KALYPTO (IN)SECURITY

Research, demonstrations, and popcorn

Hacking Chili’s ZIOSKs (Not just Chili’s)

Background:

In 2013 Chili’s and Applebee’s started installing ZIOSK tablets at all of their restaurants.  These tablets allow patrons to order, request drink re-fills, view the menu, view websites, and pay the bill.  These little tablets are a good way to give patrons a little more control over their end-of-dinner timing and get out of the restaurant faster.  These tablets also allow the restaurants to make a couple more bucks on selling access to the games.  This new option is a win-win for the customers and the restaurants.  In 2014 these tablets were rolled out to Olive Garden as well.

What I Found:

I had not been to a Chili’s since they introduced these tablets until April 2014.  Being the ADHD, geek, and meddler that I am, I started playing with the kiosk immediately.  The main screen is a scrolling screen that allows you to access the menu, games, android applications, and websites.

Ziosk_Main_Screen

If you look closely, everything on the main screen is either displaying something useful or a button to access a section of the menu or offerings.  Everything except the table number in the bottom right corner is useful.

Anyone that visited a BestBuy over the last ten years remembers the software BestBuy uses on their computers to keep people from messing with the display models too much.  With their software, you access the admin menu by double-clicking the software version that was displayed in the corner.  After clicking on that, the administration window for disabling the software popped up.

Turns out these little tablets work the same way.  Double-tap on the table menu and a login window pops up.

Ziosk_Login_Screen

Once again, being the meddler that I am… I instantly started trying to get past the login prompt. As it turned out, it was actually pretty easy.  First I tried four zeroes, blank, and admin.  Those three didn’t work.  I thought about the fact that thousands of these tablets were sent out to all the stores at once.  No lazy company is going to take the time to setup individual passwords that are either hard to remember or take too long to enter.  So, what is the most logical password that could be unique to each store?  The store number.

As it turns out, the payment application on these tablets does not handle split checks in larger multi-table parties well.  So, I ended up getting a paper bill instead.

Chilis_Reciept

Lucky for me, I didn’t even have to ask the waiter the store number.  He probably would have thought that was an odd question to ask anyway.  It happened that they print the password right on the receipt for me.

Entering the store number of 1282 dropped me right in to the configuration screen.

Ziosk_Admin_Screen

Unfortunately, my ethics prevented me from messing with it beyond this point, but it sure was fun playing with it.

When I got home I emailed Brinker International (the company that owns Chili’s, Olive Garden, and several other chains).  I let them know what I had found and how easy it was to mess with their POS system.  A couple days later I was contacted by Ashley from Brinker.  She let me know that she had forwarded my information over to ZIOSK.

Craig from ZIOSK reached out to me and requested I hold off on posting any articles about my findings until they had the opportunity to update their kiosks.  He was extremely nice and was willing to listen to my input and suggestions.  I wish more companies looked at people like me with that kind of an open mind.  Being willing to listen is key to success.

It took five months, but they finally updated their kiosks.  Craig sent me a gift card to go out to Chili’s with some friends and hack around on the new firmware.  I was able to get to the information screen by double-taping on the table number again, but there is no longer a login prompt.

I have been back several times since the update was done and have yet to figure out how to get to the configuration screen.  The best I can tell is they followed the security standard of “something you have and something you know.”  So, my hope is that they have a special card that has to be swiped in the credit card reader before you can login to the configuration screen now.

Much like my interactions with Alienware, Brinker and ZIOSK did exactly what all companies should do in cases like this.  Be courteous, respectful, and listen to input.  Reacting with hostility or threats of law suits just makes people not want to help you close holes that could have devastating financial results for the company.

adminchilisconfigurtioncraigresearchziosk

Kalypto • January 18, 2015


Previous Post

Next Post