Lockdown Browser – Hacking Kiosks
Breaking into unattended and semi-attended devices should be harder than it is.
Recently McDonald's kiosks were hacked, not with any special tooling but by users simply turning the installed ordering software against itself.
One big rule: put a lot of QA effort into your unit and have people try to break it. Developers always think they have covered all the contingencies but almost never have. They defend against what they know, not against what happens in the real world.
Great video from LOL ComediaHa illustrating the over-confident developer thinking he has it all figured out, only to find out otherwise…
We also published a feature on cyber security and its implications, which you should read. We quote:
Think the risk is overblown? A recent story on ZDNet detailed how a third-party worker inserted a USB drive into a computer on a cargo ship, inadvertently planting a virus in the ship’s administrative systems.
Here is much more advice from Andrew Savala of Redswimmer
It recently came out that a McDonald's kiosk in Australia was hacked. The following video shows two young men tricking the kiosk into giving them free food.
Kiosk hacking has become commonplace in the news. In addition to the McDonald's kiosk hack, HR kiosks have recently been hacked and there have also been incidents with smart city kiosks being hacked.
Self-service kiosks are everywhere from street corners to grocery stores, and hackers are gunning for your customers' data. Payment kiosks in particular are attractive targets because cardholder data is easy to monetize.
In this article I'm going to cover several techniques for hardening your kiosk's security. Many of these hardening techniques involve functional changes to your kiosk application, so you'll need to get your developers involved.
Prevent PIN theft
It's frighteningly easy to steal someone's PIN using an iPhone and a thermal camera attachment.
Flir makes one such thermal mobile camera. The residual heat left by fingertips on the keys shows which digits were pressed and, from how far each key has cooled, often in what order, for a short while after the entry.
The following video demonstrates this technique and explains how metal PIN pads, like those commonly found on ATMs, prevent it: metal conducts the heat away almost immediately, so no readable pattern is left behind.
Password protect the BIOS
The BIOS (on current machines, UEFI) firmware comes pre-installed on a personal computer's system board, and it is the first software to run when the machine is powered on.
The BIOS setup is the first screen that can be reached when your computer boots, and it determines the boot order, among other things. From a security standpoint this matters because we don't want a hacker to reconfigure the computer to boot from a USB drive, or other media, instead of the kiosk's hard drive.
Booting from other media would let the attacker run their own operating system and tools instead of the kiosk's operating system, and read or alter the kiosk's disk. Protecting the BIOS starts with setting a supervisor password so the settings cannot be modified; also disable booting from removable and network media, disable the one-time boot menu if the firmware offers one, and enable Secure Boot. Because anyone with physical access to the board can clear the firmware password or simply pull the drive, pair this with full-disk encryption (for example BitLocker) and a locked enclosure.
Here’s a tutorial video of how-to password protect your BIOS.
Restrict keyboard input
The operating system and the browser have many keyboard shortcuts that will let an attacker exit your kiosk application and reach the desktop.
There are many such hotkeys (e.g. Ctrl+Alt+Del, the Windows key, Alt+Tab and Alt+F4 in Windows), and we want to restrict keyboard input so that none of them takes the user out of the kiosk application. Note that Ctrl+Alt+Del is a secure attention sequence handled by the OS itself: an application cannot intercept it, so what it opens (Task Manager, Lock, Switch User, Sign out) has to be removed by policy or the key combination blocked at the driver level.
Avoid the use of a physical keyboard when possible and instead opt for an on-screen keyboard with the system keys removed.
As an added layer of security, use a keyboard filter driver to filter out system hotkeys; Windows IoT Enterprise ships one as the Keyboard Filter feature.
Prevent the mouse right-click
Right-clicking the mouse opens a context menu, and some of its options can be used to close or compromise your kiosk application. This is particularly true if your kiosk is running a web browser, where the menu offers View Source, Inspect, Save As, Print and Open in New Window.
Limiting the user to the left mouse button helps mitigate this risk.
The easiest way to achieve this is to have your kiosk application filter or ignore the right click. In a browser-based kiosk that means suppressing the context-menu event, ideally in the embedded browser control itself so that page scripts cannot undo it.
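As an added example (not code from the original article or from Redswimmer), here is an in-page script a browser-based kiosk could load to implement the two sections above: it swallows the right-click context menu, the browser hotkeys that open dialogs or leave the page, and file drag-and-drop, and it neuters window.open, print and the native dialogs so stray windows never appear. It is a best-effort layer inside the page only: keys the OS reserves (Ctrl+Alt+Del, the Windows key, Alt+Tab, Alt+F4) never reach the page or cannot be cancelled from it, which is why the text also calls for an on-screen keyboard and a keyboard filter driver. The hotkey list is a starting point to adjust for your application.

```javascript
// Added example: in-page lockdown for a browser-based kiosk (not the article's code).
// Best-effort only: OS-reserved keys (Ctrl+Alt+Del, Win, Alt+Tab, Alt+F4) are
// handled before or regardless of the page and must be blocked by the OS.

// Ctrl / Ctrl+Shift hotkeys that open dialogs, new windows, devtools or the
// address bar in mainstream browsers. Adjust for the app you ship.
const BLOCKED_COMBOS = new Set([
  'ctrl+p',  // print dialog (exposes a file picker via "Save as PDF")
  'ctrl+s',  // save page -> file picker
  'ctrl+o',  // open file -> file picker
  'ctrl+u',  // view source
  'ctrl+f', 'ctrl+g', 'ctrl+h', 'ctrl+j', 'ctrl+l', 'ctrl+d', 'ctrl+e', 'ctrl+k',
  'ctrl+n', 'ctrl+t', 'ctrl+w', 'ctrl+r',
  'ctrl+shift+i', 'ctrl+shift+j', 'ctrl+shift+c', // devtools
  'ctrl+shift+n', 'ctrl+shift+t', 'ctrl+shift+w', 'ctrl+shift+delete',
]);

// Normalise a keyboard event (or any object with the same fields) to "mods+key".
function comboOf(e) {
  const parts = [];
  if (e.ctrlKey) parts.push('ctrl');
  if (e.altKey) parts.push('alt');
  if (e.shiftKey) parts.push('shift');
  if (e.metaKey) parts.push('meta');
  let key = String(e.key || '').toLowerCase();
  if (key === ' ') key = 'space';
  parts.push(key);
  return parts.join('+');
}

// Decide whether a keydown should be swallowed.
function shouldBlockKey(e) {
  const key = String(e.key || '').toLowerCase();
  if (/^f\d{1,2}$/.test(key)) return true;   // F1..F12: help, find, reload, fullscreen, devtools
  if (e.altKey || e.metaKey) return true;     // Alt+D/Home/Left/Right, browser menus, Win combos
  return BLOCKED_COMBOS.has(comboOf(e));
}

// Wire the handlers into a window. Capture phase so page scripts cannot
// cancel the block, and stopPropagation so nothing downstream sees the event.
function installKioskLockdown(win) {
  const doc = win.document;
  const swallow = (e) => { e.preventDefault(); e.stopPropagation(); };
  doc.addEventListener('contextmenu', swallow, true);   // right-click menu
  doc.addEventListener('dragover', swallow, true);      // dropping a file onto the page
  doc.addEventListener('drop', swallow, true);          //   would open it as file://
  doc.addEventListener('keydown', (e) => { if (shouldBlockKey(e)) swallow(e); }, true);
  win.open = () => null;        // no popup windows
  win.print = () => {};         // no print dialog
  win.alert = () => {};         // no stray native dialogs
  win.confirm = () => false;
  win.prompt = () => null;
}

// Install when loaded in a real page; harmless when loaded in Node for testing.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  installKioskLockdown(window);
}
```

Load this as the first script on every page the kiosk serves. Ctrl+C/Ctrl+V are deliberately left alone so ordinary form input still works; if the application has no use for them, add them to the set.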
Block physical access to USB ports
If a hacker can reach a USB port, they can plug in a device that loads malware or injects keystrokes and hijacks your kiosk.
The following video explains how BadUSB works (a USB stick whose reprogrammed firmware presents itself as a keyboard and types commands) and suggests some techniques for protecting the USB ports on a laptop.
For a kiosk, all USB ports should be made inaccessible through the use of a secure kiosk or tablet enclosure; many secure enclosure options are available for both tablets and kiosks. Where a port must stay cabled (to a printer or card reader), also disable the unused ports in the BIOS and restrict device installation by policy so that an unexpected device class is not enumerated.
Prevent access to the file system
It's important to ensure that hackers cannot access the kiosk's file system. There are multiple ways to get to the file system, particularly if your kiosk is running a web browser.
One method is simply entering a file path into the web browser address bar, as shown below. I now have access to browse the file system and to potentially sensitive information.
Other routes to the file system include, but are not limited to, the print dialog (Save as PDF opens a file picker), the Open and Save As shortcuts, dragging a file onto the browser window, and the right-click menu.
You'll also want to monitor for popup windows and automatically close any dialog boxes.
Restrict access to external websites
If your kiosk is running a web browser, restrict the user to viewing only your website.
The most straightforward way of accomplishing this is through the use of a whitelist (allowlist).
A whitelist is a list of acceptable websites or web pages, depending on how granular you want to get, that the browser is allowed to display.
If the user attempts to navigate to a page not in the whitelist, the page will not be displayed. Match on the parsed scheme and host (and path, if you go that granular) rather than on substrings of the URL, and treat every non-http(s) scheme (file:, javascript:, data:, about:) as blocked, so that the address-bar file-system trick above is closed at the same time.
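As an added example serving both this section and the file-system section above (not code from the original article or from Redswimmer), here is an allowlist check for a browser kiosk written against the standard WHATWG URL parser, with the naive substring version beside it to show why that version fails. The hostnames and paths are made-up placeholders; wire isAllowed into whatever navigation hook your kiosk browser exposes and cancel the navigation when it returns false.

```javascript
// Added example: URL allowlisting for a browser kiosk (not the article's code).
// Hostnames and paths below are made-up placeholders.
const ALLOWLIST = [
  'https://kiosk.example.com/',           // whole site
  'https://pay.example.com/checkout/',    // one path on the payment host
];

// The weak version: a substring test on the raw URL. Kept only to show why it
// fails (see tests); do not ship it.
function naiveAllowed(url, allowlist) {
  const lower = url.toLowerCase();
  return allowlist.some((entry) => lower.includes(new URL(entry).hostname));
}

// Compile an allowlist entry into normalised components.
function compileEntry(entry) {
  const u = new URL(entry);
  return {
    protocol: u.protocol,                   // 'https:'
    hostname: u.hostname,                   // lower-cased and punycoded by the parser
    port: u.port,                           // '' when it is the scheme default
    path: u.pathname.replace(/\/+$/, ''),   // '' means any path on the host
  };
}

// Allow only if scheme, host and port match an entry exactly and the path is
// the entry's path or sits under it. Anything that is not http(s), carries
// credentials, or fails to parse is denied.
function isAllowed(url, allowlist) {
  let u;
  try { u = new URL(url); } catch { return false; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return false; // file:, javascript:, data:, about:, ...
  if (u.username || u.password) return false;                          // https://kiosk.example.com@evil.net/
  return allowlist.map(compileEntry).some((e) =>
    e.protocol === u.protocol &&
    e.hostname === u.hostname &&
    e.port === u.port &&
    (e.path === '' || u.pathname === e.path || u.pathname.startsWith(e.path + '/')));
}
```

Because the parser normalises case, default ports, dot segments and internationalised hostnames before the comparison, look-alike hosts such as kiosk.example.com.evil.net, a decoy hostname in the query string, or a Cyrillic letter in the domain all fail the exact host match, while the substring check waves them through.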
Incorporate a watchdog
A watchdog is a service running in the background that ensures your kiosk application is always running.
If your kiosk application crashes, uses too much memory, hangs, or stops behaving for any reason, the watchdog kills it if necessary and restarts it.
In Windows the watchdog is typically a Windows Service set to start automatically. Bear in mind that services run in session 0, isolated from the interactive desktop, so the service must launch the kiosk application into the logged-on user's session (or the watchdog itself runs as an auto-started program in that session) rather than spawning it directly. The watchdog will be implemented differently depending on your operating system, but the underlying objective is the same.
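As an added example, not the article's or Redswimmer's code, here is a minimal watchdog in Node.js that does what this section describes: it starts the kiosk application, restarts it with exponential backoff when it exits (so a crash loop does not spin the CPU), kills and restarts it when a heartbeat file the application is expected to touch goes stale, and, on Windows, kills it when its working set exceeds a limit by parsing tasklist output. The command line, the heartbeat-file contract and the memory limit are assumptions made for the illustration.

```javascript
// Added example: kiosk watchdog in Node.js (not the article's code).
// Assumed contract: the kiosk app touches the heartbeat file at least every
// HEARTBEAT_TIMEOUT_MS while healthy; the limits below are illustrative.
const HEARTBEAT_TIMEOUT_MS = 30000;
const MAX_WORKING_SET_KB = 1500000;   // ~1.5 GB
const CHECK_EVERY_MS = 5000;
const STABLE_AFTER_MS = 60000;        // uptime after which the crash counter resets

const log = (msg) => console.error(`[watchdog ${new Date().toISOString()}] ${msg}`);

// Exponential backoff, capped, so a crash loop does not spin.
function nextBackoffMs(attempt, baseMs = 1000, capMs = 60000) {
  return Math.min(capMs, baseMs * 2 ** attempt);
}

// A heartbeat is stale once it is older than the timeout.
function heartbeatStale(lastBeatMs, nowMs, timeoutMs = HEARTBEAT_TIMEOUT_MS) {
  return nowMs - lastBeatMs > timeoutMs;
}

// Working set in KB from the CSV output of `tasklist /FI "PID eq N" /FO CSV /NH`,
// e.g. (constructed line) "kiosk.exe","4321","Console","1","45,678 K".
// Returns null for the "INFO: No tasks are running..." line or anything malformed.
// Assumes the thousands separator is not a digit, which holds for common locales.
function parseTasklistWorkingSetKb(csvLine) {
  const fields = csvLine.trim().split('","').map((f) => f.replace(/^"|"$/g, ''));
  if (fields.length < 5) return null;
  const digits = fields[4].replace(/\D/g, '');
  return digits ? Number(digits) : null;
}

// Keep `cmd args...` running; restart on exit, stale heartbeat or memory blow-up.
function supervise(cmd, args = [], opts = {}) {
  const { spawn, execFile } = require('child_process');
  const fs = require('fs');
  let attempt = 0;

  function check(child, startedAt) {
    if (opts.heartbeatFile) {
      let last = startedAt;   // no file yet: the clock runs from process start
      try { last = Math.max(startedAt, fs.statSync(opts.heartbeatFile).mtimeMs); } catch {}
      if (heartbeatStale(last, Date.now())) {
        log('heartbeat stale, killing kiosk app');
        child.kill();
        return;
      }
    }
    if (process.platform === 'win32') {
      execFile('tasklist', ['/FI', `PID eq ${child.pid}`, '/FO', 'CSV', '/NH'], (err, stdout) => {
        if (err) return;
        const kb = parseTasklistWorkingSetKb(stdout);
        if (kb !== null && kb > MAX_WORKING_SET_KB) {
          log(`working set ${kb} KB over limit, killing kiosk app`);
          child.kill();
        }
      });
    }
  }

  function start() {
    const startedAt = Date.now();
    const child = spawn(cmd, args, { stdio: 'inherit' });
    log(`started ${cmd} as pid ${child.pid}`);
    const timer = setInterval(() => check(child, startedAt), CHECK_EVERY_MS);
    let done = false;
    const onDone = (why) => {           // 'error' and 'exit' may both fire; restart once
      if (done) return;
      done = true;
      clearInterval(timer);
      attempt = Date.now() - startedAt >= STABLE_AFTER_MS ? 0 : attempt + 1;
      const delay = nextBackoffMs(attempt);
      log(`${why}; restarting in ${delay} ms`);
      setTimeout(start, delay);
    };
    child.on('error', (err) => onDone(`spawn failed: ${err.message}`));
    child.on('exit', (code, signal) => onDone(`exited (code=${code}, signal=${signal})`));
  }
  start();
}

// Run directly:  node watchdog.js "C:\kiosk\kiosk.exe" --fullscreen
if (typeof process !== 'undefined' && process.argv.length > 2 && /watchdog\.js$/i.test(process.argv[1] || '')) {
  supervise(process.argv[2], process.argv.slice(3), { heartbeatFile: process.env.KIOSK_HEARTBEAT });
}
```

Set KIOSK_HEARTBEAT to the path the kiosk application touches (e.g. by rewriting a small file from a timer on its UI thread, so a hung UI also stops the heartbeat), and start the watchdog itself in the interactive session at logon, since a process spawned from a session-0 service would not appear on the kiosk's display.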
Anytime you’re deploying a kiosk, protecting customer data should be a top concern.
Payment kiosks in particular are attractive targets for hackers because cardholder data is easy to monetize. But payment kiosks aren’t the only kiosks at risk.
In order to implement the techniques in this article you’re going to have to modify your kiosk application. It’s time to get your developers involved so you can start protecting your customers and your reputation.