For years, McDonald’s has an ordering system through touch screen terminals, where we can easily choose what we want to eat, and even pay directly so that all we have to do when we go to the bar is pick up our order. The system is comfortable, although it is not uncommon to see some of these machines broken down and have to wait in long queues.

Geoff Huntley’s story with McDonald’s machines in Australia is quite curious (which by the way is the same user who created the website ‘The NFT Bay’ as a parody). And it is that according to him, these machines run Windows 7, and from their touch panel, and with a little skill, it is possible to run any application, and something even more dangerous: inject malicious code.

Terminals with Windows 7 and totally unprotected

As you know, employees have been practically replaced when placing an order inside a McDonald’s. Orders are now made through touch terminals, as we have already mentioned. While this method is quick and easy (for those used to screens), machines often fail. And in fact, according to Huntley, it is a system that depends on the paper that is in the machines to print the ticket.

CVE-2022-244622: A local unauthenticated attacker within a @McDonalds could exploit this knowledge to pop calc.exe. The default user on the terminals is Administrator and touch screen input is enabled. pic.twitter.com/uG1pXG6iYb — GEOFF 🦩🎼🌷 (@GeoffreyHuntley) July 22, 2022

The issue is complicated when there are too many orders and the paper machine to print the ticket inside these terminals runs out more quickly. And it is that according to Huntley, when this happens, McDonald’s employees choose to leave the terminal unlocked to change the role more easily. This makes the terminals are completely unprotectedand that someone clever can execute malicious code.



Imagen: Geoff Huntley

As Huntley comments, the touchscreen terminals at McDonald’s are basically computers running Windows 7 in administrator mode. In fact, in an open terminal it is possible to find USB ports, which someone could take advantage to violate the security of the establishment.

Huntley has taken advantage of this event to show how easy it is to violate one of these terminals, and the dangers that this entails. Fortunately, the only thing he has done is open the Windows calculator, but someone with less friendly intentions could hack one of these machines to get private information. Let’s not forget that a dataphone is connected to these terminals, where hundreds of people use it every day to pay for their orders.

If someone were to install malware on one of these terminals, there would be possibilities that it was done with the payment data of many clients. It would be enough to insert a USB, or enter recovery mode. In fact, as confirmed by Huntley, the terminal is responsible for installing a custom firmware for the card reader. And when user interaction is active, it would theoretically be possible to force terminals into recovery mode at startup by simply tapping on the screen.

Huntley points to two things that McDonald’s does wrong with these terminals: relying on the terminals to be physically protected so they can run in administrator mode, and persistent UI errors when placing an order, often blocking the view of the order number and create confusion for customers, causing them to take orders that are not theirs.