Aloha point-of-sale terminal, sold on eBay, yields security surprises

An HP researcher's findings highlight ongoing problems with POS software and hardware

Matt Oh, senior malware researcher with HP Security Research

Matt Oh, a senior malware researcher with HP, recently bought a single Aloha point-of-sale terminal -- a brand of computerized cash register widely used in the hospitality industry -- on eBay for US$200.

Oh found an eye-opening mix of default passwords, at least one security flaw and a leftover database containing the names, addresses, Social Security numbers and phone numbers of employees who had access to the system.

His findings have received a fair amount of attention due to the role of such systems in high-profile data breaches at retailers including Target, Neiman Marcus and Michaels.

"What we found was that the overall state of security of the system was very poor," he wrote in a blog post describing his analysis.

Even second-hand POS systems aren't cheap, so it's unlikely that cybercriminals would spend hundreds of dollars on a chance that a few contain personal data.

But Oh's research illustrates the security issues facing the hospitality industry, beset by outdated POS systems which it sometimes cannot afford to update.

Oh answered questions about his findings with IDG News Service via email because he has not finished media training required by HP.

He wrote that companies don't appear to be paying enough attention to security issues with their POS terminals, and that older systems, which may not be as secure, are often still in use. Unknown software vulnerabilities also pose a risk.

"There are a lot of POS terminals out there, and we don't know how many of them are vulnerable to simple attacks," he wrote by email.

The Aloha POS system is sold by NCR, which brought it under its wing with its acquisition of Radiant Systems in July 2011 for $1.2 billion. It is one of the most popular systems in the hospitality industry behind those of Micros Systems, which Oracle bought last month for $5.3 billion.

POS systems may seem like glorified electronic cash registers but they're actually closer to ERP systems, tracking inventory, logging employee actions and handling other management functions, said Joseph Snell, CEO of Viableware, a Kirkland, Washington, company.

Snell has had a lot of conversations with companies about POS systems. His company sells a product called Rail Pay, which integrates with POS systems and is designed to speed up settling a bill at a restaurant.

Some smaller businesses he's seen could not be compliant with the Payment Card Industry's Data Security Standard (PCI-DSS) without upgrading their systems, Snell said. PCI-DSS is a set of security recommendations mandated by Visa and MasterCard for businesses processing payment cards.

The restaurant business is low-margin and highly competitive, which impacts spending on technology such as POS systems. "You can freely spend yourself out of business," Snell said.

Second-hand POS systems on eBay, for example, may offer a cheaper alternative to new equipment, but pose a risk of acquiring out-of-date software or systems with longstanding security weaknesses.

Even deep-pocketed companies are finding it increasingly difficult to keep hackers out of their POS systems.

Target, Neiman Marcus and Michaels said their POS systems were infiltrated by hackers, illustrating how intruders are still finding weaknesses in well-maintained systems.

Target's breach, in which it lost details of 40 million payment cards and 70 million other personal records, was attributed in part to malicious software called a "RAM scraper." The malware collects unencrypted card details from a computer's memory just after a card is swiped.

POS systems have long been a mysterious area for security researchers due to their pricey hardware and software, Oh said.

From the system he bought on eBay, Oh analyzed an application called "Aloha Table Service 5.3.24," which bore a copyright notice of Radiant Systems from the 1990s.

The software ran on a slimmed-down version of Microsoft's Windows XP operating system for "embedded" devices such as POS terminals. The last time Windows security updates were applied was around March 2007.

Oh said a business was using the Aloha device "less than a few months ago" even though it is years old.

He also found a memory-related problem known as a "heap overflow" within a component called the Aloha Durable Messaging Service, which shuttles information between front-end and back-end systems.

If exploited, the heap overflow "could provide an attacker with full system level control of the target system," he wrote via email.

POS systems are generally supposed to be segregated from the Internet. But restaurants often make configuration errors, such as not properly isolating them from the free guest Wi-Fi, providing a possible point of entry into the network.

That would "present a big problem -- a vulnerable XP machine waiting for remote attack," Oh wrote.

NCR public relations officials did not respond to repeated requests for comment. But Snell said NCR appears to have made a great effort to shore up security since it bought Radiant.

Snell said Viableware demonstrated its Rail Pay system around the end of 2011 to P.F. Chang's China Bistro, a restaurant chain that disclosed a credit and debit card breach last month.

The company used the Aloha software, Snell said, but a P.F. Chang's spokeswoman declined to confirm it.

However, P.F. Chang's was listed as a customer of Radiant Systems in an SEC filing in March 2011, a few months before Radiant's acquisition by NCR.

Snell said his conversations with senior executives at P.F. Chang's gave him the impression the company was technically competent when it came to POS security.

But he added, "They had a hole in their armor, and an arrow went right through it."

P.F. Chang's said on July 1 the breach remains under investigation. The company temporarily shut down its POS system and switched to an old-style manual imprinting system for processing payment cards to prevent further damage.

Since then, it has provided its U.S. restaurants with "an encryption-enabled terminal to securely process credit and debit card information," wrote CEO Rick Federico.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Tags: HP, NCR, Viableware, security, data breach, malware

Jeremy Kirk

IDG News Service