
BSides Rochester 2018 - How to "Hack" Point of Sale Systems

BSidesROC | 32:12 | 468 views | Published 2018-04 | Watch on YouTube ↗
About this talk
Talk Description: A look into the unknown world of restaurant point of sale systems and how insecure they are. Bio: Currently an IT Security Auditor; worked as a nationwide point of sale support specialist for several years, working on a wide range of point of sale systems and how they were maintained and secured.

Transcript [en]

[Music]

Good, levels should be good. Okay, yeah, I like them. I've got to fill the room; there are that many nerds who want to know about point of sale.

I'm impressed. Afternoon. This is my talk about how to hack POS. My name is Forrest. I worked several years as the MSP support for point of sale systems. Overall we handled about 35 clients in total, of various systems and various sizes, from little mom-and-pop shops to full-size enterprises that have several-story bars, and they would fill up on St. Patty's Day; they're doing several million in a day. This is also going to be about table service. Table service is generally a sit-down restaurant or bar, and mostly my focus is going to be on NCR Aloha. It's the most common table service point of sale software out there, right next to our paths and Micros, maybe not really much, but there are vendors, so if you actually see like the badges on the terminals for that, most of the time the security is about the same; they're just using Java instead of what Aloha is using.

Generally PCI is a joke. It's very hard to enforce for the smaller industry, like the franchisees. A lot of places, how they're set up is it may look like a singular brand, but in all reality it's about a thousand franchisees that are these small companies that just happen to rent the brand. So when you're going to a restaurant you're dealing with a small company who has no IT budget. So just a forewarning: don't go around hacking your local bar. They will not like you very much, generally because you'll probably crash their point of sale. It's very touchy, if it doesn't crash every night anyway.

So generally NCR Aloha uses CIFS/NetBIOS for most communications. It only supports SMB version one. Even the newest versions of Aloha only support SMB version one; if you turn it off, it crashes. For its static files, like menus, employee numbers, things like that, it's dBase. It's a really, really old protocol, well, actually database format. It has about six to seven hundred individual files that are copied over SMB version one to the terminals every morning. Generally for transactions, these are things that are constantly changing between the terminals, it uses unencrypted binary-packed logs; it's all uint16, every bit of it, with some XML thrown in there because they like to. So things like credit card track data: it does store all three tracks for certain versions of Aloha. Generally the most commonly used one, which is Aloha 6.7, uses a static DES key of "Aloha". So that's how your credit card data is being stored, and it's been doing it for several years. Most people keep seven years of data on their back of house, which is running Windows XP.

Most users are still using 6.7 because plugin support was nuked in the next version; it requires like a two million dollar license just to write a plugin, and then the store requires like a three to four thousand dollar license just to use plugins, so nobody wants to buy that, so they just keep on the old one. Now this is still technically a supported branch; they're still releasing updates for it, but you have to pay a couple of grand for the updates, so nobody updates. This is extremely common for most point of sales: they charge for updates and they charge way too much. So what happens is you get these small mom-and-pop shops that won't upgrade for ten years. Generally the only time they upgrade is when the credit cards stop working because TLS or something along those lines has stopped working.

So generally it is a massive pain in the ass to support on the MSP side of things. Generally we only have an hour to get things back up, so technical support is very stressed, under-trained, there's no documentation, and so we're very easy to social engineer. There's no way for us to verify they're actually on the site at all, and generally we do a lot of backdoors to get into systems. We actively make backdoors in the system so we can get back in. We'll end up using default credentials, things like that. Like generally, out of the 35 clients, we only had two that actually used unique credentials per site. They weren't even different between the terminals, and they were like based off the MAC address, so it's pretty easy to find out what it is, especially if you've compromised a machine.

Generally this is the networking diagram. It's very flat; it has to be. Generally if you try anything more complicated than this, you're just going to end up with a crashing point of sale. So all of this is unencrypted connections. It's just obfuscated, if anything; it's just a binary version of it. Amazingly enough, the kitchen display system for Aloha, if you're using Aloha's version of the KDS, it transfers card data to the kitchen screens because it has a copy of the trans log. So you've got stuff everywhere. Also it's connected to the security cameras. They have to be on the same network if they want; they have a feature where they can show the transactions on the security cameras, and so those actually have access to the transaction log as well. There's a huge attack surface once you're inside of a network, even if you don't have the credentials. The KDS, you can't change the credentials on that, but it's Windows CE 5, so it's got a billion CVEs for it as it is. We actually used exploits to get into terminals that were down, that we couldn't log into anymore, just so we could get them back up and under the SLA, generally, because they're all using Windows POSReady 2009. It's Windows XP SP2 with no updates, because updating is hard and they don't put these on the internet. Oh yeah, hey, if you try to update that, it dies. You're lucky if the back of house is running Windows XP. We've had a couple of instances where we just moved customers off of Windows 98 and they wanted to go back because it was running faster in Windows 98 than it was running on Windows XP; it was the same version of Aloha. Aloha natively supports Windows 3.11 and forward, so you can actively downgrade connections and things of that sort.

So generally spotting Aloha is extremely easy. You want to look for these stupid buttons. They're the only point of sale that actively uses this color scheme, so you know, it's like a shaded button from like Windows 98. Same thing here with some of the menus, very easy to spot. They're the only ones that use this kind of teal. Also, this is for bars. Generally they'll have like this custom layout for their tables. Aloha is the only one that supports this, where they can do custom buttons and things, but they'll still have like the shaded buttons on the sides. Also, this is the new version of Aloha. This is Aloha 12 and above. They decided to go the Windows XP route and go with the rounded buttons. That's what they currently use. This is the latest version of Aloha here.

Also, generally if you see NCR hardware, like on the printers or on the terminals themselves, they're always using Aloha, like that; this comes default. So it's very common to see VNC servers. It comes default from NCR with the password of "Aloha". Nobody changes this. Out of all the customers that we had, the 35 concepts, 40,000 stores, all of them had that. Some more firewalled it, but the VNC server was still running, and it's like the oldest version of RealVNC I've ever seen. I couldn't even tell the version number because it won't tell me. Generally all admin shares have to be open. It uses a share called BOOTDRV. It's always open; it has to be open. The credentials have to be the same across all of the terminals, and they have to be the same for the back of house as well, so they use the standard credential and they can't change it. Well, you can, but it causes problems; you just don't want to. It's a crashy system that won't communicate with one another. So very common: these are default in the NCR images that they get from NCR. So when they buy the terminal, they get Aloha with it, because of the image, because there's like this vendor-chosen preloaded program. Those are the default credentials that they use. It's very surprising whenever they change it. Usually it's like the higher-end places will change those, but then they're the same across the entire place, and since they're LM hashes they're extremely easy to crack. It has to be LM hashes because it's NetBIOS and remote DCOM. Yeah.

Oh, so here's the fun part. NCR has certified that Aloha's PCI compliant if you follow their implementation guide, but no one's audited the implementation guide. Well, they said they push it back onto the people who are implementing it. I've actually gotten into a fight with some of their legal team over this. It was like, well, it's not actually PCI compliant if we're storing it with a static key. Well, PCI doesn't actually specifically state what kind of encryption you're supposed to use, and if it's a custom crypto, like if you just kind of change how the IP works in DES, that passes PCI anyway. So that's what they did in the newer version. So you understand, like, Aloha 6.7 is from like 2004 and they've just been continuously updating it; it is end-of-life, technically. What most people have been doing is that, especially with chip and PIN, they've been moving away from using the card readers on the terminals themselves and moving to external card readers, which have their own host of vulnerabilities on them.

But, like, for instance, gift cards: a lot of people don't consider gift cards PCI, but even, I mean, for some of the larger chains they're as good as cash, and they store those unencrypted by default. I don't think you can encrypt it in Aloha. They store it as plain XML in the trans log. You just open up Notepad and start pulling gift cards, or, you know, just putting in your own, because you VNC into it, and if you use like the support credentials of 911, 999, or 9889, or some version of that, or just watch somebody log in, because it shows the button depresses as they're logging into the terminal, you're going to make your own gift card, because you can put the gift card number in manually. So you can buy a whole bunch of gift cards that only have like 10, 15 bucks on them and then put five hundred dollars on it, or if you know like corporate's going to be on site. Loyalty programs are a huge target as well, where they'll have their own custom codes to log in with for loyalty, and it's like a high percent off everything. So those developer codes generally exist across all loyalty programs as well. The trick is, like, you have to do a little bit of remote recon. Most of them, it was like the phone number of one of the admins up high, and that was the loyalty card, but then they'd spread it along to their own customers.

So generally they do not have antivirus products. They will attempt to put antivirus products on it, and then support yells at them enough to remove it. It generally causes enough problems, because Aloha does so much on the high level, like it injects itself into kernels. It has its own custom driver infrastructure called OPOS. OPOS is extremely common in the point-of-sale industry. IBM made it, and it's supposed to be like this middleware for like printers and, you know, mag cards and stuff, and if antivirus does interfere with this, because it works like over some DCOM structure, and there's like this JSON interface that it uses and a little bit of XML, so it tries to intercept that traffic and it promptly crashes the point of sale. It does not handle this kind of thing at all. So like we've seen instances, like people putting Bit9 on, and we have to go in every day and train it, because it modifies its own DLLs every time on a new business date, so you can't like whitelist based off a MAC or anything like that. And since it transfers it from the back of house to all the terminals every morning, you could just infect the back of house and then you're on all the terminals.

This is the case for most point of sales. Most point of sales that I've seen, like our pop, Squirrel, Micros, they all do this. They'll do some method of NFS or SMB, generally using weak credentials or some kind of weak auto-configuration setting, where they will then go ahead and update themselves automatically every day. You can man-in-the-middle it and it won't even know. Like I said, it's remote DCOM and it's in plain text. This is mostly for the communication between the point of sale and what they call EDC, electronic draft capture. EDC is what actually handles the credit cards, communicating with the upstream credit card provider over TLS. But they don't actively support, technically, encryption between the two, because it's obfuscated, so you can't actually see the information. It does technically encrypt the card data, but it's a rolling pen that's stored in RAM. So I mean generally with this they don't encrypt the RAM internally, not until the new versions, like Aloha 12 and above, but like I said, nobody runs that; unless you see the new buttons, they're running the old version. It's extremely common because loyalty programs have generally not moved to the new format. Out of all the customers that we had, we only had one that had moved, and they spent a lot of money doing that.

There are environment variables for days. Aloha solely uses environment variables to figure out where it is. So if you're in the back of house and you want to know where Aloha lives, because they like to put it in random places, just go to IBERDIR and it will take you to the bin folder, where you can just copy whatever you want into there; you know it will get copied to the terminals. There's a bat file in there that's the launching bat file. You just edit that and put your payload in there and you're done, and then I have persistent access, and support won't know because they won't look in there. I was a point-of-sale specialist for like three and a half years and we never looked there. I was always fixing the really broken stuff. I did make a special credit card for certain versions of Aloha, which injected an end-of-record hex into the actual trans log when it would read it, and then I put a 32-byte TCP shell in there, so it shelled the terminal. It would decline the card, shell the terminal, and then anything else that read the trans log, it would also shell that too. So that would be any of the other terminals where they pull up your order, oh, and the back of house when they went to go do the daily sales. I reported it to NCR and they were like, oh, we've already patched that. Yeah, but it's like 30 versions ahead; nobody's gone that far. Yeah, I didn't have to use all three tracks, and not all card readers report three tracks. Like, depending on the older units, they won't do the three tracks; they only do the first two, sometimes only the first one. Those are really old ones.

So other point-of-sale systems: generally they use HTTP or common plaintext protocols to communicate. Tomcat 5 and 6 is extremely common, and Java 1.2 is also extremely common as well. Generally it's more the custom ones that you'll see that use Java; the more custom it is, the more and more they generally lack on security. Most of the time, because all you have to worry about is the card data, and if you just secure that into the external readers, they don't care about the security of the rest of the system. They just want it to work, and it's usually only like three or four devs anyway. I covered like the updates costing too much, so it never gets updated. Security kind of comes third when it comes to all point of sale software.

Online ordering, yeah, so I know of a couple of things you can put in an online ordering and it'll cause the printers to just never stop printing junk, and they'll restart the printer and it'll go to try to print the ticket again and it'll just start printing more and more junk. That's a voltage problem, by the way; he got back Gamble's. Oh yeah, so generally you understand that these printers are Epson TM-T88s. They're always TM-T88s; nobody really uses any other kind of printer in point of sale. They're serial, so if you can imagine what really doesn't work over serial on a really good point of sale system, I think you can figure out why online ordering will break things, because it's an outside system that injects records into the trans log somewhat, and they still use a COM port internally, like it's the best. And then there's like NCR printers, the 1787; they look like a spaceship for no reason. Those work fine. It's the old Epsons, I mean, they still use impact printers, TM-U220s, and those are big loud ones. Those really hate that particular encoding. We've only seen a couple of .NET ones. Then there's a Linux one, that's Squirrel. It's running a Linux kernel 2.1. They haven't updated the software in years; I'd actually probably almost call it decades. And it's becoming more and more popular, Squirrel, because it's a relatively cheaper option and it works decently, but I know a couple of clients that use that.

Also documentation is completely... it's just not, it doesn't exist. Trying to get support documentation at NCR, they don't have it. They barely have an internal database themselves. I mean, they'll tell you, like, a very common occurrence in point of sales is corrupt databases, and they'll just, uh oh, you lost all your sales for the entire day. They won't even try to fix it. They won't try to fix anything, actually. They will tell you to reset it a bunch of times or buy new hardware. So they don't make internal documentation for themselves, and then the actual manuals for Aloha, they're almost non-existent. There's a 30-page document that tells you how to install it; that's about it. So generally technical support, whenever we're trying to fix things, we have to do these backdoors because there's no documentation to try to get these things online.

Generally most point-of-sale systems have some method of decoding credit cards. Every one of them that I've seen does not permanently encrypt or hash credit cards. They will obfuscate it if you do not have the right privilege levels, but there's always a privilege level that you can assign yourself internally to get credit card data. So even if you don't know the type of point of sale, just wait until the manager logs in. Actively watch the back of house, wait until a manager login, or cause credit card problems where they have to log in to the credit card system to pull old cards, and then there you go; they have some form of decoding. I know with Aloha you can blank out the password in the EMP.DBF, which is the employee database, and it will let you log in. You can set your own access levels in there as well. Only works on 6.7 though; the newer versions use the cloud databases and it's a little harder, you have to know SQL, but it does the same thing.

So yeah, phishing as managers: we have, at least in my call center and most of the others that I've talked to, no official way of determining that you've been on site, and most of the time managers are too dumb to actually realize that they're even on site themselves, so we just have to kind of work through it. So you can probably lead on most of my tier 1 and tier 2 agents to exploit themselves. So there's that, especially if you call in as like a franchisee, since the franchisee is expected not to know anything about the restaurant. And just because it's a high-end restaurant doesn't mean their software isn't Aloha 6.7 with Windows XP all the way around. Some of the restaurants were pulling in two or three million dollars a night, and their tips were matching. Those are the fun ones, especially when they're on credit cards and the payment processor says no because you've just stored a million dollars of cards in one night.

Overall at our call center we had to clean viruses off of terminals and servers daily, with no disclosure policy; matter of fact, they'd probably fire us if we ever disclosed which customers got hacked. Ransomware was extremely popular. We've only seen one targeted attack against a restaurant. It was a restaurant chain. They came in over an Excel cinema catering order, and yeah, it had a macro bug in there. They actually told them to turn on the macros; they actually guided the caller, enabled macros on the machine, and exported the box, and then they did that across three different restaurants in the Bay Area, and they pulled all the data. They downloaded every single trans log and credit card that had been around there since, and they had track records back ten years. I imagine most cards are dead. There is a program that's supposed to run called clean pan. It's a cron job, but most of the time it's broken, so it's not like there's any reporting on if it's working. That's how they get around the whole PCI storage thing, is that clean pan's supposed to be working, but there's no monitoring for it. Monitoring is a huge thing in point of sale that just doesn't exist.

EMV is the future. Most places hate it, especially table service, because they like their old tip structure, where they take your card to go run it and then they return the receipt to you and you write down their tip. Well, now they have to buy a separate device. There's usually like an Android-based thing NCR has, and then they swipe it at the table and then you can put in your tip while you're signing there. They're very expensive and they're prone to breakage. They use some bad RF frequency that tends to just be serial based, and generally, for a lot of what I've seen with MSRs, it's not encrypted, it's just encoded, but it uses HTTP to contact the upstream encoder. So even if it's EMV it doesn't matter, but they're swiping cards on those. So I know that most point-of-sale is not trained to look for sniffers or any others of the like, the EMV stuff. I mean the card stripe readers, they don't know how to inspect them or anything like that for any kind of implants. Oh, and yeah, generally they trust the hardware a little bit too much, like will damage them, and you know, it's a supply problem. There's a huge supply chain that's involved with point of sale. I mean, we generally have low-paid interns doing the actual imaging, so we've actually had issues in the past of them running like Bitcoin miners on them. It was a couple years ago.

This is a link to the slides; there's a QR code for everybody to see. Julie, I know I only covered like the bare bones, but if anybody has any questions... No, it's Google Drive. Yeah, now, because generally what happens is that if they're not using EMV anymore, it's the restaurant's responsibility to cover all chargebacks and any kind of fraud that happens. The liability shift officially happened now, so it's a responsibility thing. So if they link a breach to you, you're now responsible for all the fraud that happened on that card and the multiple cards. It will ruin businesses, and it has; I've seen it happen a couple of times. But if you use EMV you get a lower percentage rate on your charges; it's impossible to charge back around half the time, and generally you only have to... they'll give you the readers now and it just requires Ethernet. So more places need to switch over to EMV, but it's not happening at the adoption rate that the industry wants. Yeah, now, that's a little SIM-card-looking thing on your credit card, which, amazingly enough, those run Java, by the way. Yeah, it's GlobalPlatform, it's called; it's a form of Java. All of that smart card type stuff is all Java; it's a small form of it.

Yeah, we don't have anything else? I mean, it's all Aloha. The Aloha feature set, like if it was a secured system, is actually pretty amazing. It has a lot of stuff in there. It will manage your entire store; it'll order stuff for you; it'll handle all the inventory tracking; it'll handle all the HR stuff, so it'll actually do people's taxes for them as well. But it stores like the Social Security numbers and everything as unencrypted text in the databases, which by the way, DBFs can be opened up in Excel; just don't save them or it will blow up the point of sale. Anything else? Yeah, yeah, so the terminals that are running all wireless, it probably isn't an Aloha system. Like there's the hipster point of sales which are like on iPads and things of that sort. I still wouldn't trust them as far as I can throw them, through the fact that generally we all know how app security is on iOS and Android, and generally they have less auditing because they haven't paid for, it's like a couple million just to get PCI certified, a free point of sale.

So I've only seen one place that got close. They had automated rotating passwords using like a PowerShell script. They hardened all of their Ethernet cables going into the terminals and everything so you couldn't remove them. They're running Windows 7; they had patches on; they would test the patches beforehand and then deploy to all the sites. They did run an antivirus. They did have to put exclusions for Aloha in there, unfortunately, so I mean you could probably still infect the bin folders, which have all the binaries in them, and do nasties in there, but very restrictive networks; not even their back of house technically has internet; they have very good firewalls. Generally, if you have something that's modern enterprise security, really Aloha itself's not that hard to deal with. It's just that there are some workarounds that you have to do, but generally with modern enterprise security you get an AK on there, you get secure passwords, you update everything, and you're fine. And especially if you run the newer versions of Aloha, like Aloha 17 is actually a relatively secure product. They rewrote it in .NET, but it's not compatible with the older versions or anything like that, so you have to get new plugins, new loyalty, new gift cards, the whole shebang, if you update to that.

Yeah, at the time it was email, using old versions of Outlook or through the web. You know, people browsing weird websites in the back of houses. I mean, I'm talking about like backcountry places that have like a small computer; they're still on dial-up. We still had sites that run dial-up, actually. To the credit card industry, dial-up processing is still considered more secure than TCP-based, even though the actual connection between the credit card processor is not encrypted over the modem; they only obfuscate the password. I'm not terribly sure, mostly because I think they just haven't considered it. That's usually what it is most of the time when I ask questions about that: like, oh, we never thought about that, oh, it doesn't matter, you know, that will never happen. I got a lot of that. Anyone else? Is that it? Alright, well, it's been fun. By the way, if anyone was wondering what my hat is, it's a Wi-Fi monitoring station. It's been recording all the Wi-Fi in the entire con.
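The speaker's point about the PAN-purging cron job ("clean pan") is that it fails silently and nothing checks whether stored transaction logs still contain card numbers. Below is an added example of the kind of independent monitor a defender would run against such a directory; it is not part of the talk and not NCR's or Aloha's code. It assumes text-readable log files and a flat directory tree; the file names, field layout and card numbers (standard industry test PANs) are constructed for the example. It reports files that still hold unmasked, Luhn-valid card numbers and flags those older than the retention window, which is exactly the evidence needed to prove the purge job is or is not working.

```python
"""Retention monitor: does the stored transaction log still contain card numbers?

Added example (not from the talk, not vendor code). Scans a directory of
transaction logs for unmasked PANs and reports which files are past the
retention window, so a broken purge job is noticed instead of silently
accumulating years of card data.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Rough issuer prefixes (Visa, Mastercard, Amex, Discover); constructed filter for the example.
ISSUER_PREFIX = re.compile(r"^(4|5[1-5]|3[47]|6011|65)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: rejects most random digit runs such as timestamps or order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digit strings in text that look like real, unmasked PANs.

    Masked values such as 4111********1111 never match because the digit run is broken.
    Adjacent numeric fields separated by a space can be over-matched; keep a
    non-digit delimiter after the PAN field in real log formats.
    """
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and ISSUER_PREFIX.match(digits) and luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Finding:
    path: str
    pan_count: int
    age_days: float
    past_retention: bool


def scan_dir(root: str, retention_days: int = 90, now: Optional[float] = None) -> List[Finding]:
    """Walk root; report every file that still holds PANs, flagging those older than retention_days."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                pans = find_pans(fh.read())
            if not pans:
                continue
            age = (now - os.path.getmtime(path)) / 86400
            findings.append(Finding(path, len(pans), age, age > retention_days))
    return sorted(findings, key=lambda f: f.path)


# Constructed sample logs: (contents, age in days). The old file holds two live PANs and one masked
# one; the recent file holds one; the gift-card file holds only numbers that fail the PAN filter.
SAMPLE_FILES: Dict[str, Tuple[str, int]] = {
    "2018-04-01/trans.log": (
        "rec=1;pan=4111111111111111;exp=1220;amt=42.10\n"
        "rec=2;pan=378282246310005;exp=0321;amt=118.00\n"
        "rec=3;pan=5500********0004;exp=0919;amt=9.50\n", 400),
    "2018-12-20/trans.log": ("rec=1;pan=5500000000000004;exp=0919;amt=31.25\n", 30),
    "2018-12-21/gift.xml": (
        "<gift card=\"6006491234567890\" ts=\"20181221123045\" order=\"4000000000000000\"/>\n", 29),
}


def build_sample_dir() -> str:
    """Write the constructed sample files into a temp directory with back-dated mtimes."""
    root = tempfile.mkdtemp(prefix="pos_scan_")
    for rel, (text, age_days) in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        mtime = time.time() - age_days * 86400
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    for f in scan_dir(build_sample_dir(), retention_days=90):
        flag = "PAST RETENTION" if f.past_retention else "within retention"
        print(f"{f.path}: {f.pan_count} unmasked PAN(s), {f.age_days:.0f} days old, {flag}")
```

Run it against the back-of-house log directory on a schedule that is independent of the purge job itself; any finding marked past retention means the purge is not doing its job, and a rising count of findings over time is the missing monitoring signal the talk describes.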