Hacking Retail Hardware
by dual_parallel (dual_parallel@hotmail.com)
These hacks deal with retail systems: customer-operated and Point of Sale (POS) hardware. Actually, these hacks are the beginnings of hacks; all key presses and codes were discovered one time through a line.
The first piece of POS hardware is the VeriFone PINPad 1000 (Part No. P003-116-09).
The PINPad utilizes Derived Unique Key Per Transaction (DUKPT) or Master/Session key management.
This simple hack deals with the Master/Session management technique. A master key resides in the pad and a session key is generated for each transaction, ensuring accuracy.
To access the master key, press the four corner buttons simultaneously: 1, 3, CLEAR, and ENTER.
WHICH MKEY? appears.
Enter any number and ENTER OLD MKEY appears.
The next step in PINPad exploration would be social engineering the number of digits in the MKEY or the MKEY itself, either from the establishment or a VeriFone vendor. Brute-force would be pretty difficult without knowing how many digits comprised an MKEY.
The next piece of POS hardware is the PIN pad at every register of your favorite store, Walmart. (These PIN pads see a lot of action with a Walmart opening every two business days.)
Access the not-to-be-seen screens by pressing the top-left arrow button and bottom-right ENTER button simultaneously. You'll get:
    CM2001I 256k V1.40 SM V5.4
and then:
    Enter password
The ever-popular 1234 begets:
    Validating app
then:
    EFT prog: 0028 EFT parm: 0032
Hitting the CANCEL button after the password prompt shows the following info:
    Program Release WALUSA1 1.42
The pad resets quickly, so the order of the data might not be correct. In fact, I don't know what any of this data means.
The final hack is akin to owning a CreateaCard machine.
At your local Sears Watch Service, you might find a touch screen terminal called QuickScribe, by Axxess Technologies. This is a consumer-operated terminal that personalizes, by engraving, trinkets and gifts. Upon first inspection, you'll notice the telltale signs of Microsoft: a grayed-out scrollbar and the bottom of a Windows title bar. So with a little time, you're sure to own this box.
Start by grabbing the screen with both hands, thumbs at each top corner. Now press the top corners simultaneously, quickly, and repeatedly. (Hey, it worked for me.) You should get a white screen with four 0-9 numeric keypads, begging for you to enter the four-digit pass code.
With 10^4 possibilities, start with the obvious. 1234 didn't work, but 1111 did. This brought up the best screen of all: a white screen appeared with PRIVILEGED ACTIVITIES across the top. Sounds good. The commands under it were:
    View Log Files (Details)
    View Log Files (Summary)
    Engraver Utilities
    Change Stock
    Change Peripheral Configuration (future)
    Modify Site Specific Data (future)
    Run Diagnostics (future)
    Complete Problem Report (future)
    Capture Data
    Merchant Summary Report
    Restart Application
The last command will get you what you want - the NT desktop.
Touch Restart Application and the desktop will appear. Quickly pop up the Start menu and it should persist as the QuickScribe app restarts. From here you can do as you please.
(Axxess Technologies has another line of engraving machines called PetScribe, targeted at the pet owner market.)
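The service passcodes above fell to the first obvious guesses, 1234 and 1111, out of a 10^4 keyspace. As an added example (not from the original article and not any vendor's code), this is a check a terminal's service menu could apply: refuse trivially guessable four-digit codes when one is set, and lock the menu after repeated failures. The function and class names, the weak-code rules and the five-attempt limit are all assumptions.

```python
# Added example; all names, rules and limits here are assumptions.
import hmac
from typing import Optional

KEYSPACE = 10 ** 4      # four digits: 0000-9999
MAX_FAILURES = 5        # assumed lockout threshold


def weak_reason(code: str) -> Optional[str]:
    """Say why a four-digit code is trivially guessable, or None if it passes."""
    if len(code) != 4 or not (code.isascii() and code.isdigit()):
        return "not four digits"
    d = [int(c) for c in code]
    if len(set(d)) == 1:
        return "repeated digit"        # 1111, 0000, ...
    steps = {(b - a) % 10 for a, b in zip(d, d[1:])}
    if steps in ({1}, {9}):
        return "sequential run"        # 1234, 4321, 7890, ...
    if d[:2] == d[2:]:
        return "repeated pair"         # 1212, 4747, ...
    return None


def count_weak() -> int:
    """Number of codes in the keyspace that the policy rejects."""
    return sum(weak_reason(f"{n:04d}") is not None for n in range(KEYSPACE))


class ServiceMenuGate:
    """Passcode check that refuses weak codes and locks after repeated failures."""

    def __init__(self, code: str):
        reason = weak_reason(code)
        if reason:
            raise ValueError(f"refusing passcode: {reason}")
        self._code = code
        self.failures = 0

    def try_unlock(self, attempt: str) -> bool:
        if self.failures >= MAX_FAILURES:
            return False               # stays locked until reset out of band
        if hmac.compare_digest(attempt.encode(), self._code.encode()):
            self.failures = 0
            return True
        self.failures += 1
        return False

    def guess_bound(self) -> float:
        """Upper bound on a blind guesser's success chance before lockout."""
        return MAX_FAILURES / (KEYSPACE - count_weak())
```

With these rules 120 of the 10,000 codes are refused, and a blind guesser gets at most five tries against the remaining 9,880 before the menu locks.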
To further your exploration into the devices of capitalism (including default passcodes), check out the FAQs at www.magtek.com. And share your experience and knowledge with others.
(Thank you Luscious.)