Fast-Food FAIL: Drive-Thru Displays Point-of-Sale LAN Details

Rick Lawhorn went to a local fast-food chain one recent evening and found a potential security threat to go with his burger and fries.

His findings indicate a potential glitch in how a typical drive-thru display is wired. Data thieves could exploit it to steal customer credit-card numbers, he warns.

During his trip to the drive-thru, the display screen that lists one’s food order crashed and a bunch of code appeared. Lawhorn was curious and snapped a picture of the screen with his cell phone; taking the image home for further study.

See also Security at the Point of Sale

The heartburn he later experienced wasn’t from the grease-soaked food, but from what he found upon digesting the code in the photo.

“I hopped on Google and did some searches based on what I saw on the display and found documentation on how such systems should be set up under such things as PCI (the Payment Card Industry’s security standard),” Lawhorn said.

The problem with the set-up he found is that it likely cuts against some basic security requirements concerning network segmentation and wireless devices.

The code revealed configuration details of the LAN running from the drive-thru display to the building, and indicated that the cable ran directly to the restaurant’s point-of-sale system, where customer credit cards are entered.

The name of the restaurant isn’t revealed here because Lawhorn is still investigating and working to contact the proper people within the franchise. But there’s food for thought in what he knows so far.

For one thing, Lawhorn said, it’s unlikely someone is babysitting the network at the individual franchises for security issues. Therefore, bad guys sniffing the network would likely escape detection.

TJX is well aware of how things can go awry at individual stores. The massive breach the company disclosed in early 2007 started with thieves exploiting Wi-Fi weaknesses at a Marshalls clothing store near St. Paul, Minn. In that incident, thieves reportedly aimed a telescope-shaped antenna at the store and used a laptop to snatch data transmitted between hand-held price-checking devices, cash registers and the store’s computers. The exploit eventually led them into the central database of Framingham, Mass.-based TJX, where they repeatedly robbed the system of sensitive customer data.

“If we look at the business model for a typical franchise, the individual locations report to a parent company, but you don’t always have someone on staff at the individual stores to address IT and security,” Lawhorn said. “And so you often end up with a configuration that was set up just in time to get business rolling. When it’s done that way, security holes can be left behind.

Lawhorn doesn’t know how much, if any, credit card data the restaurant in question may be storing. But if such information is being stored (a no-no under PCI security requirements), a cable outside the building that links to the point-of-sale-system is an excellent place for a thief to find it.

“If there’s no barrier, no one on site from IT and you rely on an outside source for IT and security, there is the potential for many gaps,” Lawhorn said.

True, a lot of these places have surveillance cameras to watch for thievery and violence, but someone walking across the grass between the drive-thru display and building isn’t necessarily going to look suspicious. It wouldn’t be hard for someone to drop a device on the ground that escapes the camera’s notice — a device that could be used to sniff out potentially sensitive data.

It’s also true that customers aren’t typically swiping cards at the drive-thru display. They hand over the card at the window. Therefore, credit card data isn’t traveling from the display, thru the LAN to the point-of-sale system. But the right hacking device could still exploit the LAN to access whatever data is sitting at the other end of the system, Lawhorn said.

“Nobody really sits there and watches the surveillance cameras 24-7, and the cameras are there for physical safety of people getting in cars, and so on,” Lawhorn said. “It’s also very easy to find a camera outside the building. And it’s easy to put a wireless device there to sniff the network and see credit-card transactions occurring in something close to real time. The bad guy who finds something at one location then feels empowered to go to other franchises looking for the same misconfigurations.”

What is Lawhorn’s advice for security practitioners dealing with a franchise setting like this?

“Start by making sure the people responsible for setting up these networks are using modern products with security controls built in,” he said. “Also remember that there’s no need for the point-of-sale to be connected to all the other parts of the network. There must be layers of security that includes intrusion detection, firewalls and network segregation between what the public can access (free Wi-Fi) and where sensitive data is processed.”

It’s also important that PCI security standards are truly implemented at the individual franchise level, not just at the parent company, he said.