Fast-Food FAIL: Drive-Thru Displays Point-of-Sale LAN Details

A cautionary tale on the potential security lapses between a drive-thru display LAN line and a fast-food restaurant's point-of-sale system, as discovered by security practitioner Rick Lawhorn

By , Senior Editor

August 03, 2009, CSO

Rick Lawhorn went to a local fast-food chain one recent evening and found a potential security threat to go with his burger and fries.

His findings indicate a potential glitch in how a typical drive-thru display is wired. Data thieves could exploit it to steal customer credit-card numbers, he warns.

[Image: Drive-thru display reveals POS LAN details]

At the very least, the Richmond, Va.-based IT security practitioner believes his findings offer a lesson on how not to fuse card-payment machinery with the rest of a company computer network.

During his trip to the drive-thru, the display screen that lists one's food order crashed and a bunch of code appeared. Lawhorn was curious and snapped a picture of the screen with his cell phone, taking the image home for further study.

The heartburn he later experienced wasn't from the grease-soaked food, but from what he found upon digesting the code in the photo.

"I hopped on Google and did some searches based on what I saw on the display and found documentation on how such systems should be set up under such things as PCI (the Payment Card Industry's security standard)," Lawhorn said.

The problem with the set-up he found is that it likely cuts against some basic security requirements concerning network segmentation and wireless devices.

The code revealed configuration details of the LAN running from the drive-thru display to the building, and indicated that the cable ran directly to the restaurant's point-of-sale system, where customer credit cards are entered.

The name of the restaurant isn't revealed here because Lawhorn is still investigating and working to contact the proper people within the franchise. But there's food for thought in what he knows so far.

For one thing, Lawhorn said, it's unlikely someone is babysitting the network at the individual franchises for security issues. Therefore, bad guys sniffing the network would likely escape detection.

TJX is well aware of how things can go awry at individual stores. The massive breach the company disclosed in early 2007 started with thieves exploiting Wi-Fi weaknesses at a Marshalls clothing store near St. Paul, Minn. In that incident, thieves reportedly aimed a telescope-shaped antenna at the store and used a laptop to snatch data transmitted between hand-held price-checking devices, cash registers and the store's computers. The exploit eventually led them into the central database of Framingham, Mass.-based TJX, where they repeatedly robbed the system of sensitive customer data.

"If we look at the business model for a typical franchise, the individual locations report to a parent company, but you don't always have someone on staff at the individual stores to address IT and security," Lawhorn said. "And so you often end up with a configuration that was set up just in time to get business rolling. When it's done that way, security holes can be left behind." (For more on this problem, listen to The Failure of Security Investments.)
