Risky business: Remote Desktop opened the door for Aloha hackers
When nine restaurants in Louisiana and Mississippi filed lawsuits against Radiant Systems and its Louisiana distributor, they may have represented only the tip of a substantial iceberg of hacks affecting restaurants that used Radiant Systems’ Aloha POS system. It seems that the scope of the problem is first coming to the public’s attention approximately one and a half years after the hacking incidents started.
Breaches in Other Parts of the Country
During a two-month period in late 2008, a Spicy Pickle franchise in Michigan was hacked and 150 customers’ card data were stolen and misused. The franchise closed in June 2009, reportedly unable to recover from the loss of customer confidence after the breach. At around the same time in 2008, Ted’s Cafe Escondido in Oklahoma also reported being hacked. Although both breaches were reported at the time on PogoWasRight.org, the POS system they were using was not reported in the media. Unbeknownst to me at the time, a forum member on FoodService.com commented on both breaches by noting both restaurants used the Aloha system. There was no indication in the forum member’s report, however, as to whether the restaurants had removed any remote access software that was suspected of creating the vulnerability to hacks or whether the restaurants had used commercial grade firewalls.
Hacks Started in Early 2008
Also flying completely under my radar at the time, in December 2008, WKZO News reported this about the Spicy Pickle hack:
Co-owner Terry Henderson says the FBI’s been investigating fraud cases across the country for seven months and they were just the latest victims.
“There’s a similar thread to all of it and it keeps leading to one particular software manufacturer,” says Henderson, adding that he’s not at liberty to say which manufacturer that is. “It’s a popular software that’s used by thousands of restaurants throughout the country.”
Continuing to work backwards to see what else I had missed, I found that in August 2008, WAFB and the Associated Press had reported that a rash of hacks involving Louisiana restaurants began in March 2008. And although Aloha’s name did not appear in any media reports on affected restaurants, when the Secret Service met with Louisiana restauranteurs in August 2008, they may have specifically mentioned the Aloha system. Another poster on the FoodServices.com forum wrote on August 19, 2008:
I spoke to someone who attended the meeting outlined in the Associated Press article. The meeting was set up by the Lousiana (sic) Restaurant Association and was attended by the Secret Service agent on the case, a US Attorney and a represtative (sic) from Visa. During the meeting it was presented that the 15 breaches occured (sic) were all Aloha POS systems. It was stated that he hackers were able to breach the systems as the Remote support software were all using the same User Name and Password (this is against PCI requirements). The hackers installed a “sniffer” program that would capture credit card data on the Local LAN (ie private network).
So it seems as if suspicions about Aloha were being raised over a year ago but were not specifically mentioned in media coverage.
In August 2008, within days of the Secret Service and Visa representatives meeting with Louisiana restauranteurs, Aloha sent a data security alert to its customers. The alert said, in part:
Radiant Systems has been working with Visa on an emerging issue that could cause POS systems to be compromised. The specific vulnerability is related to Remote Desktop being enabled on BOH servers, POS terminals, and routers, which may allow intruders to gain access to POS systems. Once intruders gain access they could install malware such as packet sniffers to capture card holder data. Remote access to POS systems is critical to supporting sites, but can also provide a method for unauthorized users to obtain access to systems and potentially sensitive credit card data. Configuring and managing access to POS systems is extremely important.
The alert then provided specific steps Aloha clients should take to configure their systems securely including:
- Disable Remote Desktop on routers, BOH servers, and POS terminals, if this remote access tool is not used to
support the site.
- Use Command Center as the single means of remote access for Aloha POS systems to ensure the highest level of site security. Command Center has a number of inherent features that significantly increase your ability to support sites, and also significantly decrease the risks associated with accessing sites.
Alternative measures were described for those who chose to leave remote access tools enabled.
Their alert may well have prevented more restaurants from being hacked, but may be small comfort to the allegedly many restaurants who had already suffered hacks resulting in lost business, fines by Visa and Mastercard, and the cost of forensic audits and IT consultants. Whether the juries will agree with the restaurant-plaintiffs or with Radiant Systems remains to be seen, but it would seem that some jurors are in for a real earful on security.