When McDonald’s machines are open, malware may be used to harvest customers’ payment details.
Geoffrey Huntley is currently traveling all over Australia and has observed many open McDonald’s machines. Huntley said:
“The underpaid staff who used to place the orders have been replaced with these self-service kiosks and a ticket-based process. This process breaks down completely when the ticket printer runs out of paper.”
McDonald’s employees often leave the machines open
Since this happens very often due to the large number of orders, the employees simply leave the machines with the touch screen open in order to be able to exchange the paper for the tickets more quickly. Customers don’t get a meal without a ticket, which is why they complain promptly.
Access to the innards therefore depends primarily on whether you have a USB stick with you. Inside the McDonald’s machine is a regular x86 NUC computer with free USB ports. At least that is the case in Australia. Incidentally, the amateur hacker became well known as the programmer of NFT Bay, the fake site filled with meaningless data that was so widely reported in the media last winter.
Huntley also found that the installed machines were running Windows 7 in admin mode. The touchscreen input was always active. In recovery mode, any bystander could run an application of their choice, for example a program saved on a USB stick. Huntley continues:
“Today I watched the entire bootstrap process at another McDonald’s. I can confirm that the kiosk is indeed responsible for installing “Custom Firmware” on the card reader. With user interaction enabled, it’s theoretically possible to force the terminals into recovery mode when they boot up by tapping the screen…”
Windows 7 as operating system = not a good idea!
Payment terminals are attached to McDonald’s vending machines. If someone here installs malware by inserting a USB stick or by using recovery mode, then the person could possibly also steal the data of the Maestro or credit cards inserted by the customers.
A commenter on Twitter, who claims to be an industry expert, responded by saying that most payment terminal manufacturers have secured their hardware really well. It should therefore not be so easy to view the PINs or other data entered from the Windows PC because the terminals will fail to function if any data is transmitted unencrypted.
Huntley also points out that machines like these must not be run in administrator mode. That holds even if visitors cannot easily open them, and all the more so if the machines are always open anyway to save time. In addition, it makes little sense to use an operating system like Windows 7. Microsoft hasn’t provided Win 7 users with any security updates for a long time. Correction: The embedded version still has regular updates until October this year.
How to hack a Hamburger?
It would be interesting to know whether the same software is also used in McDonald’s machines in Germany. If so, it would be time for another seminar at a security conference, something like the presentation by Barnaby Jack at DEFCON in 2013, when he gained unauthorized access to various ATMs en masse through a security gap.
By the way, anyone who would like to set up such a McDonald’s machine at home can purchase the hardware from Alibaba and other online auction houses. Then you could calmly test whether there are other security gaps that have not yet been disclosed. According to the ad, the devices are also used by Kentucky Fried Chicken (KFC) and other franchise restaurant chains.