Category Archives: Cyber Attack

Kiosk Hacking – Tips To Harden Your Kiosk

Breaking into unattended and semi-attended devices should be harder than it is.

Recently, McDonald's kiosks were "hacked", though not by any exploit: customers simply turned the installed ordering software against itself.

One big rule: put a lot of QA on your unit and have people actively try to break it. Developers always think they have covered every contingency but almost never have. They defend against what they know, not against what happens in the real world.

Great video from LOL ComediaHa illustrating the over-confident developer thinking he has it all figured out, only to find out otherwise…


We also published a feature on cyber security and its implications, which you should read. We quote:

Think the risk is overblown? A recent story on ZDNet detailed how a third-party worker inserted a USB drive into a computer on a cargo ship, inadvertently planting a virus in the ship’s administrative systems.

Here is much more advice from Andrew Savala of Redswimmer

It recently came out that a McDonald's kiosk in Australia was hacked. The following video shows two young men tricking the kiosk into giving them free food.

McDonald’s kiosk hack

Kiosk hacking has become commonplace in the news. In addition to the McDonald's kiosk hack, HR kiosks have recently been hacked, and there have also been incidents of smart city kiosks being hacked.

Self-service kiosks are everywhere, from street corners to grocery stores, and hackers are gunning for your customers' data. Payment kiosks in particular are attractive targets because cardholder data is easy to monetize.

In this article I'm going to cover several techniques for hardening your kiosk's security. Many of these techniques involve functional changes to your kiosk application, so you'll need to get your developers involved.

Prevent PIN theft

It's frighteningly easy to steal someone's PIN using an iPhone and a thermal camera: the keys that were pressed stay warm for a short while, and the warmest key is the one pressed last, so both the digits and their order can be read.

FLIR makes one such mobile thermal camera that can be used to easily determine the PIN someone has just entered.

The following video demonstrates this technique and explains why metal PIN pads, like those commonly found on ATMs, prevent it: the metal conducts the heat away too quickly for the key order to be read.

Shows how PIN theft works with thermal mobile camera and an iPhone

Password protect the BIOS

The BIOS firmware comes pre-installed on a personal computer's system board, and it is the first software to run when powered on.

Wikipedia

The BIOS (on current hardware, the UEFI firmware) setup utility is reachable for a few seconds at power-on and determines the boot order, among other things. From a security standpoint this is of particular concern because we don't want an attacker to reconfigure the kiosk to boot from a USB drive, or other media, instead of the kiosk's hard drive.

Booting from other media would allow the attacker to run their own operating system and tools against the kiosk's disk instead of the kiosk's operating system. Protecting the BIOS is largely a matter of setting a supervisor (setup) password so the settings cannot be modified, and removing USB, optical and network boot from the boot order while you are there. Treat the password as one layer rather than a complete defense: a firmware password can usually be reset by anyone who can open the case, so pair it with a locked enclosure, Secure Boot, and full-disk encryption so that a pulled drive or a bypassed boot order still yields no data.

Here’s a tutorial video of how-to password protect your BIOS.

Tutorial video of how-to password protect your BIOS

Restrict keyboard input

The operating system has many keyboard shortcuts that will let an attacker exit your kiosk application and reach the desktop.

There are many such hotkeys (e.g. Alt+F4, Alt+Tab, the Windows key, and Ctrl+Alt+Del in Windows), and we want to restrict keyboard input so an attacker cannot exit your kiosk application.

Avoid the use of a physical keyboard when possible and instead opt for an on-screen keyboard with the system keys removed.

As an added layer of security, use a keyboard filter driver to filter out system hotkeys. This layer matters because some chords are handled before your application ever sees them: Ctrl+Alt+Del in particular is handled by the Windows logon process and cannot be suppressed by an application-level hook, only by a filter at the driver level (Windows ships one as the Keyboard Filter feature in its Enterprise and IoT editions).

Prevent the mouse right-click

Right-clicking the mouse prompts the user with a context menu, some of whose options could be used to close or compromise your kiosk application. This is particularly true if your kiosk is running a web browser, where the menu offers options such as opening a link in a new window, viewing the page source, printing and saving the page.

Limiting the user to the left mouse button will help mitigate this risk; the middle button should be blocked for the same reason, since it opens links in new tabs.

The easiest way to achieve this is by having your kiosk application filter or ignore the right (and middle) click. Remember that the same menu can be opened from the keyboard (Shift+F10 or the Menu key), so the keyboard filter described above has to cover those keys too.
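As an added example (not the article's own code), here is the in-application layer of the keyboard and mouse policy from the two sections above, for a browser-based kiosk: a default-deny key filter that allows only printable characters and a short list of named keys, plus suppression of right and middle clicks and the context menu. It assumes the field names of the DOM `KeyboardEvent` and `MouseEvent`; the `ALLOWED_KEYS` set is an assumption you tune to what your own forms need. Browser-reserved chords such as Ctrl+N or Alt+F4 are consumed by the browser or the shell before page script sees them, so this layer is defense in depth and must be backed by the same policy in the kiosk shell (the host side of an embedded browser, or a keyboard filter driver).

```javascript
// Added example: default-deny input filter for a browser-based kiosk UI.
// Not the article's code; ALLOWED_KEYS is an assumption to tune per UI.

// Named keys the kiosk's own forms need. Every other named key (F1..F12,
// Escape, Tab, PrintScreen, ...) is dropped by default.
const ALLOWED_KEYS = new Set([
  'Backspace', 'Enter', 'Delete',
  'ArrowLeft', 'ArrowRight', 'ArrowUp', 'ArrowDown', 'Home', 'End',
]);

// True when a keydown must be suppressed. `evt` carries the DOM KeyboardEvent
// fields key, ctrlKey, altKey, shiftKey and metaKey.
function isBlockedKey(evt) {
  // Any chord with Ctrl, Alt or the Windows (Meta) key is a potential shortcut:
  // Alt+F4, Alt+Tab, Ctrl+N/T/W, Ctrl+Shift+I, Win+R ... Refuse them all instead
  // of enumerating the ones we happen to know about.
  if (evt.ctrlKey || evt.altKey || evt.metaKey) return true;
  // The dedicated Menu key opens the context menu even with the mouse locked down.
  if (evt.key === 'ContextMenu') return true;
  // Single printable characters (letters, digits, space, punctuation) are fine.
  if (typeof evt.key === 'string' && evt.key.length === 1) return false;
  // Named keys: only the listed ones pass. This also catches Shift+F10
  // (context menu), F11 (full-screen toggle) and F12 (developer tools).
  return !ALLOWED_KEYS.has(evt.key);
}

// True when a mouse event must be suppressed: button 1 (middle, opens links in
// a new tab) and button 2 (right, opens the context menu). Only button 0 passes.
function isBlockedMouse(evt) {
  return evt.button !== 0;
}

// Attach the policy to a window or document. Listeners run in the capture
// phase so they fire before any page script or default action.
function installKioskInputGuard(target) {
  const suppress = (evt) => { evt.preventDefault(); evt.stopPropagation(); };
  target.addEventListener('keydown', (evt) => { if (isBlockedKey(evt)) suppress(evt); }, true);
  for (const type of ['mousedown', 'mouseup', 'click', 'auxclick']) {
    target.addEventListener(type, (evt) => { if (isBlockedMouse(evt)) suppress(evt); }, true);
  }
  // The context menu can be requested by keyboard as well as mouse: always refuse.
  target.addEventListener('contextmenu', suppress, true);
}

// Only runs inside a browser; harmless under Node.
if (typeof window !== 'undefined') installKioskInputGuard(window);
```

In an Electron-hosted kiosk the same `isBlockedKey` decision belongs in the host's `webContents.on('before-input-event', ...)` handler (mapping its `control`/`alt`/`meta`/`shift` fields), which sees chords before the renderer does and can cancel them; a keyboard filter driver covers what no application layer can, Ctrl+Alt+Del included.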

Block physical access to USB ports

By allowing a hacker access to the USB ports they can potentially load malware to hijack your kiosk.

The following video explains how BadUSB works and suggests some techniques for protecting your USB ports on a laptop.

For a kiosk, all the USB ports should be made inaccessible through the use of a secure kiosk or tablet enclosure. Many secure enclosure options are available for both tablets and kiosks.

Explains how BadUSB works and suggests some techniques for protecting USB ports on a laptop.

Prevent access to the file system

It's important to ensure that attackers cannot reach the file system of your kiosk. There are multiple ways to get to it, particularly if your kiosk is running a web browser.

One method is simply entering a file path into the web browser's address bar, as shown below: the browser renders a directory listing. I now have access to browse the file system and access potentially sensitive information.

File system accessed through the address bar in Chrome

Other routes to the file system include, but are not limited to, the print dialog (printing to PDF opens a save-as file picker), the Open and Save As dialogs reachable by keyboard shortcut, and the right-click menu.

You'll also want to monitor for popup windows and automatically close any dialog boxes. Better still, run the browser in its kiosk mode with no address bar at all, and have the kiosk application refuse any navigation to a file:, chrome: or about: URL rather than relying on the user never finding a way to type one.

Restrict access to external websites

If your kiosk is running a web browser then you’ll want to restrict the user to only viewing your website.

The most straightforward way of accomplishing this is through the use of a whitelist.

A whitelist is a list of approved websites or web pages, depending on how granular you want to get, which the browser will allow to be displayed.

If the user attempts to navigate to a page not on the whitelist, the page is not displayed. Apply the check to every navigation, including redirects, popups and embedded frames, not just to links the user clicks.
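The following is added here and is not part of the article. It turns the whitelist into a navigation policy for a browser-based kiosk and also covers the file-system point from the previous section: only `https` pages on listed hosts and path prefixes pass, so `file:`, `chrome:`, `about:`, `javascript:` and `data:` URLs, other hosts, embedded credentials, non-default ports and `..` tricks are all refused. The hosts and paths in the list are constructed, and the wiring in `attachNavigationPolicy` assumes an Electron host; other embedded browsers expose equivalent navigation and request hooks.

```javascript
// Added example, not the article's code. Hosts and paths below are constructed.
const ALLOWLIST = [
  { host: 'kiosk.example.com', pathPrefix: '/order/' },
  { host: 'kiosk.example.com', pathPrefix: '/help/' },
  { host: 'cdn.example.com',   pathPrefix: '/' },     // static assets only
];

// Default-deny URL check. Returns true only for an absolute https URL whose
// host is listed and whose normalised path starts with an allowed prefix.
function isAllowedUrl(rawUrl, allowlist = ALLOWLIST) {
  let url;
  try {
    url = new URL(rawUrl);            // relative paths and garbage throw: refuse
  } catch {
    return false;
  }
  // One scheme check rejects file:, chrome:, about:, javascript:, data:, http: ...
  if (url.protocol !== 'https:') return false;
  // "https://kiosk.example.com@evil.test/" puts the trusted name in the userinfo;
  // hostname already says evil.test, but refuse credentials outright anyway.
  if (url.username || url.password) return false;
  // Non-default ports are not on the list either.
  if (url.port !== '') return false;
  // The URL parser has lower-cased the host and resolved "/order/../admin" to
  // "/admin", so a prefix test on url.pathname is safe against dot segments.
  const host = url.hostname;
  const path = url.pathname;
  return allowlist.some((rule) => host === rule.host && path.startsWith(rule.pathPrefix));
}

// Wiring for an Electron-hosted kiosk (assumed host). Not run in this file.
function attachNavigationPolicy(webContents) {
  const guard = (event, url) => { if (!isAllowedUrl(url)) event.preventDefault(); };
  webContents.on('will-navigate', guard);   // links, form posts, location= in the main frame
  webContents.on('will-redirect', guard);   // server-side redirects out of the allowlist
  // window.open / target=_blank: never spawn a second, unguarded window.
  webContents.setWindowOpenHandler(() => ({ action: 'deny' }));
  // Every request, including iframes, scripts, images and XHR, not just top-level pages.
  webContents.session.webRequest.onBeforeRequest({ urls: ['<all_urls>'] }, (details, callback) => {
    callback({ cancel: !isAllowedUrl(details.url) });
  });
}
```

Keep the request-level hook even though it looks redundant: `will-navigate` only covers main-frame navigations started by the page, so an allowed page embedding an iframe to an unlisted site would otherwise slip through.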

Incorporate a watchdog

A watchdog is a service running in the background which ensures that your kiosk application is always running.

If your kiosk application crashes, uses up too much memory, hangs, or misbehaves for any other reason, the watchdog will restart it.

In Windows the watchdog should be a Windows Service that starts automatically at boot, so it does not depend on anyone logging in and survives the kiosk application being killed. The watchdog will be implemented differently depending on your operating system, but the underlying objective is the same.

Wrapping Up

Anytime you’re deploying a kiosk, protecting customer data should be a top concern.

Payment kiosks in particular are attractive targets for hackers because cardholder data is easy to monetize. But payment kiosks aren’t the only kiosks at risk.

In order to implement the techniques in this article you’re going to have to modify your kiosk application. It’s time to get your developers involved so you can start protecting your customers and your reputation.


Your Clever Password Tricks Aren’t Protecting You from Today’s Hackers

Security breaches happen so often nowadays, you’re probably sick of hearing about them and all the ways you should beef up your accounts. Even if you think you’ve heard it all already, though, today’s password-cracking tools are more advanced and cut through the clever password tricks many of us use. Here’s what’s changed and what you should do about it.

Source: lifehacker.com

Good advice

Kiosk Security – Here Is the Porn Video That Played in DC’s Union Station Last Night [NSFW]

Last night, a display screen in Union Station—one of Washington DC’s main transit hubs—found itself moonlighting as a tiny pornographic theater. Now, Gizmodo can exclusively reveal footage of the incident, and I can assure you that, one, it’s definitely pornography, and two, I have never had a commute this stimulating.

Source: gizmodo.com

I think they said it in the movie (Sierra Madre?): "we don't need no stinkin' lockdown…". Somebody supposedly smarter than everyone else turns out to be not as smart as many.

Update: Corey Price, VP of Pornhub, provided Gizmodo with the following comment regarding the brand’s surprise appearance in Union Station yesterday evening.

“Pornhub is accessed by nearly 75 million fans across the world each day. It’s entirely possible the perpetrator of this incident was an avid fan who was perusing our content and unfortunately mishandled the technology behind the video screen at Union Hall. While we don’t condone such behavior — by any means — whatsoever, especially broadcasting unwarranted material to innocent passersby, we do hope it provided some…relief…in the midst of a hellacious commute home.”

Another worthwhile read is here on LifeHacker.

The Ransomware Attack Isn’t Over—Here’s How to Protect Yourself

Excerpt:

If your computer’s running on Microsoft Windows, you need to take these steps—right away.

Here’s why: in case you haven’t heard, hackers exploited a vulnerability in older Microsoft Windows servers to execute a large-scale global cyberattack on Friday using ransomware — a malicious software that holds your computer hostage for ransom — and a hacking tool stolen from the U.S. National Security Agency (NSA). The massive attack left victims locked out of their PCs with a promise of restored access if $300 was paid in digital currency Bitcoin—and a threat of destroyed files if the ransom is not met.

Thus far, at least 200,000 computers have been infected in more than 150 countries, leaving everything from businesses and governments to academic institutions, hospitals and ordinary people affected.

See article here on Kiosk Industry on passwords as well.

Your Clever Password Tricks Aren’t Protecting You from Today’s Hackers
