How vulnerable are kiosks to hacking? Part 2 – What operators can do

As hacking becomes a bigger threat to computers, kiosk operators must stay current with operating systems and invest in kiosk software. Kiosk experts offer security tips.


May 31, 2017 by Elliot Maras — Editor, Kiosk Marketplace & Vending Times

Computer hacking has become a bigger problem as more devices – including kiosks – become part of the Internet of Things. Kiosk experts agree that kiosk software is needed to prevent the misuse of kiosks, such as displaying pornographic videos, as noted in part one of this two-part series.

Kiosk software can reduce the chances of an attacker gaining access to a kiosk's operating system, introducing malware to the system or accessing proprietary information.

"Self-service devices typically connect via the Internet," said Charley Newsom, CTO at Kiosk Information Systems, a kiosk solutions provider. "As such, these systems require protection from Internet intrusion." An enhanced security suite can control applications that can access self-service devices and stop network-borne attacks and downtime.

"You can deploy and manage firewall policies based on location to deliver complete protection and compliance with regulatory rules such as PCI-DSS 3.0," Newsom said.

An application "whitelist," a register of the programs and code that are explicitly authorized to run on the kiosk, is another security tool.

Unlike antivirus protection, whitelisting provides complete malware protection without the need for signature updates, Newsom said. Once the whitelist is created and enabled, the system is locked down to the authorized baseline—no program or code outside the authorized set can run, and no unauthorized changes can be made.
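The whitelisting approach Newsom describes maps directly onto Windows AppLocker. The following PowerShell script is an added example, not code from the article or from KIOSK Information Systems; it assumes a Windows 10 Enterprise or Education kiosk (the editions that enforce AppLocker), that the kiosk application lives under the hypothetical path C:\Kiosk, and that a suspect removable drive shows up as D:\. It builds the authorized baseline from what is installed, tests an unknown drive against it, and only then enforces:

```powershell
# Added example: build and enforce an AppLocker allowlist from the kiosk's
# known-good baseline. Run from an elevated PowerShell prompt on the kiosk
# image before it is deployed. C:\Kiosk and D:\ are hypothetical paths.

# 1. Collect file information for everything that is allowed to run today.
$baseline  = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe,Dll,Script,WindowsInstaller
$baseline += Get-AppLockerFileInformation -Directory 'C:\Windows'       -Recurse -FileType Exe,Dll,Script
$baseline += Get-AppLockerFileInformation -Directory 'C:\Kiosk'         -Recurse -FileType Exe,Dll,Script

# 2. Turn the baseline into rules. Signed files get publisher rules, which
#    survive vendor updates; unsigned files get hash rules, which pin them
#    exactly. Applying to Everyone covers the kiosk's own limited user.
$policy = New-AppLockerPolicy -FileInformation $baseline -RuleType Publisher,Hash -User Everyone -Optimize

# 3. Dry run before enforcing: anything on an inserted USB stick that the
#    baseline would NOT allow is listed here (expected: every binary on it).
Get-ChildItem 'D:\' -Recurse -Include *.exe,*.dll,*.ps1,*.bat,*.cmd -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -PolicyObject $policy -User Everyone |
    Where-Object PolicyDecision -ne 'Allowed'

# 4. Enforce. AppLocker does nothing unless the Application Identity
#    service is running, so make that permanent first.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -PolicyObject $policy -Merge
```

Two caveats a practitioner will hit: the C:\Windows baseline allows cmd.exe, powershell.exe and other built-in tools a kiosk user should never reach, so add explicit deny rules for those after merging; and because this policy is hash- and publisher-based, every legitimate kiosk software update has to be re-baselined (re-run steps 1 to 4) or it will be blocked, which is the "no unauthorized changes" property Newsom describes working as intended.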

'Guide to Hacking' offers insight

Andrew Savala, CEO of RedSwimmer Inc., a kiosk lockdown software provider and kiosk application builder, has published a "guide to hacking kiosk applications" with the intention of educating kiosk operators about kiosk security.

Interrupting the boot process is a hacker's first step to gaining access to the operating system, Savala said.

A hacker can pull the plug and reapply power to reboot the kiosk. By watching the kiosk boot, he or she can learn what operating system the kiosk uses. The boot screens will then give the hacker some ideas on how to interrupt the boot process.

Touchscreen keyboards are "fairly benign," assuming they do not have modifier keys like Ctrl, Alt and Windows Key. A physical keyboard, on the other hand, provides more options for accessing the operating system. If the hacker cannot use a physical keyboard, their options for using system shortcuts will be limited, according to Savala.

Not allowing access to PS/2 and USB ports will prevent a hacker from inserting a keyboard and entering keystrokes to halt the boot process.

Inserting a USB stick can allow an attacker to load malware onto the kiosk.

Kiosk lock down software can also be used to block system shortcuts, which Savala called a must when using a physical keyboard.
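The boot-interruption, physical-keyboard and USB-stick paths described above can each be closed on a Windows 10 kiosk with built-in settings. The script below is an added example, not code from the article or from RedSwimmer; it assumes an elevated PowerShell prompt for the boot and device sections, that the shortcut policies are applied in the kiosk user's own session (they live under HKCU) or pushed through a loopback Group Policy, and it uses the hypothetical account name KioskUser and application ID Contoso.KioskApp_abcdefghijklm!App. Firmware settings (a BIOS/UEFI password and a fixed boot order) still have to be set in firmware setup by hand.

```powershell
# Added example: Windows 10 kiosk hardening against boot interruption,
# keyboard shortcuts and USB mass storage. Names marked hypothetical are
# placeholders for the operator's own values.

# --- 1. Boot: remove the menus an attacker watches for after pulling the plug.
#     (Braces must be quoted in PowerShell or they parse as script blocks.)
bcdedit /set '{bootmgr}' displaybootmenu no
bcdedit /set '{bootmgr}' timeout 0
bcdedit /set '{default}' bootmenupolicy standard            # no legacy F8 menu
bcdedit /set '{default}' recoveryenabled no                 # no WinRE on failed boot
bcdedit /set '{default}' bootstatuspolicy ignoreallfailures # do not offer repair

# --- 2. USB sticks: disable the mass-storage class driver and deny all
#     removable-storage access by policy. USB keyboards and mice use the
#     HID class and are unaffected, so block those ports physically instead.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4 -Type DWord
$rs = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
New-Item -Path $rs -Force | Out-Null
Set-ItemProperty -Path $rs -Name Deny_All -Value 1 -Type DWord

# --- 3. Shell: Assigned Access replaces explorer.exe for the kiosk user, so
#     Win, Ctrl+Esc and the Ctrl+Alt+Del screen lead nowhere useful.
#     Requires a UWP app; the AUMID below is hypothetical.
Set-AssignedAccess -UserName 'KioskUser' -AppUserModelId 'Contoso.KioskApp_abcdefghijklm!App'

# --- 4. Shortcuts that still matter for a Win32 kiosk application.
#     Apply in the kiosk user's session (HKCU) or via loopback GPO.
$sys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$exp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $sys -Force | Out-Null
New-Item -Path $exp -Force | Out-Null
Set-ItemProperty -Path $sys -Name DisableTaskMgr         -Value 1 -Type DWord  # Ctrl+Shift+Esc
Set-ItemProperty -Path $sys -Name DisableLockWorkstation -Value 1 -Type DWord  # Win+L
Set-ItemProperty -Path $sys -Name DisableChangePassword  -Value 1 -Type DWord
Set-ItemProperty -Path $exp -Name NoWinKeys              -Value 1 -Type DWord  # Win+R, Win+E, ...
Set-ItemProperty -Path $exp -Name NoRun                  -Value 1 -Type DWord
Set-ItemProperty -Path $exp -Name NoClose                -Value 1 -Type DWord  # no Shut Down
# Sticky Keys (Shift x5) opens a Settings window on the lock screen; turn it off.
Set-ItemProperty -Path 'HKCU:\Control Panel\Accessibility\StickyKeys' -Name Flags -Value '506'
```

Verify the result the way Savala's guide says an attacker will: power-cycle the unit, hold Shift and F8 through boot, plug a keyboard into every exposed port, and press the shortcut list above. Anything that still surfaces a dialog is a finding.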

He stressed the importance of kiosk operators keeping up with new versions of operating systems.

Kiosk vulnerabilities cited

Frank Olea, president of Olea Kiosks, pointed to obsolete operating systems and not applying security measures as two major vulnerabilities for kiosks.

"Vulnerabilities also are created when unauthorized people have physical access to components or the ability to power the kiosk on and off," Olea said.

Historically, kiosks have been placed outside customer company LANs, Olea said. But increasingly, that practice is reversing itself, and more kiosks are being placed on company LANs.

"They pass data to a server, and the data store inside the corporate LAN becomes the weak point that is compromised," Olea said. Companies can reduce this exposure by installing lockdown software, which in addition to security often provides audit, reporting and monitoring capabilities.

Accidental infections occur

Vulnerabilities also occur accidentally when malware is carried into a facility on an employee's or guest's USB drive, Olea said.

"I bring a USB drive to the office that has an Excel document on it that I started at home but need to finish at work," Olea said. "Without my knowledge, however, my son borrowed the drive the night before to download some music from the darker side of the web, which also came with a virus." This is one reason companies require portable devices to be scanned before visitors and employees enter a business.

"If I'm not stopped to scan the drive before putting it into my work PC, I may inadvertently create havoc across the company when that stowaway virus is unleashed through the network," Olea said.

Olea pointed to a more sinister scenario. An attacker drops a few attractive-looking but infected USB sticks in a parking lot, hoping that an employee will pick one up and take it inside to see what is on it; the finder has no way of knowing the stick carries malware.

Olea offers the following suggestions for protecting kiosks from hacking:

  • Windows users should upgrade to Windows 10. It has a habit of auto-updating patches, which can be a concern for some users. Anyone who wishes to avoid the automatic updating feature of Windows 10 can investigate Microsoft's new Redstone IoT operating system, which allows for the manual application of patches.
  • Run virus and malware software, if only Windows Defender, which is free. 
  • Install lock down software, which puts the PC into "protected mode user" so admin (or root) is not available for privileged operations. If the kiosk is on the network, though, its safety is, in part, in the hands of the central server and the LAN and how well they are protected.
  • Rethink password strategy. Passwords are often too easy for attackers to figure out.

"Simple things like making sure OS patches and virus definitions are up to date, making sure passwords are complex and expire, and continually educating users on the importance of network security all make a big difference," said Tom McClelland, president of DynaTouch Corporation, a self-serve kiosk solutions provider. "Also, verifying all network traffic only uses secure ports and limiting the traffic to specific IPs also helps limit exposure."
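McClelland's last two points, restricting traffic to secure ports and to specific IPs, and making passwords complex and expiring, are both scriptable on a Windows kiosk. The following is an added example, not code from the article or from DynaTouch. It assumes an elevated prompt, the hypothetical application path C:\Kiosk\KioskApp.exe, and documentation-range addresses (203.0.113.10 for the kiosk back end, .53 for DNS, .123 for NTP, .20 for an internal WSUS server) in place of the operator's real ones:

```powershell
# Added example: default-deny outbound firewall with a per-program allowlist,
# a check that nothing else is talking, and a local password policy.
# All addresses and paths are hypothetical placeholders.

# --- 1. Default-deny in both directions on every profile. Inbound is
#     already denied by default; outbound is the part operators forget.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -DefaultOutboundAction Block

# --- 2. Allow only the kiosk application, only to the back end, only TLS.
New-NetFirewallRule -DisplayName 'Kiosk app to backend (TLS)' -Direction Outbound -Action Allow `
    -Program 'C:\Kiosk\KioskApp.exe' -Protocol TCP -RemotePort 443 -RemoteAddress 203.0.113.10

# --- 3. Name resolution and time are needed for certificate validation;
#     pin them to known servers rather than leaving 53/123 open to anywhere.
New-NetFirewallRule -DisplayName 'Kiosk DNS' -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53  -RemoteAddress 203.0.113.53
New-NetFirewallRule -DisplayName 'Kiosk NTP' -Direction Outbound -Action Allow -Protocol UDP -RemotePort 123 -RemoteAddress 203.0.113.123

# --- 4. Patching still has to work (McClelland's first point). Windows Update
#     runs inside svchost.exe, so allow it only to the internal WSUS server.
New-NetFirewallRule -DisplayName 'Kiosk WSUS' -Direction Outbound -Action Allow `
    -Program '%SystemRoot%\System32\svchost.exe' -Protocol TCP -RemotePort 8530,8531 -RemoteAddress 203.0.113.20

# --- 5. Verify: any established connection not in the allowlist is a gap
#     in the rules or a process that should not be running.
$allowed = '127.0.0.1','::1','203.0.113.10','203.0.113.20'
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notin $allowed } |
    Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess

# --- 6. Local password policy: 14-character minimum, 90-day expiry,
#     lockout after 5 failures for 30 minutes.
net accounts /MINPWLEN:14 /MAXPWAGE:90 /LOCKOUTTHRESHOLD:5 /LOCKOUTDURATION:30 /LOCKOUTWINDOW:30
# Complexity is a security option rather than a 'net accounts' switch; flip it
# through an exported and re-imported security template.
$cfg = Join-Path $env:TEMP 'secpol.cfg'
secedit /export /cfg $cfg | Out-Null
(Get-Content $cfg) -replace 'PasswordComplexity = 0', 'PasswordComplexity = 1' | Set-Content $cfg
secedit /configure /db (Join-Path $env:TEMP 'secpol.sdb') /cfg $cfg /areas SECURITYPOLICY | Out-Null
```

Run step 5 again after the kiosk has been in service for a day; a remote address that appears there without a matching rule is exactly the "data passed to the wrong place" problem Olea describes for kiosks on the corporate LAN.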

As kiosk capabilities increase, operators need to take measures to protect their systems from hackers. Companies have to stay current with operating systems and they cannot afford to skimp on kiosk software.

About Elliot Maras

Elliot Maras is the editor of Kiosk Marketplace and Vending Times. He brings three decades of experience covering unattended retail and commercial foodservice.

©2025 Networld Media Group, LLC. All rights reserved.