Fast Food Drive-Thrus Feature Network See-Thrus

Written by Evan Schuman and Fred J. Aun
August 6th, 2009

When security consultant Rick Lawhorn recently drove through the drive-thru of a local Virginia quick-service restaurant, he was about to place an order when the screen stopped displaying his menu choices and chose to show an internal network screen. Instead of pricing for a burger and fries, it told anyone who happened to walk by the system’s boot count, permanent run time, the restaurant’s IP address, IP Mask, Gateway number and that DHCP was disabled, among other things.

But worst of all, from Lawhorn’s perspective, the display told passersby that the order confirmation board (OCB) was quite completely connected to the store’s LAN and POS, which is enough to tell someone that it’s worth trying to hack into. And with a relatively unprotected network connection plugged into the behind-the-store box, that’s not an especially daunting task.

This particular glitch isn’t limited to one restaurant or one franchise group or even, for that matter, one restaurant chain. It’s apparently a glitch in the OCB system itself—the operating system associated with the OCB, to be specific—and the unit used at that particular location was from Texas Digital, one of the industry’s largest manufacturers of such systems, with devices handling orders at some of the nation’s largest QSR chains, including McDonalds, Burger King, Taco Bell, Crystal’s and Arby’s.

“What you’re seeing is the diagnostic screen when you reboot the system, sort of the equivalent of a PC’s BIOS screen,” said a security manager with one of the impacted chains, who asked that neither his name nor his chain’s name be used in this story.

But that security manager said the data on the screen wouldn’t be a lot of help to most potential cyber thieves. “The information on there is not necessarily indicative of the current configuration of the unit itself. It would merely show the technician what options are on the system,” he said. “It’s a small bit of information that a determined attacker would eventually get anyway. They still would need a means to get into the network. It’s a very low risk. You still need to have physical access.” But that may be easy to do with this system.


2 Comments | Read Fast Food Drive-Thrus Feature Network See-Thrus

  1. Dennis Davidson Says:

    Several of the article’s statements and assumptions are incorrect or misleading. I have clarified some of those below:
    The article states that the OCB showed the “restaurant’s IP address”. That is incorrect. In fact, the display showed a default IP address that had no insight or connectivity into the restaurant network.
    The article states that the “display told passersby that the order confirmation board (OCB) was quite completely connected to the store’s LAN and POS”. That’s quite an assumption. In fact, the OCB is connected via a peer-to-peer network to a protocol converter in the restaurant. The POS data is actually send to the converter serially and then converted to IP for transmission to the OCB. This peer-to-peer network has no connection or access to the restaurant’s network.
    The article states there is “a relatively unprotected network connection plugged into the behind-the-store box”. In fact, the data cable is buried in an underground conduit that then enters the display unit inside the secured pedestal. The pedestal cabinet requires a security key to access to the interior.
    The article states “’You still need to have physical access.’ But that may be easy to do with this system.” Wow, then again maybe it isn’t.
    The article states, in regard to credit and debit card data, “they’ll (restaurants) have a lot more sensitive data lying around.” Yes, there is more data. However, credit card and debit data is required to be encrypted and is transmitted – not stored. The statement is misleading. Later, the article states “storing growing mountains of data”. Again, the PCI-related data is not stored in order to limit risk.
    “Lawhorn was not alone in his observations, with photos of machines in different regions—and with different chains—showing the error screens circulating.” I have reviewed the photos and they are various solutions, from various vendors, and are indicative of a wide range of unrelated system errors. You cannot make a broad assumption about data security based on these unrelated photos.
    Lawhorn was quoted as saying “It provided an IP address and it told me the IP address was fixed.” Again, the IP address displayed was a default address with absolutely no insight into the restaurant network or configuration. Mr. Lawhorn states he could get to the vendor but it is not mentioned that he has not contacted us. I have attempted to contact Mr. Lawhorn, without success, through the original article’s author.
    The article states “I can place a router in line between the sign and the restaurant.” and then “If they are wireless…” The fact is that there is no wireless access at this site and there is no exposed data cable to place a router. To do this, a culprit would have to break into the restaurant or physically dismantle the OCB in the drive-thru. The statement “On the back of the display is a network jack. You could go up to it, unplug the cable and then plug it back into that sign.” is tremendously misleading at the network cable and jack is inside a secured cabinet.

  2. Evan Schuman Says:

    the comments are generally disagreeing with what someone said in an interview.
    Also, many facility set up their mechanisms in many different ways. Not all restaurants deploy systems in the exact manner suggested by the vendor and there are facilities that try and cut costs by going directly. The IP address comment is the position of the vendor that it’s likely the default address and not necessarily the address of that restaurant’s network. And the column explicitly stated that (“The information on there is not necessarily indicative of the current configuration of the unit itself.”)
    But an IT manager with that chain–who didn’t want his name–indicated that the concerns of the consultant the column quoted were fair and accurate. We give the retail chain’s IT department a lot of credibility on such matters.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.