A lesson on taking me in public.

IRLDOSSAYWHA?

So this is why you just can't take me anywhere in public.

I get bored, stare at something electronic, and have this urge to see if I can break it. I call this, IRLDOS. At first glance, the term may remind you of "In Real Life Disk Operating System," which would send shivers down anyone's spine. Not to worry, as this is not the case. This is just a little fun down at the local Target store.

This is instead me trying to see if I can break it, and if I can, see what else I can do with it.

Most see price a checking thingy-ma-bob, I see a toy.

 

        

Clear and enter? Sounds like access control.

You may notice the buttons on the side: 1-9, 0, Clear, and Enter.

For something that doesn't need the user to physically touch the device, that sure is a lot of buttons

Sure, Trent.

So here you can see that there a four more buttons: A, B, C, D. No, I didn't remove the B.

Try not to look obvious.

Holding down A and D at the same time gives you this, a password prompt.

All numbers AND letters.

Oh look, all the buttons are used for password entry.

ERROR

Three wrong guesses and it goes to this screen for a few seconds, and then passes to the home screen. This might mean that it has a failed login attempt list. This could mean that it has storage on the device, or it phones home to a server.

Hint: You'd find more info on your target. No pun intended.

Now what would happen if I put "uniComp" into the Google Machine?

It even tells me what terminal on the switch!

I found this at another Target in the area.

NONE SHALL....oh ok...go ahead.

It was well guarded by clothes.

I was able to confirm that the unit loses power when unplugging the ethernet. Thus that suggests it is POE. The password? Well, I don't know, I haven't actually tried Googling "uniComp" or "uniComp+User+Manual" or "uniComp+Default+Password." Hell, social engineering might work, try a general manager or something. Why not try the store number?

Now who said you can't hack things when you are poor, use the world around you!

So... now what?
Well, this machine's behavior is much like that of a computer. Most of these devices are run by computers that are much like the one you are reading this on. They are connected in a network of computers that control other things too. Like the cash registers. (Don't do that)
So what if we hypothetically get the password right, we explore the device, learn to make it do my bidding (pop a shell, preferably as a super user, or as some default name like root, admin, or even a back door account with default password still being used like "UniComp") ((This kind of stuff really happens, but like I said, that's as far as I have explored above))
That being said here's a scenario:
This type of machine checks pricing. This means that it is database driven. It is highly possible that there is other data on the same database server, like: sales records specific to that store, sales records for that area, maybe even sales records for the entire chain of stores. How do I make these conclusions? Easy, these types of things are connected to inventory control databases, to check pricing and inventory. Even if i couldn't get to that data (due to a password I can't crack) I can still write my own program to analyze what is being bought, maybe even across their network. I can then use either pricing info (checking every conceivable item in the database), or maybe even access to how often they need to order back stock. You know those wireless things the store managers wield? Think of those as something else that queries the same database (or another possible attack vector). If you can get that info, you can get a pretty great idea of the kind of info competitors would want.

That little device right there, bought by the company to help customers could possibly be used for straight up corporate espionage. Nifty, eh? Don't you just love our technology driven world?