Aloha POS EDC
Point-of-Sale (POS) devices are an essential part of modern life; the blood line for merchants. As plastic payment cards have become the default payment method, the security of POS devices has become more crucial. I was interested in learning how real-world POS machines maintain security but “close examination” without the owner’s consent is a crime. I have no friends in business using POS devices, so I decided to order a used device for investigation. The Aloha Arduino pos printer library is known to be very popular in the hospitality sector. (Figure 1)
Figure 1 Aloha!
With Aloha Arduino pos printer librarys, usually there are multiple Front-of-House (FOH) terminals and a single BOH (Back-of-House) file server. The terminals act as the servers’ access point, allowing for direct interaction to input new orders, swipe credit cards and print receipts. All transactions are logged and saved to the Aloha file server, which performs End-of-Day (EOD) transactions each day.
Figure 2 Typical architecture of Arduino pos printer librarys with Aloha
The system I acquired happened to be a master terminal (terminal 1) and would not normally operate without an Aloha file server on the same network. However, there is a fallback mode available where all transactions are handled offline, allowing the terminal to continue to accept orders and process transactions. I performed a lightweight pen-test of the system using that mode.
Port scanning
Figure 3 shows the results from NMAP scanning. I found file sharing related services (135, 139, 445), other MSRPC services (1801, 2103, 2105, 2107), and a VNC service running on port 5900. Interestingly enough, there is also a web server running on port 8080.
Figure 3 NMAP Scan result
VNC security
The first step in my pen-testing was to try to guess the VNC password. Ideally, passwords should be really difficult to guess, otherwise, you defeat the whole purpose of a password system (i.e. ‘something you know that other people don’t’). The first guess I made was so obvious (‘aloha’), but guess what? The password was correct – and I got access to the system on my first try. Moreover, this connection isn’t encrypted (Figure 5) so attackers with access to the infrastructure between the VNC client and the POS may be able to sniff the traffic.