Even Restaurants Need InfoSec

by lg0p89

Recently I attended GrrCON, an InfoSec conference in Grand Rapids, Michigan.

(Incidentally, this is one of the best InfoSec cons in the Midwest with varied talks and subject matter.)

While there, the group visited a local Chinese restaurant.  This had the usual layout.  As we walked in, the WAPs were rather conspicuous, so we knew there was Wi-Fi.

There was no posting that you see at other establishments stating "The Wi-Fi password is xxxxxx."  A quick look from the phone showed the Wi-Fi present and visible.

From here, the manufacturer and model were researched for the specifications and potential default password.  The default password and generic guesses were attempted (e.g. admin, the restaurant name, etc.) to no avail.

To get where we needed to be, a smidgen of social engineering was required.  The waitress was asked for the password, which was probably not for the public's use.  Initially, she asked for my phone to key in the passcode.  Gingerly, I told her with a smile, "I never give out my phone."

I was a bit surprised to be asked to give my phone to a stranger to take to parts unknown in the restaurant to input the passcode and who knows what else.

The waitress volunteered, as she wanted to be very helpful, to write down the code for me.  A few moments later, she dropped off a napkin with the passcode (AF20171998) nicely written out.  The napkin happened to be passed to a few others in the group.

The protocol for the passcode appeared to be possibly the owner's initials, the current year, and possibly the year the restaurant started.

From here, we were able to review the Wi-Fi IP, BSSID, local address, and what devices were on their network.

Curiously and sadly, the restaurant's Wi-Fi was using WEP, still.  The devices on it included the server, stations where the waitresses would input the orders, the cashier's station (presumably the device used to run the credit cards), the cashier's iPad, and several other devices not nearly as exciting.

A quick scan of the server showed the open ports and services.  These included the Microsoft-DS (SMB directly over IP) and the MS-SQL-S (Microsoft SQL Server), among other services easily and quickly seen.

This is not an unusual occurrence in small- and, at times, medium-sized businesses in America.  The small business owner, not knowing any better and not having the capital to purchase professional services, simply goes to the Big Box store to purchase items and try their best to install these or, better yet, have their cousin try.

The results tend to be less than optimal (a.k.a. poor, and requiring an amazingly insignificant effort to take advantage of, for those in the field).

In this specific case, there were correct and incorrect protocols observed in this installation and procedure.

Correct

Although this was a rather disheartening chain of events, there were a few items that were of a more positive nature.

Granted, there was Wi-Fi present, as anyone with a simple smart phone could tell with ease.  The fact the restaurant management did not publicize this at the front of the restaurant as the patrons walked in was a good thing.  Once you have this out in the open, the restaurant is manually beaconing its existence and handing out a welcome card to the curious.

Without a slight sprinkle of social engineering, the Wi-Fi may be seen, but generally not entered, much like a massive wooden door on the front of a mansion.  You can see the building and door, but you don't know what is on the other side.

Also a positive is the fact that the password itself did not appear to be static.  From the naming protocol, it appears that the year would change annually.  Although this is only an annual update, it's clearly better than nothing.
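How much guessing space the naming scheme described above leaves can be measured directly.  The following is an added example, not part of the original article; the function name, the 1950-2030 year window, and the one-to-four-letter prefix are assumptions made for illustration.

```python
import math
import re

# Assumed window for "current year" / "founding year" style fields.
YEAR_MIN, YEAR_MAX = 1950, 2030

def analyze_passcode(passcode):
    """Report the WEP key format and structural weakness of a Wi-Fi passcode."""
    report = {"wep_key_format": None, "pattern": None,
              "structured_bits": None, "random_bits": None}

    # WEP only accepts fixed-length keys: 10 or 26 hex digits (WEP-40/104),
    # or 5 or 13 ASCII characters.
    if re.fullmatch(r"[0-9A-Fa-f]{10}", passcode):
        report["wep_key_format"] = "WEP-40 hex"
    elif re.fullmatch(r"[0-9A-Fa-f]{26}", passcode):
        report["wep_key_format"] = "WEP-104 hex"
    elif len(passcode) in (5, 13):
        report["wep_key_format"] = "WEP ASCII"

    # Letters followed by four-digit groups that all fall in the year window.
    m = re.fullmatch(r"([A-Za-z]{1,4})((?:\d{4})+)", passcode)
    if m:
        letters, digits = m.groups()
        years = [int(digits[i:i + 4]) for i in range(0, len(digits), 4)]
        if all(YEAR_MIN <= y <= YEAR_MAX for y in years):
            report["pattern"] = "initials+years"
            span = YEAR_MAX - YEAR_MIN + 1
            space = (26 ** len(letters)) * (span ** len(years))
            report["structured_bits"] = round(math.log2(space), 1)

    # Ceiling if every character were random: hex alphabet for a WEP hex key,
    # otherwise A-Z plus 0-9.
    hex_key = report["wep_key_format"] in ("WEP-40 hex", "WEP-104 hex")
    alphabet = 16 if hex_key else 36
    report["random_bits"] = round(len(passcode) * math.log2(alphabet), 1)
    return report

# The passcode quoted in the article.
RESULT = analyze_passcode("AF20171998")
```

For the napkin passcode this reports a 10-hex-digit WEP-40 key whose initials-plus-years structure carries about 22 bits, against a 40-bit ceiling for a random key of the same format.  Changing one year field annually does not widen that space.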

Those are two of the positive points.  Alternatively, there are a few ways they could have improved the situation so they would not be as vulnerable to the InfoSec public.

Incorrect

Although the food was good, the security, unfortunately, was not.

The patron/guest network really should be separate from the business network.  When you allow the guests access to your network where your business hardware is located, such as a waitress station where they enter the food orders, there may be an issue if someone is bored and has rudimentary equipment.  As a business owner, you are asking for a problem.  Don't do it.

Let's say you don't want people connecting to the Wi-Fi.

Don't give out the passcode.  It is simply that simple.  As a small business owner, you probably don't want me connecting to the Wi-Fi when you have everything else connected.

Last, but certainly not least, keep your Wi-Fi protocols up to date.

This does not need to be the cutting edge and it doesn't mean adopting everything just as it comes out.  If you want, just wait a bit until any potential issues have been vetted by the community at large.

In this case, WEP was being fully implemented for not only the restaurant, but anyone connecting to the Wi-Fi.  There is no need to expand on the inadequacies of WEP at this point.  What is pertinent, however, is that WPA2 should have been in place and used, if not for the welfare of the patrons, then for the restaurant's operations and welfare.

With the rudimentary issues resolved, and without taking a massive amount of time, energy, or expense, security could have been applied to at least a baseline level.

Even with this in place, the establishment would be a bit more secure and less likely to be popped, along with the customers' Personally Identifiable Information (PII).

In Closing...

If you are a small business, or if you consult with small businesses, please make sure their technology is relatively up to date.

Without this covered, the business will be at risk.
