How To Hack a Restaurant

wh00hw
6 min read · Aug 28, 2022


Well, it’s actually a DoS attack, but it was a journey into some nerd stuff that brought me to discover how easily you can create problems for people who work honestly.

It’s a matter of hunger

I like to eat, and everything started on an ordinary lunch break. My 9–6 office job is in a big, chaotic city where nobody has time to say sorry when they bump into you… I don’t like delivery food, so I prefer to take a walk and pick it up myself. So, as usual, my pick was a famous kind of sandwich at ** ******* restaurant.

Those damn buzzers

Also known as “restaurant pagers”, they were probably created to generate mental confusion among customers and employees. That’s why, when your order is ready, they start buzzing loudly until someone pushes the button hidden under the restaurant sticker. It’s not a secret, believe me; please push that button for our ears’ sake. Anyway, I was wondering how they work: whether there was some kind of communication encryption, whether it could be sniffed, captured, emulated, and so on. Just normal thoughts.

The Flipper Zero

Here comes the cool part. Some of you have probably already heard about this evil device; it looks like a cute Tamagotchi…

but inside it hides some powerful antennas.

Thanks to the Sub-1 GHz module you can capture signals in the frequency range allowed by your region… but it’s completely open source, so thanks to @Eng1n33r for the Unleashed Firmware.

Do not try this at home

Even if this isn’t WWE, I’m not encouraging you to do what I’m describing below; it’s just a geek diary.

As soon as I got my Flipper Zero, I went to the usual restaurant to test my new cute little dolphin.

Eureka! The listener started and a bunch of signals were captured, actually a lot of them. In fact, every time a meal was ready the dolphin beeped, displaying the communication details. There’s no encryption; the Flipper recognized the protocol automatically.

So, once captured, I instantly saved them, then I tried to replay the signal and… it worked!

The buzzer started to vibrate and beep loudly as usual. During the first day I sniffed dozens of them.

Take the red pill

Going deeper, I analyzed all the captured buzzer codes.

```
Filetype: Flipper SubGhz Key File
Version: 1
Frequency: 433920000
Preset: FuriHalSubGhzPresetOok650Async
Protocol: Princeton
Bit: 24
Key: 00 00 00 00 00 17 93 20
TE: 269
```

The only difference between the captured signals is the 24-bit key. Over the following days I captured more of them and I thought…

What if I replayed them by looping through the keys?
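As an added example (not code from the article or from pyFlipper), here is a small Python parser for the Flipper SubGhz key file layout shown above, plus an inventory function that answers the question a defender would ask of such captures: are the codes static, and how small is the space they are drawn from? The sample capture reuses the key printed in the article; any second key used with it is constructed.

```python
# Added example: parse Flipper SubGhz key files (layout as in the capture above)
# and inventory a set of captures. Not the article's or pyFlipper's code.

# Constructed sample in the exact field layout of the article's capture;
# the Key value is the one printed there.
SAMPLE_CAPTURE = """Filetype: Flipper SubGhz Key File
Version: 1
Frequency: 433920000
Preset: FuriHalSubGhzPresetOok650Async
Protocol: Princeton
Bit: 24
Key: 00 00 00 00 00 17 93 20
TE: 269
"""


def parse_subghz_key_file(text):
    """Parse 'Field: value' lines into a dict; numeric fields become ints."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    if fields.get("Filetype") != "Flipper SubGhz Key File":
        raise ValueError("not a Flipper SubGhz key file")
    for numeric in ("Version", "Frequency", "Bit", "TE"):
        fields[numeric] = int(fields[numeric])
    # Key is written as 8 big-endian bytes; only the low 'Bit' bits are the code.
    fields["Key"] = int(fields["Key"].replace(" ", ""), 16)
    if fields["Key"] >> fields["Bit"]:
        raise ValueError("Key value wider than the declared Bit width")
    return fields


def inventory(capture_texts):
    """Summarise captures: distinct codes, codes seen more than once (static,
    so a recording of them replays as-is) and the size of their key space."""
    parsed = [parse_subghz_key_file(t) for t in capture_texts]
    bits = {p["Bit"] for p in parsed}
    if len(bits) != 1:
        raise ValueError("mixed bit widths; captures come from different systems")
    counts = {}
    for p in parsed:
        counts[p["Key"]] = counts.get(p["Key"], 0) + 1
    return {
        "distinct": len(counts),
        "static": sorted(k for k, n in counts.items() if n > 1),
        "key_space": 1 << bits.pop(),
    }
```

A fixed-code system with no counter or encryption shows up here as the same key recurring across captures; a rolling-code system would never repeat, which is the mitigation this inventory checks for.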

The Pizza DOS

When I was in high school, the IT teacher used to explain the denial-of-service attack to us with the pizzeria example. Suppose there is a city with only two competing pizzerias, facing each other on the same street. Both only take orders by telephone, but one has many more customers than the other. So at some point the other one decides to be evil: he starts calling the luckier pizzeria over and over to keep the line busy. Customers cannot order their favourite pizza, and they are indirectly forced to buy from him.

No pain no gain

So my goal was to perform a proof-of-concept DoS attack against the restaurant pagers using the Flipper Zero. OK, but… how? The dolphin’s firmware doesn’t implement a function that loops through and automatically sends all the signals I saved earlier. However, it does expose an interactive UART command-line interface when connected over USB.

pyFlipper

So I decided to exploit this by implementing a Python library to interact programmatically with the Flipper Zero. This library is intended to be a wrapper: it simply abstracts each existing CLI function as a Python method.

The Script

Now, thanks to pyFlipper, things are easier: I programmatically extract all the saved buzzer keys, put them in a list and send them forever in a while-true loop.

Almost done… maybe

The script works well, but can you imagine going to the restaurant with a laptop? I was looking for something stealthier. Maybe just plugging the Flipper into an Android phone via USB OTG and running the script in Termux would be enough, no?

No.

Yet another OTG USB UART Bridge

Unfortunately I cannot just plug the Flipper in via USB OTG and get the UART through /dev/ttyACM0 as I do on Linux. I would need root access for that (not tested yet), and my current smartphone is stock (by choice). The second smartphone I have is an old Redmi 4 Prime on Android 10, rooted with a custom ROM, but according to the XDA forum OTG communication doesn’t work on any custom ROM.
I came across a bunch of documentation and articles and discovered that the Android SDK lets you access the UART. So I decided, again, to write my own code.
The idea was to create a native Android app in Java. The app reads from the UART and opens a WebSocket server; any WebSocket client connected to it can read and write data through the serial port.

And it worked.

The app also works with Arduino, Raspberry Pi and any other UART device, and supports multiple connected devices at the same time.

First of all, I implemented the WebSocket client in the pyFlipper library; then I decided to release the app on the Play Store so you can take advantage of the Flipper’s functionality on Android without root.

The POC

Finally, I plugged the Flipper into the smartphone’s USB OTG port and opened the Serial2Websocket app. I started the WebSocket server on the loopback address and then launched the script in Termux as a WebSocket client.

Everything was ready and here comes the attack.

The attack was performed while the restaurant was closed, to avoid any problems.

Conclusion

The attack could be improved by brute-forcing the 24-bit key range instead of looping through the saved signals, to cover the maximum number of buzzers. However, this is enough. This journey was unintended, but thanks to it I released an open-source library that really helps the Flipper Zero community.

Curiosity is the key, sometimes a rabbit hole.
