Jailbreaking a Restaurant Online Order Terminal with a Simple NFC Card
Mononymous hacker Marcel shows how an off-the-shelf order terminal can be turned into a standard Android tablet in one easy step.
Mononymous security researcher Marcel, of MGD Productions, has shown how an off-the-shelf locked-down terminal used for online restaurant ordering can be jailbroken — with a simple Near-Field Communication (NFC) card.
"I found this one on a local marketplace for $25, so I immediately snagged it up," Marcel explains of the T-Connect, a desktop tablet used by Takeaway.com and Just Eat for restaurants to handle online orders. "After it booted up, it showed an activation screen. Looks like the previous owner has logged out. We can't do much from this screen, either call the number to activate it, or go to the Wi-Fi settings. Since I don't own a restaurant (shocker, I know) I am sure that they will refuse to activate this, so Wi-Fi settings it is!"
Accessing the Wi-Fi configuration menu brings up a screen that will be familiar to anyone who has used embedded devices built on Google's Android, which gave Marcel a few ideas for how to bypass the login screen. Sadly, while the Wi-Fi menu provides access to a file picker for the installation of a certificate file, it proved a dead end — as did attempts to connect the device to a captive portal.
Investigating the hardware revealed two USB ports, an Ethernet port, an antenna connection, and a power input. Connecting a keyboard and using Alt-Tab brought up Android's app switcher, which in turn allowed Marcel to discover the version of Android on the device: the somewhat outdated Android 6. Internal investigation unveiled debug pins that could prove useful, but Marcel spotted something else of interest: an NFC reader.
"I tried to Android Beam some things over and it actually did pick it up and beamed the file over," Marcel says, "however I still couldn't use them because I didn't have access to a full file picker. Then, 130km.ro on XDA [Developers forum] found out that NFC tags work to open an app? I never heard of this before but apparently, yes, it is possible to make an NFC card open any app you want!"
Writing a card to access the full Android Settings app, Marcel was able to disable kiosk mode and restore the Android status bar and navigation bar. Initial attempts to install custom software failed with an error, which required additional investigation — revealing the hidden presence of the file manager from the CyanogenMod third-party Android ROM project, which proved able to install any app straight from an APK.
Marcel's final discovery: a hard-coded PIN that can be entered by tapping the screen at the bottom-left four times, which provides an administration menu to unlock the tablet — no NFC card required.
The full write-up is available on the MGD Productions blog.