CONTINUE TO SITE »
or wait 15 seconds

Blog

How to prevent the hacking of kiosk applications

Strategies to help you improve the security of your kiosk applications.

October 20, 2014 by Andrew Savala — CEO, KioskSimple

I've asked our kiosk application developers to come up with their best ideas on how they would go about preventing the hacking of a kiosk application, and compiled the following list. 

These strategies are to help you improve the security of your kiosk applications.

Preventing an interruption of the boot process

When you approach a kiosk it's unusual that you'll witness the operating system booting, but hackers can make this happen by performing a hard reboot (pulling the plug and reapplying power). By watching the kiosk boot they can learn what operating system the kiosk is running, and the boot screens might give them ideas on how to go about interrupting the boot process.

To defend this boot-process interruption:

Omit a physical keyboard and block access to USB and PS/2 ports to prevent a hacker from inserting a physical keyboard and entering keystrokes to interrupt the boot process.

Some BIOS systems can be password protected to prevent user tampering, which should be enabled if you’re running in a public environment. Password protecting the BIOS will help prevent a hacker from booting from alternative media or reconfiguring the boot process.

Preventing BadUSB

Some "kiosks" are no more than PCs or tablets sitting on a desk with all their USB ports exposed. If an attacker can insert a USB stick, they can potentially load malware on the kiosk by taking advantage of a security flaw known as BadUSB

BadUSB YouTube Video :

To defend a system from BadUSB, it's critical that all physical access to USB ports on your kiosk be blocked in order to prevent a USB stick from being inserted.

Eliminating keyboard input

Typically a kiosk's touchscreen keyboard will be fairly benign when it comes to the keys you're allowed to use, but a physical keyboard gives us more options that could wreak havoc on the operating system. Kiosk applications that collect a lot of information from customers (e.g., a job application kiosk) will often include a physical keyboard to speed up the data-entry process. If the kiosk has any of its USB ports exposed, a hacker might be able to attach a physical keyboard.

Defense: If the hacker cannot utilize a physical keyboard, their options for entering system shortcuts will be greatly limited, assuming your touchscreen keyboard does not include modifier keys like Ctrl, Alt, Windows Key, etc. Kiosk lockdown software can also be utilized to block system shortcuts, which is a must when using a physical keyboard.

Preventing launches of additional applications and dialog windows

In many cases, the kiosk application developer doesn't want any other applications to be able to run -- these could potentially allow the user to gain elevated access to the file system. For example, clicking on an email link could launch a default mail application, which in turn could allow the user to browse the file system through the use of email attachments.

To defend against such a launch, a background watchdog process should be put in place to monitor dialog windows and automatically shut them down if they're not contained in an approved whitelist. This requires intimate knowledge of the messaging used by your operating system. The easiest way to accomplish this is by utilizing good kiosk lockdown software.

Preventing the manipulation of the Web browser

If the kiosk makes use of a Web browser to display its content, a hacker could gain access to the file system or view websites other than those intended by the kiosk application developer.

In order to control the content displayed on your kiosk, the Web browser's ability to surf should be restricted to a whitelist. Typically, a whitelist will allow you to write regular expressions and create complex rules to control exactly what URLs are reachable on your kiosk. Website filtering can be accomplished through the use of a proxy, if one is available, or by using kiosk lockdown software. Your kiosk application should also avoid displaying detailed error messages, but instead display a generic error message about contacting customer support and an error code.

Testing the watchdog

In many cases, kiosk lockdown software will employ a "watchdog" service to ensure that the kiosk application is always running; it will also restart the kiosk application if it crashes. This is not always the case though, so if a hacker can find a way to crash the kiosk application, he might find himself sitting at the Windows desktop.

The key in defending this hack attempt is to find kiosk lockdown software with a watchdog that ensures your kiosk application is always running.

 

Andrew Savala is the CEO of RedSwimmer Inc., creators of the kiosk lockdown software KioskSimple. Andrew has been developing kiosk software for Windows platforms since 2007, with an emphasis on .NET WPF kiosk application design.

About Andrew Savala

Andrew Savala is the COO of BIxby, with a background in designing and deploying payment kiosk systems. He offers consulting services to companies looking to develop their payment kiosks.

Connect with Andrew:

Related Media

Blog
How Self-Service Kiosks Drive Customer Behavior and Increase Sales
Blog
Is Your Kiosk Network Missing Something? The Case for Kiosk Management
Blog
Measuring Kiosk Performance: Are Your Kiosks Meeting Customer Expectations?
White Paper
Simplifying Digital Signage Content Management
Presented by PROVISIO LLC
Recent Posts
USConnect granted US patent for Theft Detective technology
GameChanger Systems secures 2nd round of series A funding
IDEMIA launches enhanced kiosks for background checks
EcoATM names Matt Furlong as CEO
Convious Kiosks cut queues, boost sales at Zoo Osnabrück


©2025 Networld Media Group, LLC. All rights reserved.
b'S1-NEW'