Pornographic video at D.C.'s Union Station disassembled; content provider takes responsibility, claims it wasn't a hack
Last week's release of a pornographic video on a kiosk touchscreen at Washington, D.C.'s Union Station was caused by someone who gained access to the kiosk's desktop operating system, which was not properly secured. The system's software was not hacked, as originally reported by several media sources.
The software content provider, Ping HD, which manages the digital content for the kiosk, responded to the problem the day after it occurred and expects the kiosk to be operating properly shortly.
Kevin Goldsmith, chief technology officer at Ping HD, told Kiosk Marketplace the kiosk's lockdown software was not secure, allowing someone to access the pornography website and play its content on the kiosk in the station's lobby. The content was discontinued when the kiosk was shut off.
Ping HD provides cloud-based messaging software to run advertisements, PSAs, directories and other information. The kiosk has a 65-inch display touchscreen overlay powered by a Windows 10 based media LAN.
Incident drew attention
Because the incident occurred in a busy public place, it drew a significant amount of media attention.
Located outside of a Chipotle restaurant in the station's main hall, the kiosk began to stream pornographic video at 5:30 p.m. and continued for about three minutes until an employee from Roti, a fast casual restaurant at Union Station, turned the machine off with the help of another person.
Fortunately, Ping HD's Goldsmith was in Washington, D.C. at the time of the event. He was in Washington, D.C. for a Tuesday event. Goldsmith found out about the incident on Tuesday afternoon, the day after it happened, and arrived at Union Station Wednesday morning.
Goldsmith said he noticed that certain functions had not been implemented in the kiosk's Windows 10 operating system. Ping HD had recently installed the kiosk's software after taking over from another software provider.
System was not locked down
"It was not locked down in any way," Goldsmith said of the local area network. "In any public environment, you shouldn't have a regular network wide open."
Whoever accessed the pornographic website did so using the kiosk's touchscreen.
"Once he did get to the Windows desktop, then he had free rein," Goldsmith said. Goldsmith doesn't know specifically how the person got to the desktop, but he is aware of plausible scenarios that he did not wish to describe for publication.
"That's something that we, coming in, should have double checked," Goldsmith said. "On this particular unit, that was not the case. Windows 10 as an operating system is designed for tablet based computing, so you've got a lot of swipe type features."
"It's bad enough that somebody managed to do that," Goldsmith said. "But ultimately, once that happens, the network was really open for anybody to get to anywhere. They could have pulled out absolutely anything."
Lock down completed
The lock down of the system has been completed, Goldsmith said. He said there are 27 or 28 screens in the station, and all have been checked so they are configured consistently.
"We've been through every single device to make sure that everything is locked down as we incorrectly assumed it was when we took over," he said. "We vet hardware with a specific image build, and then ensure that all the security tools are in place."
The incident has served as a painful learning experience to Ping HD.
"There's a new precedent in how we handle new hardware that was not spec'd in by us," Goldsmith said. "We certainly set new protocol. We've basically identified every single component that we can lock down to prevent that from happening."
"It's certainly a bad situation that someone was able to break out of our application, then to be able to access any website in that sort of public environment," he said.
Organizations have no comment
Union Station Redevelopment Corporation, a non-profit organization, oversees the station. Beverly Swaim-Staley, president and CEO of the organization, told The Washington Post last Tuesday that this was the first time such an event had occurred at the station. Swaim-Staley said Ashkenazy Acquisition Corp., the owner of the building, was investigating the incident.
Neither organization could be reached for comment.
The videos can be seen on gizmodo.com. Most, but not all, of the sexually explicit content is blocked out on the Gizmodo video.
Elliot Maras is the editor of KioskMarketplace.com and FoodTruckOperator.com.