How secure are Ziosk and other pay-at-table systems?

« Other questions

Many restaurants in Pittsburgh, PA are using Ziosk or similar mobile POS. This permits the customer to notify waitress, play games, display menu items and payment. They said they are doing this to help reduce identity/credit card theft.

But how secure are these wireless “pay at the table” systems?

  • You must to post comments

As it’s wireless, there’s possibility for intercept. From a distance. Wifi equipment (assuming it’s wifi) is reasonably common.

This will ofc require the encryption key to make any sense of captured data.

To assume this is WPA2, typically if the device isn’t succeptible to a tool like reaver, which can deliver a key in optimum conditions in about ten min, then you can forcfully deauthenticate the victim from the AP and sample the handshake as it connects. Once you’ve a good sample of the 4-way handshake you can take that away with you and brute force this at your leasure.

With “modern” GPU’s sporting thousands of cores using them for precalc on the hash means it’s feasible with common household hardware to do this in a few hours, if the pass is short enough. A good graphics card combined with a reasonably fast processor should be able to hit speeds of 100,000+ keys per second.

A casul glance didn’t reveal any specific exploits or vulnerabilities for the ziosk, but there’s always potential for zero day.

I did however find something “interesting” in the comments on:

I’m not sure if the card breaches are related to ziosk. It could of occurred on the POS system the readers connect to. There’s a lot of places, and methods, to attack such a system.

It would also appear that it’s performing some sort of spyware role, additionally : “Ziosk is using a range of Microsoft data and cloud technologies for big-data processing, predictive analytics, and end-user visualization.”

Ultimate solution: Pay cash.

  • You must to post comments
Showing 1 result
Your Answer

Please first to submit.