Kiosk Mode
Recently there was a large RFP for kiosk enclosures (at a federal cemetery). The procuring office indicated that no computers would be required as they had existing stock of some older Dell laptops. The laptops run Windows 7 (consumer edition). Deploying self-service computers with an unsupported (and often hacked) operating system in order to save $20 is a common mistake.
We often find windows computers, in particular, to be highly vulnerable in public locations. As a “white hat” we probably get into 50% of those computers one way or another. If they have personal data, that brings in to bear some pretty hefty HIPAA violations, especially in the medical field.
Bootup is the most vulnerable period for a public computer. Usually fairly easy to locate the power plug and unplug the unit. If you go really cheap, then you didn’t bother to use an UPS either.
And having been in the role several years as IT manager, we can tell you that as earnest and well-intentioned in-house technical gurus like to fancy themselves, at best they have to educate themselves first in order to eliminate access and data (cache files) to any reasonable degree. Our advice has remained the same over the years for those techs. Use a robust and mature lockdown system and see what it does. It has been hacked over the years (all software has been hacked and then adjusted if it is any good). Imitation is the sincere form of flattery. Don’t learn at the expense of your customers (or your legal settlement fund).
Employee Considerations
The usual mental framework for kiosk mode is to secure the interface for customers in self-service mode.
Fact is though the same applies to employees, especially with the social account proliferation. We see examples of employees playing Doom for example on POS terminals (usually running Windows). They could just as well be on TikTok or a porn site or surfing Google (with all its bad actor ads). Data, privacy, and ransomware all come into play.
Or maybe the employee loads Doom onto customer kiosk. See McDonald’s employee incident. The good news there is that at least the game station had a built-in screenreader (JAWS is used on McDonald’s kiosks).
Best to lockdown that POS application and the order kiosks…
Other Kiosk Mode Horror Stories
To be sure software and application must be secure. But don’t forget the physical — one of our favorites is the LazyBoy credit application. We wrote this up in 2018.
Note the bottom mount plate the unit sits on. It says Private, Safe, Secure.
Run the video and checkout the backside of the unit with the keys available to unlock the enclosure.
Inserting a small USB transaction sniffer is child’s play and anyone who fills out the credit application is handing it to some hacker. For reference the lockdown solutions referenced all provide protection against USB sticks.
Resources
- Kiosk Mode Software Providers
Disadvantages of Assigned Access
A common question I hear from new clients is “why would I want to use kiosk software when I can just use kiosk mode in Windows (aka Assigned Access)?”
This is a fair question, so we’ll explain the limitations of Windows Kiosk Mode and when there is a need for kiosk software.
The short answer is that kiosk software makes up for the shortcomings in Windows Kiosk Mode and adds an additional layer of security and ease of use to get you up and running quickly without all the headaches.
Windows Assigned Access is a feature which lets you restrict a specific standard account to using only one Windows Store app. For example, you can restrict customers at your business to using one app so your PC acts like a kiosk.
Whenever someone signs in with the specified account, they’ll only be able to use that one app. They won’t be able to switch apps or close the app using touch gestures, a mouse, the keyboard, or hardware buttons. They also won’t see any app notifications.
In a self-service kiosk environment, you might select Internet Explorer as your one app to run and point that at your kiosk application website.
Unfortunately, there are several limitations to Windows Kiosk Mode that will cause big problems, particularly in an unattended kiosk environment…
- Malicious users can potentially access the operating system, manipulate files, steal customer data in a number of ways. See my article on kiosk hacking.
- Users can browse to ANY website since there’s no ability to restrict the browser to certain websites
- Printing will popup the print dialog box, thereby confusing users and compromising security
- Downloading malicious files can corrupt the operating system and compromise user data
- System shortcuts like CTRL-ALT-DEL are not blocked, giving the attacker the ability to disrupt your kiosk and compromise security
- No support for payment devices (bill acceptors, credit card readers, etc…)
Another Point of View
Microsoft provides a basic lockdown solution that misses many key features that kiosk software like SiteKiosk provides for a successful deployment of kiosks, public computers and digital signage screens.
Different devices in public locations require different designs and layouts. Kiosk software like SiteKiosk come with different layouts, customizable browser designs and a design tool to create custom user interfaces without programming skills. Microsoft’s kiosk solution might require you to consult with a web developer if you require a certain design of your start screen.
Especially for larger deployments and for managing interactive screens, a Cloud-based remote management, monitoring solution adds value for administrators to remotely update the configuration and the content on the remote clients without local human intervention. Similarly, important information, notifications and logs can be accessed by administrators remotely.
Kiosk software adds necessary system monitoring and maintenance features out-of-the-box. A software watchdog feature in SiteKiosk monitors the system and restarts it within seconds if needed.
To protect business and user data, kiosk software like SiteKiosk also provides a session reset feature to reset the system after a pre-configured idle time and/or upon clicking a logout button by the user.
All browser and application windows will be closed, all user traces will be deleted (history, cookies, and cache), and the SiteKiosk browser returns to the Start Page.
Most kiosk software products and remote management solutions for kiosk systems can be tested before purchasing.
Kiosk Mode Posts
- Kiosk Mode Android Software New Release
- Windows 10 Kiosk Mode – KioWare 8.33
- Kiosk Mode Lockdown Browser – for Android + Windows 10
- Kiosk Mode Lockdown Browser – – Android Kiosk Software Released
- Kiosk Mode, Windows 10 & JAWS Software
- Kiosk Mode with Edge – How To – Microsoft Windows Common Problems
- Kiosk Mode Android – Esper Android Lifecycle Management
- Kiosk Mode Software – Renewing Sponsor Sitekiosk
- Kiosk Mode – FlowVella Integrates into iPad App
- Kiosk Mode for iPad Kiosk – Using iPad in Kiosk Mode with Horizon View
- How to setup the Chromebox and Kiosk mode?
- internet explorer – How to open IE(Desktop Version) in kiosk mode
- Kiosk mode VMware Communities
- Google Chrome Kiosk Mode by Google
- Kiosk Mode vs. Kiosk Software for Windows
Other Resource Links on DIY Kiosk Mode
Still feeling like you’d rather do it yourself and deal with the unknowns and Windows (or Android) patch management cycle? Here are some contract “writers” offering their semi-educated viewpoints.