing the point though. I believe the error provided enough intel to start researching. The research then led to documentation created by the vendors that demonstrated no security in implementing the technology in the franchise LAN. No surprises here but the industry as a whole is about food and cost, security is a check box at best in MANY cases. Wireless hotspots using the same network as the POS, cables outside connected to inside hubs, and sometimes no encryption used in transactions are just a few of the things I have seen. Vendors can provide great lip service as to the way things SHOULD be done, but rarely are they implemented that way by the "guy in garage" contracted PC support that franchises use.

At the end of the day, the franchise can do what it thinks it needs to do to get by /survive. This will not change until the agreements/contracts change. Keep in mind that in terms of PCI, they are normally level 4 or 5 so they can do their own assessments.

Reply to this comment

by cameraphone August 7, 2009 3:11 PM EDT

How is it that criminals can hack menu boards, create botnets, and launch denial of network attacks and my internet connection drifts in and out during the day. It just went down for 20 minutes.

I guess the secret is not an internet connection that drifts but an internet connection that grifts.

Reply to this comment

by barbaram99 August 7, 2009 1:29 PM EDT

they should have a firewall and yep I have a home network and it has firewall anti viris etc.
Really, That is why I take cash and will not use a debit card.
Off the subject What is eat in tax as McDonalds is the only one to charge in addion to sales tax. It is a rip.

Reply to this comment

by eschuman August 7, 2009 1:20 PM EDT

For the record, the vendor who commented above spoke with us after the deadline for this column had passed. That said, the comments are generally disagreeing with what someone said in an interview.
Also, many facility set up their mechanisms in many different ways. Not all restaurants deploy systems in the exact manner suggested by the vendor and there are facilities that try and cut costs by going directly. The IP address comment is the position of the vendor that it's likely the default address and not necessarily the address of that restaurant's network. And the column explicitly stated that ("The information on there is not necessarily indicative of the current configuration of the unit itself.")
But an IT manager with that chain--who didn't want his name--indicated that the concerns of the consultant the column quoted were fair and accurate. We give the retail chain's IT department a lot of credibility on such matters.

Reply to this comment

by TD_Speaks August 7, 2009 11:08 AM EDT

I discussed many errors and assumptions this article makes with Mr. Schuman yesterday but see none of the inaccurate statements were updated. Many of these statements are blatantly incorrect and others are misleading. I have clarified some of those below:

The article states that the OCB showed the ?restaurant?s IP address?. That is incorrect. In fact, the display showed a default IP address that had no insight or connectivity into the restaurant network.
The article states that the ?display told passersby that the order confirmation board (OCB) was quite completely connected to the store?s LAN and POS?. That?s quite an assumption. In fact, the OCB is connected via a peer-to-peer network to a protocol converter in the restaurant. The POS data is actually send to the converter serially and then converted to IP for transmission to the OCB. This peer-to-peer network has no connection or access to the restaurant?s network.

The article states there is ?a relatively unprotected network connection plugged into the behind-the-store box?. In fact, the data cable is buried in an underground conduit that then enters the display unit inside the secured pedestal. The pedestal cabinet requires a security key to access to the interior.

The article states ??You still need to have physical access.? But that may be easy to do with this system.? Wow, then again maybe it isn?t.

The article states, in regard to credit and debit card data, ?they?ll (restaurants) have a lot more sensitive data lying around.? Yes, there is more data. However, credit card and debit data is required to be encrypted and is transmitted ? not stored. The statement is misleading. Later, the article states ?storing growing mountains of data?. Again, the PCI-related data is not stored in order to limit risk.
?Lawhorn was not alone in his observations, with photos of machines in different regions?and with different chains?showing the error screens circulating.? I have reviewed the photos and they are various solutions, from various vendors, and are indicative of a wide range of unrelated system errors. You cannot make a broad assumption about data security based on these unrelated photos.

Lawhorn was quoted as saying ?It provided an IP address and it told me the IP address was fixed.? Again, the IP address displayed was a default address with absolutely no insight into the restaurant network or configuration. Mr. Lawhorn states he could get to the vendor but it is not mentioned that he has not contacted us. I have attempted to contact Mr. Lawhorn, without success, through the original article?s author.

The article states ?I can place a router in line between the sign and the restaurant.? and then ?If they are wireless?? The fact is that there is no wireless access at this site and there is no exposed data cable to place a router. To do this, a culprit would have to break into the restaurant or physically dismantle the OCB in the drive-thru. The statement ?On the back of the display is a network jack. You could go up to it, unplug the cable and then plug it back into that sign.? is tremendously misleading at the network cable and jack is inside a secured cabinet.

Reply to this comment

Add a comment

Comment SUBMIT

Click here to add another comment.

The posting of advertisements, profanity, or personal attacks is prohibited. By using this Web site you agree to accept our Terms of Service. Click here to read the Rules of Engagement.

Comment reply

Submit Cancel

The posting of advertisements, profanity, or personal attacks is prohibited. By using this Web site you agree to accept our Terms of Service. Click here to read the Rules of Engagement.

Report offensive content:

If you believe this comment is offensive or violates the CBSNews.com Terms of Use, you can report it below (this will not automatically remove the comment). Once reported, our staff will be notified and the comment will be reviewed.

Select type of offense:

Offensive: Sexually explicit or offensive language

Spam: Advertisements, commercial links, or repetitive posts

Disruptive posting: Flaming or offending other users

Illegal activities: Promote cracked software, or other illegal content

Off-topic: Commentary unrelated to the storyline

Comments (optional):

Report Cancel

E-mail this comment to a friend.

E-mail this to: (Separate multiple e-mail addresses with commas. Limited to 10 addresses.)

Your e-mail address:

Send me a copy of this message

Note: Your e-mail address is used only to let the recipient know who sent the e-mail and in case of transmission error. Neither your address nor the recipients's address will be used for any other purpose.

Add your own personal message: (Optional)

Hi, I found this user's comment on CBSNews.com and thought you might be interested in reading it. Send e-mail Cancel

[ISO-PCI]

There are a lot of assumptions and incorrect statements in this article so rather than banter theory let me point on the obvious:

1. QSR's are pushing their customers towards credit cards vs cash because taking cash is expensive? This one made me laugh as that is quite the opposite. QSR's only take Credit because of consumer demand, transaction fees are quite high for the low ticket total and high volume environment. There is a reason Waffle House held out til the very end before accepting anything other than cash.

2. That this system in itself is a risk. As the vendor stated these systems are not directly connected to the network. The video controller is IP connected to the outside display and then is connected in one of two ways internally, either via serial or IP. The IP connection does not span between the controller and the POS by default. Most Franchisee's actually use a serial connection from the controller to the POS and traffic is limited to the character set required to display food and price totals.

As with any item there is risk, but a business has to take risks to provide services whether it is someone slipping on a wet floor or someone attempting to breach a network. With this specific OCB you would have to break into the building or break into the conduit the cable is inside to even attempt to compromise the system. Neither of these are attractive options for the real "bad" guys as they are looking for big wins, not single restaurant/retail targets.

Lastly, PCIguru-4u...I would suggest visiting the PCI Standards Council site and doing some home work before you continue to provide services. Merchant's fall into 4 categories not 5. Most small businesses are Level 4 merchants and can do a SAQ. Most also are concerned about doing the right thing but many times get advice from those with insufficient knowledge to answer the questions.

Security is a big challenge, even for those with several professionals on staff. It is unfair to vilify the small guy here. When someone breaks into your house the police come and try to track him down while your insurance pays for your loses. In retail when the bad guys break in to your network you are immediately the one at fault and the one getting prosecuted by the media, your processor, and the card brands. Hardly seems fair.

[eschuman]

As you know better than most, the cost of accepting cash is extremely high. Not only is there the labor time in counting it and recounting it, but there is the high risk of theft, as it's so tempting for employees to pocket and underreport cash. There's certainly theft with payment cards, but it's much more effort-intensive.
But, yes, the interchange fees on payment cards can be quite high. It really depends on the nature of that retailer's specific operations. Then they have to weight that against the preference for cards among many consumers and whether that will translate into higher revenue. To solely look at the lack of an interchange fee for cash is being misleading.
As for the network being connected directly to the drive-thru system, you also know fully that systems range radically across the country. The recommended approach is to not have them connected, but many do anyway. The point was for all such locations, not just those that strictly follow the vendor guidelines. Small businesses often cannot afford to do so. Household quick-service restaurant chains are big businesses, the individual restaurants are typically owned by local business people who only own a relatively small number of stores. And they do what they have to do to maintain payroll.

[PCIguru4u]

As an auditor for many local franchises, I can state with absolute certainty that Evan (and Rick) are absolutely right in regards to the lack of security. Seems that everyone is missing the point though. I believe the error provided enough intel to start researching. The research then led to documentation created by the vendors that demonstrated no security in implementing the technology in the franchise LAN. No surprises here but the industry as a whole is about food and cost, security is a check box at best in MANY cases. Wireless hotspots using the same network as the POS, cables outside connected to inside hubs, and sometimes no encryption used in transactions are just a few of the things I have seen. Vendors can provide great lip service as to the way things SHOULD be done, but rarely are they implemented that way by the "guy in garage" contracted PC support that franchises use.

At the end of the day, the franchise can do what it thinks it needs to do to get by /survive. This will not change until the agreements/contracts change. Keep in mind that in terms of PCI, they are normally level 4 or 5 so they can do their own assessments.

[cameraphone]

How is it that criminals can hack menu boards, create botnets, and launch denial of network attacks and my internet connection drifts in and out during the day. It just went down for 20 minutes.

I guess the secret is not an internet connection that drifts but an internet connection that grifts.

[barbaram99]

they should have a firewall and yep I have a home network and it has firewall anti viris etc.
Really, That is why I take cash and will not use a debit card.
Off the subject What is eat in tax as McDonalds is the only one to charge in addion to sales tax. It is a rip.

[eschuman]

For the record, the vendor who commented above spoke with us after the deadline for this column had passed. That said, the comments are generally disagreeing with what someone said in an interview.
Also, many facility set up their mechanisms in many different ways. Not all restaurants deploy systems in the exact manner suggested by the vendor and there are facilities that try and cut costs by going directly. The IP address comment is the position of the vendor that it's likely the default address and not necessarily the address of that restaurant's network. And the column explicitly stated that ("The information on there is not necessarily indicative of the current configuration of the unit itself.")
But an IT manager with that chain--who didn't want his name--indicated that the concerns of the consultant the column quoted were fair and accurate. We give the retail chain's IT department a lot of credibility on such matters.

[TD_Speaks]

I discussed many errors and assumptions this article makes with Mr. Schuman yesterday but see none of the inaccurate statements were updated. Many of these statements are blatantly incorrect and others are misleading. I have clarified some of those below:

The article states that the OCB showed the ?restaurant?s IP address?. That is incorrect. In fact, the display showed a default IP address that had no insight or connectivity into the restaurant network.
The article states that the ?display told passersby that the order confirmation board (OCB) was quite completely connected to the store?s LAN and POS?. That?s quite an assumption. In fact, the OCB is connected via a peer-to-peer network to a protocol converter in the restaurant. The POS data is actually send to the converter serially and then converted to IP for transmission to the OCB. This peer-to-peer network has no connection or access to the restaurant?s network.

The article states there is ?a relatively unprotected network connection plugged into the behind-the-store box?. In fact, the data cable is buried in an underground conduit that then enters the display unit inside the secured pedestal. The pedestal cabinet requires a security key to access to the interior.

The article states ??You still need to have physical access.? But that may be easy to do with this system.? Wow, then again maybe it isn?t.

The article states, in regard to credit and debit card data, ?they?ll (restaurants) have a lot more sensitive data lying around.? Yes, there is more data. However, credit card and debit data is required to be encrypted and is transmitted ? not stored. The statement is misleading. Later, the article states ?storing growing mountains of data?. Again, the PCI-related data is not stored in order to limit risk.
?Lawhorn was not alone in his observations, with photos of machines in different regions?and with different chains?showing the error screens circulating.? I have reviewed the photos and they are various solutions, from various vendors, and are indicative of a wide range of unrelated system errors. You cannot make a broad assumption about data security based on these unrelated photos.

Lawhorn was quoted as saying ?It provided an IP address and it told me the IP address was fixed.? Again, the IP address displayed was a default address with absolutely no insight into the restaurant network or configuration. Mr. Lawhorn states he could get to the vendor but it is not mentioned that he has not contacted us. I have attempted to contact Mr. Lawhorn, without success, through the original article?s author.

The article states ?I can place a router in line between the sign and the restaurant.? and then ?If they are wireless?? The fact is that there is no wireless access at this site and there is no exposed data cable to place a router. To do this, a culprit would have to break into the restaurant or physically dismantle the OCB in the drive-thru. The statement ?On the back of the display is a network jack. You could go up to it, unplug the cable and then plug it back into that sign.? is tremendously misleading at the network cable and jack is inside a secured cabinet.