But worst of all, from Lawhorn's perspective, the display told passersby that the order confirmation board (OCB) was quite completely connected to the store's LAN and POS, which is enough to tell someone that it's worth trying to hack into. And with a relatively unprotected network connection plugged into the behind-the-store box, that's not an especially daunting task.
This particular glitch isn't limited to one restaurant or one franchise group or even, for that matter, one restaurant chain. It's apparently a glitch in the OCB system itself—the operating system associated with the OCB, to be specific—and the unit used at that particular location was from Texas Digital, one of the industry's largest manufacturers of such systems, with devices handling orders at some of the nation's largest QSR chains, including McDonalds, Burger King, Taco Bell, Crystal's and Arby's.
"What you're seeing is the diagnostic screen when you reboot the system, sort of the equivalent of a PC's BIOS screen," said a security manager with one of the impacted chains, who asked that neither his name nor his chain's name be used in this story.
But that security manager said the data on the screen wouldn't be a lot of help to most potential cyber thieves. "The information on there is not necessarily indicative of the current configuration of the unit itself. It would merely show the technician what options are on the system," he said. "It's a small bit of information that a determined attacker would eventually get anyway. They still would need a means to get into the network. It's a very low risk. You still need to have physical access." But that may be easy to do with this system.Still, the chain said that it contacted its vendor and asked for an explanation and to have the glitch fixed, ideally making the system go blank when it restarts, rather than displaying the internal stats. Asked why it happened, the retailer reported that "their thought process is that it shouldn't reboot during working hours."
This is becoming a huge problem, especially with fast-food chains. There are three issues these chains are dealing with simultaneously. The first is that these are mostly cash businesses and cash-handling is very expensive. That means that the chains are going to try and get their customers to use more credit and debit cards, which in turn means that they'll have a lot more sensitive data lying around.
The second issue is that many of these restaurants are owned by regional franchise groups, which means that the restaurant chain can't dictate what technology and security mechanisms the stores will use. Well, they can certainly dictate, but the stores are out there on their own and they generally do whatever they want. (It's akin to raising a chain of 12,000 adolescent daughters.)
McDonalds has been pushing an effort, for example, to try and segregate all of the payment in all of their stores , including their franchise locations.
The third issue is that, even though these stores (both owned and franchised) may be part of a multi-billion global restaurant chain, each store is comparable to an extremely small business. That means no IT staff and little facility security, other than video cameras.
Add it all up and you stores with little security, storing growing mountains of data and little way of regulating how they deal with it.
Lawhorn was not alone in his observations, with photos of machines in different regions—and with different chains—showing the error screens circulating.
But what Lawhorn did see—which is at the heart of most of these units—was far from comforting. "The information on the screen relayed enough information where I could get to the manufacturer. It provided an IP address and it told me the IP address was fixed. The reason that's important is because I know their networking address scheme and I can introduce another host or node. I know exactly how many devices they can accept by that network address range. I can place a router in line between the sign and the restaurant. If they are wireless, I can sit in their lobby and try different things," he said.
He also questioned the chain's claim that the glitches are only momentary, making the risk from the data being displayed minor. At the location that he initially observed, he saw the system crash. "When that happens, you want to provide people with an error message, but not reveal too much information in that error message. If you provide too much information and leave it up on your display for days at a time while you're waiting for a support call, you are just spreading that information around. This was up for a couple days. I went back two or three days later and it was working while I was in line but then it crashed again. So it was four or five different dates."
The biggest problem, Lawhorn (who provided pictures of the machine he saw) said, was the perceived ease of physical access. "On the back of the display is a network jack. You could go up to it, unplug the cable and then plug it back into that sign. You could put in a wireless router inline, making all their internal network traffic wireless. So I can now run any tool I want to and sit in the parking lot and monitor what's going on. The diagram offered by the place that provides these signs shows no instructions for setting up firewall rules. You connect it to a hub and we know that, with hubs, all the network traffic is broadcast across all the ports. So if a sign is part of the internal network, the POS is sending credit card transactions across that network. For the most part, it's one big fat, happy network."