Hacking self-service

One software expert found more than 30 ways to hack a Windows kiosk. Next up: Linux.  

February 24, 2009

Paul Craig hacks into kiosks for a living.
 
The security consultant for New Zealand-based Security-Assessment.com has an office littered with dummy kiosks of various types. His job of late: to attempt to bypass the Windows operating system in as many ways as possible in order to reach the hard drive where, if these kiosks were real deployments, he could conceivably plant a virus or even steal private cardholder data.
 
The task may seem difficult on its face, but Craig says it's a cinch. In fact, he says he's already found more than 30 ways of doing it.
 
"The things I've found for Windows are definitely very freaky, easy and very quick," said Craig, who utilizes all the colorful lingo of a military general, with phrases like "attack vectors" and "attack surface" punctuating his conversation.
 
In the past, many software experts have pointed out the vulnerability of Windows, and Craig is no exception. In order to make kiosk deployers more aware of the exposure, he explained a few of his methods for SelfService.org. The hacker can break out of the kiosk app and into the kiosk hard drive by:
 
• Attempting to open a damaged .PDF file in Adobe Acrobat, causing the kiosk app to crash.
• Issuing a command to render a damaged Flash file, causing the kiosk app to crash.
• Using Windows Media Player as a browser to escape out of the kiosk app.
• Using QuickTime to bypass the kiosk app and access the hard drive's file system.
• Writing ActiveX commands that exit the kiosk app.
• Creating and uploading a Java file that orders the kiosk to escape out of the kiosk app.
• While on a personal computer, creating a link on a Web page that's visited by the kiosk and giving it the destination File://C:/. They can then go to the kiosk, access that Web page and click on that link.
 
Most of these methods use a Windows-based tool – Adobe Acrobat, Media Player, QuickTime – as a sort of trap door to sneak out of the kiosk application. That, says Craig, is Windows' primary weakness: all of the unnecessary software baggage that comes with the core operating system.
 
"Windows, by default, comes with Windows Media Player," he said. "It comes with a bunch of different file type handlers. If you have 50 different applications installed on your base Windows OS, now you have 50 different applications that you could potentially use to escape out of the kiosk."
 
Craig unleashed his findings on a disconcerted audience last August at DEFCON 16, an annual convention for computer hackers. Craig said the presentation left some in the audience falsely believing that he must have a grudge against Microsoft.
 
He believes Linux is in some ways just as vulnerable. In fact, he's already started launching similar attacks on Linux-based kiosks to expose just how vulnerable they might be.
 
"I never actually said at any point that Linux is more secure," Craig said. "They may be slightly more secure, but I wouldn't say Linux kiosks are the end-all of kiosk security. They definitely still have their own weaknesses."
 
Craig says if Linux has any advantage over Windows, it lies in the fact that its operating system doesn't come with the myriad tools and applications that Windows does.
 
"I've found that on Linux kiosks the subset of core components installed is much lower, so that means your attack vectors and the attack surface is much lower," he said.
 
Craig admits that he's only found three methods for breaking into a Linux-based kiosk thus far, but he says he's only getting started.
 
Gary Gilmer, principal for retail solutions at Chicago-based Clarity Consulting, says he believes Windows is still a relatively secure operating system, despite the holes Craig points out.
 
Clarity, a Microsoft Gold Certified Partner, develops customized software that's based on the Windows operating system.
 
Gilmer says Windows is no less secure than Linux, regardless of what experts might say about its reputation.
 
"It's certainly true that most of the viruses out there are aimed at Windows, but the reason for that is that's where the market share is," Gilmer said. "If you're going to try to write something malicious and you want to take advantage of something, you're going to target the largest footprint out there, not the smallest footprint out there."
 
Regardless of the operating system being used, Craig says it is incumbent upon the kiosk deployer to strip the software down to its bare minimum. That means getting rid of tools such as Java and Flash, if they're not required by the kiosk application.
 
It's something that can be done relatively quickly on a Linux system, says Craig, but it often takes hours on a Windows-based kiosk.
 
He says the strip-down approach has always been taken when it comes to kiosk hardware.
 
"If you'll notice, all of the kiosks have those custom keyboards and custom mice," Craig said. "The keyboards are missing all of the useful keys – the function keys, the start key. But from a software perspective, they haven't been removing that functionality."
 
In addition to stripping down the operating system, deployers can add special lockdown protection that will disable any commands other than the ones necessary for the user to interact with the kiosk app, according to "Software Security: The importance of locking down your self-service kiosk," a special report sponsored by Kioware and published by NetWorld Alliance Media.
 
"Using software lockdown protection is extremely important," said Stephanie Kropkowski, director of marketing and sales for Kioware. "You always want your kiosk to be used for its intended purpose."
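
Craig's advice to strip the image down can be checked by listing which programs Windows will launch for file types and URL schemes. The PowerShell below is an added example, not code from the article or from Craig; the allowlist entry `kioskapp.exe` is a hypothetical placeholder, and the script assumes handlers are registered under HKEY_CLASSES_ROOT.

```powershell
# Added example: list file-type and URL-scheme handlers that launch a
# program outside the kiosk's allowlist. The allowlist is hypothetical.
$AllowedExe = @('kioskapp.exe')   # assumption: the only program the kiosk needs

function Get-OpenCommand([string]$ClassName) {
    # Default value of <class>\shell\open\command, or nothing if none is registered
    $path = "Registry::HKEY_CLASSES_ROOT\$ClassName\shell\open\command"
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') }
}

function Get-ExeName([string]$Command) {
    # Pull the program out of a command line such as "C:\x\y.exe" "%1".
    # An unquoted path containing spaces is cut short, which fails safe:
    # the truncated name is not on the allowlist, so the entry is reported.
    if ($Command -match '^\s*"([^"]+)"' -or $Command -match '^\s*(\S+)') {
        ($Matches[1] -split '[\\/]')[-1]
    }
}

function Find-UnexpectedHandler {
    Get-ChildItem -LiteralPath 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $name = $_.PSChildName
            if ($name.StartsWith('.')) {
                # File extension: its default value names the class that handles it
                $kind = 'extension'; $class = [string]$_.GetValue('')
            } elseif ($_.GetValueNames() -contains 'URL Protocol') {
                # URL scheme registered by an installed application
                $kind = 'protocol'; $class = $name
            } else { return }
            if (-not $class) { return }

            $cmd = Get-OpenCommand $class
            if (-not $cmd) { return }
            $exe = Get-ExeName $cmd
            if ($AllowedExe -notcontains $exe) {
                [pscustomobject]@{ Kind = $kind; Name = $name; Handler = $exe; Command = $cmd }
            }
        }
}

Find-UnexpectedHandler | Sort-Object Handler, Name | Format-Table -AutoSize
```

Every row it prints is a program reachable from content the kiosk renders, and so a candidate for removal from the image or for blocking by the lockdown software.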

©2025 Networld Media Group, LLC. All rights reserved.