Hacking Retail Hardware (Autumn, 2001)
--------------------------------------

By dual_parallel

These hacks deal with retail systems: customer-operated and point-of-sale (POS) hardware. Actually, these hacks are the beginnings of hacks; all key presses and codes were discovered one time through a line.

The first piece of POS hardware is the VeriFone PinPad 1000. The PinPad utilizes derived unique key per transaction (DUKPT) or Master/Session key management. This simple hack deals with the Master/Session management technique. A master key resides in the pad and a session key is generated for each transaction, ensuring accuracy.

To access the master key, press the four corner buttons simultaneously - 1, 3, CLEAR, and ENTER. "WHICH MKEY?" appears. Enter any number and "ENTER OLD MKEY" appears.

The next step in PinPad exploration would be social engineering the number of digits in the Mkey or the Mkey itself, either from the establishment or a VeriFone vendor. Brute force would be pretty difficult without knowing how many digits comprised an Mkey.

The next piece of POS hardware is the pin pad at every register of your favorite store, Wal-Mart. (These pin pads see a lot of action with a Wal-Mart opening every two business days.) Access the not-to-be-seen screens by pressing the top left arrow button and bottom right ENTER button simultaneously. You'll get:

    CM2001I 256k V1.40 SM V5.4

and then:

    Enter password...

The ever-popular 1234 begets:

    Validating app...

then:

    EFT prog: 0028 EFT parm: 0032

Hitting the red CANCEL button after the password prompt shows the following info:

    Program Release WALUSA1 1.42

The pad resets quickly, so the order of the data might not be correct. In fact, I don't know what any of this data means.

The final hack is akin to owning a Create-A-Card machine. At your local Sears Watch Service, you might find a touch screen terminal called Quick-Scribe, by Axxess Technologies. This is a consumer-operated terminal that personalizes, by engraving, trinkets and gifts. Upon first inspection, you'll notice the telltale signs of Microsoft: a grayed-out scrollbar and the bottom of a Windows title bar. So with a little time, you're sure to own this box.

Start by grabbing the screen with both hands, thumbs at each top corner. Now press the top corners simultaneously, quickly, and repeatedly. (Hey, it worked for me.) You should get a white screen with four 0-9 numeric keypads, begging for you to enter the four-digit pass code. With 10^4 possibilities, start with the obvious. "1234" didn't work, but "1111" did.

This brought up the best screen of all - a white screen appeared with "PRIVILEGED ACTIVITIES" across the top. Sounds good. The commands under it were:

* View Log Files (Details)
* View Log Files (Summary)
* Engraver Utilities
* Change Stock
* Change Peripheral Configuration (future)
* Modify Site Specific Data (future)
* Run Diagnostics (future)
* Complete Problem Report (future)
* Capture Data
* Merchant Summary Report
* Restart Application

The last command will get you what you want - the NT desktop. Touch Restart Application and the desktop will appear. Quickly pop up the Start menu and it should persist as the Quick-Scribe app restarts. From here you can do as you please.

(Axxess Technologies has another line of engraving machines called Quick-Tag, targeted at the pet owner market.)

(Thank you, Luscious.)