McTerminals Give The Hamburglar A Chance

The golden arches of a McDonald’s restaurant are a ubiquitous feature of life in so many parts of the world, and while their food might not be to all tastes their comforting familiarity draws in many a weary traveler. There was a time when buying a burger meant a conversation with a spotty teen behind the till, but now the transaction is more likely to take place at a terminal with a large touch screen. These terminals have caught the attention of [Geoff Huntley], who has written about their surprising level of vulnerability.

When you’re ordering your Big Mac and fries, you’re in reality standing in front of a Windows PC, and repeated observation of start-up reveals that the ordering application runs under an administrator account. The machine has a card reader and a receipt printer, and it’s with this printer that the vulnerability starts. In a high-traffic restaurant the paper rolls often run out, and the overworked staff often leave the cabinets unlocked to facilitate access. Thus an attacker need only gain access to the machine to reset it, and they can be in front of a touch screen with administrator access during boot; from that start they can do anything. Given that these machines handle thousands of card transactions daily, the prospect of a skimming attack becomes very real.

The fault here lies with whoever designed these machines for McDonald’s: instead of putting appropriate security on the software, the whole show relies on the security of the lock. We hope that they don’t come down on the kids changing the paper, and instead get their software fixed. Meanwhile, this isn’t the first time we’ve peered into some McHardware.

46 thoughts on “McTerminals Give The Hamburglar A Chance”

  1. There was a time when I’d see Radio Shack Model 100s at the local McDonalds. They were in the kitchen area, never knew what for. I seem to recall a panel over much of the keyboard, so maybe just the function keys useable.

    1. Kitchen Order Screens, tells the cook what is expected in what order with what customizations. Nowadays they run a DOS program on a teeny-tiny little x86 box.

  2. I have an addition to this – as I worked at a McDonalds with these kiosks for a few years; the area where the printer is does not contain the NUC (at least in the US ones). The actual computer is secured with a different lock that the store manager typically only has a key to. The card reader terminals do get loaded from the computer, but it’s heavily encrypted and won’t load if the time is more than 15 seconds skew from what it thinks. There are many vulnerabilities for a system assembled like this but just popping a USB stick and loading a program is not as easy as he believes – I poked at these plenty and it would take a bit more effort.

    I want to make clear that I don’t consider myself as skilled as most that post on here and a targeted attack would absolutely be possible on these machines, but the registers would be easier. They run admin mode with a horrible Java app on top of Windows 10 as the UI Shell. USB ports are open and usable but I never did more than confirm it could run a “Hello World” as admin. And everything is networked so once you’re in you’re in.

    1. If you’re lucky you end up in jail. If you’re not lucky, you don’t wake up, in a ditch. A non-zero number of “Gus Fring” types around who have fast food joints for bleaching cash.

    2. The card readers are no longer connected to the register directly. They haven’t been for several years. The registers don’t have any credit card information on them or moved through them. So other than hijacking a register for free food or probably more valuable as an entrance into the corporate network the kiosks are not a good point to gain card info.

      1. +1 This! I can guarantee the Windows PC has zero access to secure card data, all it’s waiting for is an approval code from the bank supplied hardware.

        This article can be safely deleted as it is nonsense written by someone without enough security experience.

  3. I would also lay the blame at using a single receipt printer. It should have two printers, so one can run empty and the system automatically starts using the second one, so the first can be refilled at the attendant’s leisure.

    (One printer, even with a very large paper roll, would eventually run out and it would be a critical issue at that time. But with two, it doesn’t matter at all when one runs out, as long as you can refill it before the second one does too. The critical detail is that you should always be using the printer which is closer to running out, rather than wear-leveling between the two which would result in them running out simultaneously and then you’re back to having a critical issue.)

    1. Welcome to reality, where everything and everyone is dumber and lazier than you imagine. Here we have twice as many printers we ignore until the last one starts whining and then we can’t change the paper anyway because no one ordered new rolls of paper. Instead let’s just buy a new printer. They come with a free roll.

      1. Exactly! I work in a manufacturing setting and explain to my guys never say “that won’t happen” when looking at new designs for equipment. There’s always a bigger idiot

        1. That is what keeps me employed.

          I put two printers in and 4 of the dumb out-of-paper LED sensor packs, and then set up the auto order script to have Amazon ship the paper with a “birthday” note saying which kiosk the paper goes in (even though it fits in all of them), and set up the email alert to repeat daily (and hourly when the 2nd printer gets low).

          And they still run out of paper half the time

        2. I wasn’t taught this, but learned it on the job. We shouldn’t ever say “this situation will never happen.” Instead, we should say “under what circumstances could this situation happen” and design accordingly.

          Our biggest fear for our products is that one user who has seen a few teardowns on youtube and therefore thinks that they are smarter than the guy who wrote the warning label.

    2. There’s no advantage to using two printers over one printer with a roll twice as large. You still have to go change the paper rolls at some point, you don’t have people ordering while you are changing roles, and it actually makes it more complicated to have two because you have to do the process twice.

      1. The advantage comes in the form of increased flexibility with regards to the timing of replacement. You don’t have to replace the empty roll as soon as it runs out if there are two, but with just one roll, the machine can’t take orders until the roll is replaced. Either way, “you don’t have people ordering while you are changing roles [sic]”, but with a single roll, you also don’t have people ordering between the roll running out and sending someone to replace the roll.

  4. I can see the conversation.

    What are you in for?
    Computer fraud and abuse. I rigged the McDs point of sale to give me free ‘food’.
    Respect! Damn, I guess that makes you the new prison boss. Which of the convicts do you want as your Bs?

    Anything you do with a computer that pisses off a federal judge is retroactively illegal faster than the judge can say ‘post ipsofacto, post schmipsofacto.’

  5. Don’t give up on the cheeseburgers just yet.

    The payment terminal (“PIN Pad”) is responsible for the encryption of the card data. It’s a completely separate computer with a split app/runtime architecture. It almost certainly runs a Linux variant.

    To upload a new application package (which is all McDs can change), the app needs to be signed by the terminal vendor. That is a very locked down process where the vendor limits (and audits) what appears on the screens. McDs can’t even submit a screen request with more than six buttons, to prevent a rogue customer from emulating a 10-key pad to Trojan Horse a customer’s PIN.

    The terminal vendor can provide remote OS updates. The updates are encrypted and signed; only those with valid signatures are decrypted and applied.

    The terminal also houses encryption data in a separate secured, tamper-detecting hardware module.

    For cryptographic processes, all the keys are injected into the secure module via a separate dedicated key injection machine, kept in a secured caged facility that is owned or operated by the vendor or their service company. The key injection process itself is a one way operation, with a unique terminal-specific generated key (that isn’t the base derivation key) sent to the terminal.

    Cryptographically, the PIN key management system is called DUKPT, which algorithmically generates a new key for every credit card transaction. It continually spins forward generating new keys and destroying old ones. While the terminals chug along generating new keys and forgetting old ones, they are easily decrypted by the payment processor that holds the base derivation key. McDonalds most likely does not own their own base derivation keys, and won’t have access to them.

    DUKPT itself is a really clever protocol.

    The hardware encryption module itself is not field upgradable. It doesn’t get patched by vendor OS patches. (It may get upgraded during key injection, but I don’t know for sure.)

    The tamper detection systems are most fascinating. There’s a miniature Mission:Impossible of booby traps inside: case opening sensors, plunger switches, screen detectors, light detectors, and even a 3-D anti-drill maze of printed circuit traces surrounding the CPU: if a trace is broken, or two adjacent traces shorted, it trips. Tripping the detection circuit causes the encryption CPU to wipe out the key storage memory, bricking the unit. We had a forklift driver drop a pallet full of terminals once, and the g-force shock was enough to trip all their sensors, so they all had to go back to the factory for re-injection. And that was 15 years ago — the security standards have increased considerably since then.

    So the payment terminals are very, very locked down. They should never leak unencrypted cardholder data.

    The kiosk itself just runs whatever McDs wrote for menu and tabulation. All it can do is call the payment terminal and say “transaction total=$12.34, show the customer payment screen”.

    There likely won’t be a jackpotting of these payment terminals as they really can’t do much.

      1. nope, 90% of what he said is already known and published on youtube.

        … something about purchasing, disassembling and googling similar (larger and heavier) devices.
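
An added example, not part of the original post or its comments: a simplified forward-only key ratchet in Python illustrating the per-transaction key behaviour the DUKPT comment above describes. It is not the real DUKPT derivation; the HMAC-SHA256 chain, the XOR stand-in cipher, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes) -> bytes:
    """One-way step: knowing the output does not reveal the input key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def initial_key(bdk: bytes, device_id: bytes) -> bytes:
    """Computed at key injection; only this value, never the BDK, reaches the terminal."""
    return prf(bdk, b"init|" + device_id)

def xor(data: bytes, key: bytes) -> bytes:
    # Stand-in for the real cipher (assumption); data must be at most 32 bytes.
    return bytes(d ^ k for d, k in zip(data, key))

class Terminal:
    def __init__(self, device_id: bytes, injected_key: bytes):
        self.device_id = device_id
        self.counter = 0
        self.chain = injected_key

    def encrypt(self, pin_block: bytes):
        txn_key = prf(self.chain, b"txn")
        message = (self.device_id, self.counter, xor(pin_block, txn_key))
        self.chain = prf(self.chain, b"next")  # ratchet forward; old state is overwritten
        self.counter += 1
        return message

def host_decrypt(bdk: bytes, message) -> bytes:
    """The processor rebuilds the transaction key from the BDK, device id and counter."""
    device_id, counter, ciphertext = message
    chain = initial_key(bdk, device_id)
    for _ in range(counter):
        chain = prf(chain, b"next")
    return xor(ciphertext, prf(chain, b"txn"))

def keys_reachable(chain: bytes, steps: int) -> set:
    """Transaction keys computable from a captured terminal state."""
    reachable = set()
    for _ in range(steps):
        reachable.add(prf(chain, b"txn"))
        chain = prf(chain, b"next")
    return reachable

def demo():
    bdk = bytes(range(32))                      # constructed sample key
    device_id = b"KIOSK-0001"                   # constructed sample id
    term = Terminal(device_id, initial_key(bdk, device_id))
    pins = [b"PIN-BLOCK-A", b"PIN-BLOCK-B", b"PIN-BLOCK-C"]
    messages = [term.encrypt(p) for p in pins]
    recovered = [host_decrypt(bdk, m) for m in messages]
    first_key = prf(initial_key(bdk, device_id), b"txn")
    # State captured after three transactions cannot reach the first key.
    leaked = first_key in keys_reachable(term.chain, 1000)
    return recovered, leaked
```

The host recovers every PIN block from the base key and the counter alone, while the terminal's current state only yields keys for transactions that have not happened yet.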

  6. “There was a time when buying a burger meant a conversation with a spotty teen behind the till, but now the transaction is more likely to take place at a terminal with a large touch screen. ”

    Skipping that and ordering from your cellphone. All you have to do is pick it up.

    1. Unfortunately that requires a 600 MiB “app” that requires access permission to your contacts, calendar, network, storage, camera, fingerprint reader, body sensors, microphone, phone, and SMS just so you can order that dry cardboard slab they claim is a “hamburger”…

      Google Play store won’t even tell you how big an “app” is anymore because they are so absurdly bloated.

      No. Thank you. I’ll talk to the pimple-faced teen and not melt my phone down.

      1. ah no it requires the location and notification permission, and the notification can be disabled and it still works. However it still is a bloated buggy mess that’s 200mb when it could be like 2 at most, or better yet a universal webpage.

      2. They don’t have pimple faced teens operating registers anymore except at the drive-thru. I recently went through the absurdity of using a “Manager’s Coupon”. You know, the thing the manager mails you to say “we’re sorry, your next meal (from a limited set of choices) is on us” rather than refund your order when they mess up. Stand around for 20 minutes while everyone pretends to not see you, so they can avoid going to the single till up front (also, there are no menu boards in their restaurants anymore). Finally a staff member shows up, tell them my order and hand over the coupon. They look at it, say “oh that’s cool” and hand it back, expecting cash payment. No clue as to what the coupon is, or how to process it, or that all the details including the code to punch in are clearly printed on it. Hand it back to them, explain what it is, and that they might want to get a manager if they don’t understand what it is or how to process it. Instead, they hit a combination to send the order through to the kitchen, but then void the cash register transaction, and still hand me back the coupon!

        1. @Grizzly Adams “expecting cash payment”? What country are you in? Where I live people look at me like I’m some kind of weirdo when I pay cash. Yeah, cash. Because where I live it’s also legal for the EFT providers to slug you with a 1.8% surcharge for using a card. Maybe everyone where I live is too rich? There are even shops where they don’t even _accept_ cash! Needless to say, I don’t go to those places :-)

    2. The first time I used the McDonald’s app, I waited for 20 minutes for my order right there in McDonald’s. The manager asked me if I had ordered and I said yes, I used the app. They had no record of my order, so I ordered at the till and they had my order to me in 5 minutes. 15 minutes later they called out my order I had made with the app. Right then and there I said NO to the app and NO to the kiosk. I order the old-fashioned way and if I stop at a McDonald’s where they force you to use the kiosk, I turn around and walk out. I’m slowly learning to not go to McDonald’s anymore. It used to be my first choice – now it’s my last – born only out of necessity.

  7. Pinpad transactions are encapsulated. The pinpad sends encrypted packets to the Net via its own tunneling; the pinpad only reports status and if the transaction went thru or failed.
    Trust me, I worked at Verifone. This way you don’t have to verify the system security, only the pinpad.
    The pinpad has more than 10 sensors against tampering.

  8. So in reality, you can’t skim cards, but you could load an alternative menu app, which doubles the cost charged to the card, or charges zero, or messes with the orders. You could add allergens to orders when people have removed them. You could invent new burgers and see if anyone notices.

    But the most damaging thing probably is to put up a screen claiming that you’ve stolen people’s cards. The PR fallout for McD would be horrific.

    1. Not really, unless it’s different in the country I serviced these in, they didn’t run anything as the admin account. You couldn’t even set the resolution or screen rotation and have it persist through a reboot using the account that runs the POS software.

  9. Hacked/broken McTerminals are no surprise. There are so many broken McDonald’s soft-serve ice cream machines there’s a web site dedicated to tracking them.[1][2] See [3] for the supposed “real” reason why so many of McDonald’s soft serve ice cream machines are kaputsky.

    * References:

    1. This website shows every broken McDonald’s ice cream machine

    2. Is the mcdonald’s ice cream machine broken?

    3. The Real Reason McDonald’s Ice Cream Machines Always Seem To Be Broken

  10. The sales staff is always trying to shoehorn me into using those plagued kiosks. Sounds like I have a good reason to use them now. It’s like the Target Kiosk hack that allows you to surf the net while you wait for your wife to do her shopping.

  11. I had worked for a McDonald’s for 12 years and I have seen some crazy things when it came to their computer systems.

    The ISP (Main system) used to run SCO Openserver 5 with Emerge running Windows98. Right before I left in 2016 they switched to Windows 2012 Server with VMWare running SCO Openserver in a VNC session.

    The Registers when I started ran MS-DOS 5. When they were updated I brought home one of the old registers and it had a 133MHz Pentium with 8MB of RAM. Funny thing was it had a 40GB hard drive partitioned to 1GB. The new systems were from PAR and ran Windows XP with the new software called POS 6. They did not have admin rights at all set on them. If you needed to do anything settings wise you had to call tech support and they gave you a password that worked for that day. Couldn’t access the BIOS also, it was password protected with a single daily used password and was some custom PAR BIOS that most likely was a customized AMI BIOS. The printers were IP based and the cash drawers were USB but with RJ11 termination.

    KVS screens (The screens everyone reads the orders from) were Wyse 60 terminals. When the CRTs got so burnt up they switched to a “smart terminal” that were Wyse brand and ran Windows NT 4 or Windows 2000 embedded. I hated it when someone would attempt to plug their phone charger into the USB port. Would get an error about the USB device then had to go grab the mouse from the ISP to clear it.

    The POS Server, Ran SCO Openserver and was headless. If it messed up PAR or Panasonic would just tell us to forcefully reboot it. The updated system ran Windows 2008 Server with CYGWIN and VNC to the cashless system.

    Cashless system Was a Dell Wyse box that god forbid anyone looked at or the cashless would go down. Best I could tell it was a neutered version of XP probably XP embedded. Just had a DOS window pinging the crap out of the card readers.

    In all there are too many hands in the cookie jar. Had PAR, Panasonic, McTel and some other tech support. Also had to deal with AT&T. What felt like a month on a daily basis we got a package with a letter saying keep it for installer and it would be some cisco device that ATT would come by and hook it up. God forbid they used the same rack. Had a wall mounted rack that had old 10t-base hubs and a wall mounted box that was head height when sitting. Before I left there were six devices hanging off of that box. We were constantly hitting our heads on it.

    I’m not sure what they use now but it seems the ISP is all web based now. I highly doubt plugging in a rubber ducky into a register would do anything other than seeing many orders of mcdoubles and mcchickens. The card reader has its own line running to the cashless server that then sends the “OK” to the register the card machine is paired to.
