DISCLAIMER:
Of course you shouldn’t do this without buying another cup.
Actually you shouldn’t do this at all because someone will get a non-working cup.
Introduction
This weekend we went to KFC with a bunch of friends and we were surprised to discover that the soda fountain was no longer at will. Not that I’m a fan of soda, but the system set up to limit the drinks was quite surprising/complex for a fast-food restaurant.
NB: after a little research, self-service soda fountains have been prohibited in France since January 2017.
Now in KFCs in France you need to scan your cup in order to get it filled. Of course you can do it only once; if you try to scan your cup again you will be denied.
As a tech guy, my first reflex was to scan the QR Code, without much hope of finding anything of great interest, as I expected some encrypted content.
Guess what?
WBCB;SERVICE;1;3005970;40
This is the content of the QR Code. Plain text.
The first thing that came to my mind is that:
40 was the capacity in cl of the cup (and the amount poured into it) — and I was right
3005970 was the ID of the cup — and I was almost right
My friends’ cup ID patterns were:
300597x for a 40cl cup
400xxxx for a 50cl cup
Actually, the cup ID was the last 4 digits; the first 3 digits were related to the size of the cup.
I tried to increment my ID by 1000. It didn’t work; my QR Code was denied. We tried to increment it by 80 and ... it worked!
Assumption
Maybe the KFC staff receive these cups in large boxes and they need to scan them (the boxes) in order to activate the cups. That would explain why it did not work when we incremented the id by a thousand.
Thoughts on how to protect these cups
AES Encryption 256 bit
Encrypting the QR Code content with a 256-bit secret key would certainly solve this problem. The scanner could decrypt the content without any problem or delay.
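A sketch of the scanner-side check, added here as an example and not code from KFC or from the original post. It swaps in a keyed HMAC-SHA256 tag for the AES encryption named above, because what the fountain needs to verify is that the payload was issued by the operator and not edited. The key, the tag length, the `Fountain` class and the sample codes are assumptions constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo key; real scanners would share a randomly generated secret.
SECRET_KEY = b"constructed-demo-key"
TAG_LEN = 16  # hex chars kept from the tag (assumed trade-off for QR size)


def _tag(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def issue(payload: str, key: bytes = SECRET_KEY) -> str:
    """Text to print in the QR code: the plain payload plus a keyed tag."""
    return f"{payload};{_tag(payload, key)}"


class Fountain:
    """Hypothetical scanner-side check: valid tag first, then single use."""

    def __init__(self, key: bytes = SECRET_KEY):
        self.key = key
        self.used = set()

    def scan(self, qr_text: str) -> str:
        payload, sep, tag = qr_text.rpartition(";")
        if not sep:
            return "denied: malformed"
        expected = _tag(payload, self.key)
        # Constant-time comparison of the presented and recomputed tags.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "denied: bad tag"
        if payload in self.used:
            return "denied: already used"
        self.used.add(payload)
        return f"pour {payload.rpartition(';')[2]}cl"


def demo() -> list:
    fountain = Fountain()
    real = issue("WBCB;SERVICE;1;3005970;40")  # payload format from the post
    tag = real.rsplit(";", 1)[1]
    return [
        fountain.scan(real),                                # first scan
        fountain.scan(real),                                # same cup again
        fountain.scan(f"WBCB;SERVICE;1;3006050;40;{tag}"),  # edited ID, old tag
        fountain.scan("WBCB;SERVICE;1;3006050;40"),         # no tag at all
    ]
```

With the tag in place, a code whose ID has been edited fails verification regardless of whether that ID has been activated, so the single-use list only has to track codes that were genuinely issued.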
Move the fountain behind the counter
… like in 95% of fast-food restaurants. And just serve the cups filled.