I’ve asked our kiosk application developers to come up with their best ideas on how they would go about hacking a kiosk application and compiled a list for you reading pleasure. This is not intended to be a list of known exploits for any specific kiosk application, but rather a list of things our kiosk application developers would try if we were so inclined to hack a kiosk application. We choose to focus on hacking the kiosk application itself not the hardware. So brilliant ideas like tying the kiosk to the bumper of your pickup truck will not be included. Disclaimer, this article is for educational purposes only to help you improve the security of your kiosk applications so don’t try this on a kiosk without permission.
Interrupting the boot process
When you approach a kiosk it’s unusual that you’ll witness the operating system booting but it’s easy enough to make happen by performing a hard reboot (pulling the plug and reapplying power). By watching the kiosk boot you’ll learn what operating system the kiosk is running and the boot screens may give you some ideas on how to go about interrupting the boot process.
Some things to look for while the kiosk is booting:
- What operating system is it running?
- Does the boot process allow keyboard input (assuming a keyboard is installed)? For example can I enter the BIOS or configure the RAID controller?
- Will the BIOS allow the kiosk to boot from an alternative media like a DVD or USB drive? This is only relevant if the ports on the kiosk are exposed.
- Does the kiosk automatically log into a user account? In the case of Windows holding down the SHIFT key will often disable the auto-login and potentially allow you to log into a different user account. You may find that some user accounts are better protected than others.
Omitting a physical keyboard and blocking access to USB and PS/2 ports will prevent a hacker from inserting a physical keyboard and entering keystrokes to interrupt the boot process. Some BIOS can be password protected to prevent user tampering, which should be enabled if you’re running in a public environment. Password protecting the BIOS will help prevent a hacker from booting from alternative media or reconfiguring the boot process.
Some “kiosks” are no more than PCs or tablets sitting on a desk with all their USB ports exposed. If an attacker can insert a USB stick they can potentially load malware on the kiosk by taking advantage of a security flaw known as BadUSB.
It’s critical that all physical access to USB ports on your kiosk be blocked in order to prevent a USB stick from being inserted.
Typically a kiosks touchscreen keyboard will be fairly benign when it comes to the keys you’re allowed to use but a physical keyboard gives us more options that could wreak havoc on the operating system. Kiosk applications that collect a lot of information from customers (i.e. a job application kiosk) will often include a physical keyboard to speed up the data entry process. If the kiosk has any of its USB ports exposed then you may be able to attach a physical keyboard.
Keystrokes to attempt:
- System shortcuts like Ctrl-Alt-Del, Alt-Tab, Alt-F4, etc… may allow you to exit out of the kiosk application and gain direct access to the kiosks operating system. Search the web for shortcut keys specific to the kiosks OS and you’ll find massive lists of combinations to try.
- Hardware specific shortcuts like the Intel Video Drivers control panel Ctrl-Alt-F12
- Windows Accessibility shortcuts like sticky keys (press Shift five times) or high contrast mode (Left Alt-Left Shift-Print Screen) can render the kiosk nearly unusable if the user doesn’t know how to disable them.
If the hacker cannot utilize a physical keyboard then their options for entering system shortcuts will be greatly limited, assuming your touchscreen keyboard does not include modifier keys like Ctrl, Alt, Windows Key, etc… Kiosk lockdown software can also be utilized to block system shortcuts which is a must when using a physical keyboard.
Launching additional applications and dialog windows
In many cases the kiosk application developer does not want any other applications to be able to run because they could potentially allow the user to gain elevated access to the file system. For example clicking on an email link could launch a default mail application which may in turn allow the user to browse the file system through the use of email attachments.
Ideas for launching additional applications and dialog windows:
- Get a list of shortcut keys specific to the kiosks operating system and see if they open any dialog windows
- In the case where the kiosk makes use of a web browser to display it’s content you could try clicking on links for email addresses, phone numbers and PDF documents
- Any action that would bring up the “Save As” dialog and grant you the ability to explore the file system. For example printing a document may give you the option to print to a PDF or Microsoft XPS Document Writer which will then prompt you where you’d like to save the file.
A background watchdog process should be put in place to monitor dialog windows and automatically shut them down if they’re not contained in an approved whitelist. This requires intimate knowledge of the messaging used by your operating system so by far the easiest way to accomplish this is by utilizing a good kiosk lockdown software.
Manipulating the web browser
If the kiosk makes use of a web browser to display its content you may be able to gain access to the file system or view websites other than what the kiosk application developer intended.
Things to try on a kiosks web browser:
- Browsing to the local file system (i.e. “C:”)
- Browsing to other websites. If the URLs are filtered you could test the robustness of the filtering by encoding the URLs.
- Clicking on links for email addresses, phone numbers and PDF documents may launch other applications or dialog windows granting you access to the file system.
- Trying to get the web application to display an error page to gain more information about the application.
- Attempting SQL injection on text fields (search the web for “SQL injection” it’s a large subject)
In order to control the content displayed on your kiosk the web browser surfing should be restricted to a whitelist. Typically a whitelist will allow you to write regular expressions to create complex rules to control exactly what URLs are reachable on your kiosk. Website filtering can be accomplished through the use of a proxy, if one is available, or by using a kiosk lockdown software. Your kiosk application should also avoid displaying detailed error messages but instead display a generic error message about contacting customer support and an error code.
Testing the watchdog
In many cases kiosk lockdown software will employ a “watchdog” service that will ensure that the kiosk application is always running and restart the kiosk application if it crashes. This is not always the case though so if you can find a way to crash the kiosk application you may find yourself sitting at the Windows desktop.
The key is to find a kiosk lockdown software with a watchdog which ensures that your kiosk application is always running.
Looking over someone’s shoulder to sneak a peek at their password or other sensitive information is referred to as “should surfing.” Here’s a hi-tech example of using an iPhone and infrared camera to do just that.
The video suggests that you touch as many false keys as possible to make it difficult for the thief to determine which keys are part of your PIN. They suggest laying your hand across all the keys while entering your PIN.
I hope that our ideas on hacking kiosk applications will help you improve the security of your kiosks and provide a safer experience for your customers. If you need help securing your kiosk application please consider our KioskSimple kiosk lockdown software. Our kiosk consultants are also happy to work with your developers to harden your kiosk application.
- Kiosk Idle Timeout: What Happens When They Walk Away… - May 25, 2019
- How to Plan Your Payment Kiosk Workflow - May 4, 2019
- Selecting Kiosk Payment Devices, Don’t Paint Yourself into A Corner - April 25, 2019