
How vulnerable are kiosks to hacking? Part 1

As technology advances, computers become more susceptible to hacking and unintended use scenarios. Kiosks are also vulnerable to these attacks.

Image courtesy of iStock.

May 30, 2017 by Elliot Maras — Editor, Kiosk Marketplace & Vending Times

No computer is immune to hacking. Recent events such as the WannaCry ransomware attack, which saw large institutions and companies in 150 countries attacked and forced to pay ransom to recover their files, have revealed an unwelcome aspect of the emerging Internet of Things.

For the kiosk industry, the recent release of a pornographic video on a kiosk touchscreen at Washington D.C.'s Union Station was only the latest reminder of the need to secure kiosks from unintended use. In that widely reported incident, the kiosk's software provider fixed the malfunction within a few days. But because the incident drew a lot of media attention, the danger exists that it could invite mischief makers to target other kiosks.

Google "kiosk hack," and videos will pop up demonstrating various ways kiosks have been manipulated. One video shows how someone hacked a McDonald's self-serve kiosk in Australia to lower the price of their purchase from $14.45 to $9.75.

Technology brings both benefits and liabilities

One problem afflicting all companies that deploy new technology is that new features are emerging faster than security measures to protect computers from being hacked.

"There is no really easy answer to cyber security threats," said Tom McClelland, president of DynaTouch Corporation, a self-serve kiosk solutions provider. "It takes a commitment at all levels of an IT organization to continue to monitor and fight it. But the real risk isn't just some pornography on your screen; it's exposure to you and your customer's private data and interruption of core business practices."

"Kiosk software should, at a minimum, adequately control the environment it runs in with the least amount of privileges needed, have necessary business logic to control user navigation, and keep auditing trails to trace user activity," said McClelland. "More advanced features like shell replacement, keyboard filtering and smart backend statistical analysis of atypical behavior with alerts should also be deployed based on kiosk use."

LinkNYC removes browser app

For LinkNYC, a kiosk that offers free Wi-Fi, phone calls, device charging and tablet access to city services in New York City, eliminating unintended use of the kiosks was simply a matter of removing the browser app. The kiosks have a custom-built Android-based operating system.

Complaints about people watching pornography on the kiosks and hogging them forced LinkNYC to remove the browser feature in September.

"A lot of steps were taken to make sure the devices are secure," said Dan Levitan, a spokesman for LinkNYC. "For example, if you walk away from the kiosk after you've been using it, it resets the entire tablet to its original condition. Everyone who uses it, uses it anew. You can't save anything or change the tablet."

How big a threat?

How serious is the problem of unintended kiosk use?

Laura Miller, director of marketing for KioWare Kiosk Software, does not think the rate of kiosk security breaches has increased, but there remains the problem of companies not wanting to invest in the necessary software.

"Security holes, when they occur, are typically a result of a failure to use kiosk software correctly, not a failure of kiosk software," Miller said. "If they are using kiosk software, and a breach occurs, a failure to properly configure is typically to blame."

When asked about the recent Union Station incident, Miller was correct in her assessment that a human factor caused the kiosk not to function properly. The company that installed the software, Ping HD, admitted they had failed to secure the machine's operating system. This allowed someone to access a pornography website and play its contents on the kiosk screen in the station's lobby.

"If you lock devices down using kiosk software, you can restrict what people can do," Miller said. "You should lock down all of your devices as much as is feasible. Then you limit who has access to those devices that are not secured. On non-secured devices, you can't completely eliminate the human factor – human susceptibility to phishing schemes."

Aside from unintended use scenarios, kiosks are not any more susceptible to hacking than other computers. Hackers usually target computers to gain access to proprietary information such as credit card or Social Security numbers.

Kiosks are susceptible

Nevertheless, kiosks are susceptible to hacks.

Kaspersky Lab, a security consultancy, released a report earlier this year called "Fooling the 'smart city.'" The report said smart city infrastructure, such as LinkNYC, develops faster than security tools, creating opportunity for cyber criminals.

The more sophisticated the device, the likelier it is to have vulnerabilities and/or configuration flaws, Kaspersky Lab said in the report.

Kaspersky Lab analyzed touchscreen payment kiosks, infotainment terminals in taxis, infotainment terminals at airports and railways, and road infrastructure components, such as traffic routers and speed cameras.

Most payment and service terminals are PCs equipped with touchscreens, the report said. The main difference is that they have a "kiosk mode," an interactive graphical shell that blocks the user from gaining access to the regular operating system and provides a limited set of features to perform the terminal's functions.

Kaspersky Lab found that most terminals do not have reliable protection to prevent the user from exiting the kiosk mode and gaining access to the operating system.

Part 2 of this two-part series will examine what kiosk operators can do to prevent hacking.

About Elliot Maras

Elliot Maras is the editor of Kiosk Marketplace and Vending Times. He brings three decades of experience covering unattended retail and commercial foodservice.
