If any of your kiosks’ USB ports are exposed, watch out: those kiosks are open to a recently discovered security vulnerability. According to a recent USB security article in Wired, security researchers Karsten Nohl and Jakob Lell have demonstrated how their malware, called BadUSB, “can be installed on a USB device and used to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic.”
Allowing your kiosk users to insert a USB memory stick could let attackers smuggle the BadUSB malware onto your kiosk undetected. It’s entirely possible that a kiosk user doesn’t even realize their USB stick has been infected, but nonetheless inadvertently compromises the security of your kiosk.
How do I defend my kiosk from BadUSB?
“In this new way of thinking, you have to consider a USB infected and throw it away as soon as it touches a non-trusted computer.”
For the vulnerability to be addressed, a new layer of security will need to be developed around the USB firmware, which requires an update of the USB standard, and that will take a while. In the meantime, it’s critical that all physical access to USB ports on your kiosk be blocked to prevent an infected USB stick from being inserted. Too many kiosks are nothing more than a tablet running kiosk software, sitting on a countertop with all of its USB ports exposed. If this describes your tablet kiosk, then you should consider one of these secure kiosk tablet enclosures to cover up those vulnerable USB ports.
For more information on securing your kiosk application please see my article on How to prevent the hacking of kiosk applications.