Kiosk Hacking: 8 Tips to Harden Your Kiosk Security

Kiosk hacker

It recently came out that a McDonalds kiosk in Australia was hacked. The following video shows two young men tricking the kiosk into giving them free food.

McDonald’s kiosk hack

Kiosk hacking has become common place in the news. In addition to the McDonald’s kiosk hack, HR kiosks have recently been hacked and there have also been incidents with smart city kiosks being hacked.

Self-service kiosks are everywhere from street corners to grocery stores and hackers are gunning for your customer’s data. Payment kiosks in particular are attractive targets because cardholder data is easy to monetize.

In this article I’m going to cover several techniques for hardening your kiosks security. Many of these kiosk hardening techniques involves functional changes to your kiosk application, so you’ll need to get your developers involved.

Prevent PIN theft

It’s frighteningly easy to steal someone’s PIN number using an iPhone and a thermal camera.

Flir makes one such thermal mobile camera that can be used to easily determine the PIN number someone entered.

The following video demonstrates this technique and explains how metal PIN pads, like those commonly found on ATMs, can be used to prevent PIN theft.

Shows how PIN theft works with thermal mobile camera and an iPhone

Password protect the BIOS

The BIOS firmware comes pre-installed on a personal computer‘s system board, and it is the first software to run when powered on.

Wikipedia

The BIOS is the first screen that appears when your computer boots and determines the boot order, among other things. From a security standpoint this is of particular concern because we don’t want a hacker to be able to reconfigure the computer to boot from a USB drive, or other media, instead of the kiosk’s hard drive.

Booting from another media would allow the attacker to run malware instead of the kiosk’s operating system. Fortunately, protecting the BIOS is simply a matter of configuring a password so the BIOS settings cannot be modified.

Here’s a tutorial video of how-to password protect your BIOS.

Tutorial video of how-to password protect your BIOS

Restrict keyboard input

The operating system has many keyboard shortcuts that will allow an attacker to exit out of your kiosk application and access the desktop.

There are many such hotkeys (i.e. Ctrl-Alt-Del in Windows) and we want to restrict the keyboard input to prevent a hacker from exiting your kiosk application.

Avoid the use of a physical keyboard when possible and instead opt for an onscreen keyboard with the system keys removed.

As an added layer of security, you can use a keyboard filter driver to filter out system hotkeys.

Prevent the mouse right-click

Right clicking the mouse will prompt the user with a series of options. Some of which could be used to close or compromise your kiosk application. This is particularly true if your kiosk is running a web browser.

Limiting the user to only clicking the left mouse button will help mitigate this risk.

The easiest way to achieve this is by having your kiosk application filter or ignore the right mouse click.

Block physical access to USB ports

By allowing a hacker access to the USB ports they can potentially load malware to hijack your kiosk.

The following video explains how BadUSB works and suggests some techniques for protecting your USB ports on a laptop.

For a kiosk, all the USB ports should be made inaccessible through the use of a secure kiosk or tablet enclosure. Many secure enclosure options are available for both tablets and kiosks.

Explains how BadUSB works and suggests some techniques for protecting USB ports on a laptop.

Prevent access to the file system

It’s important to ensure that hackers cannot access the file system of your kiosk. There are multiple ways to get to the file system, particularly if your kiosk is running a web browser.

One method is by simply entering the file path into the web browser address bar like shown below. I now have access to browse the file system and access potentially sensitive information.

File system accessed through the address bar in Chrome

Other opportunities to access the file system include, but are not limited to, the print dialog and right clicking the mouse.

You’ll also want to monitor for popup windows and automatically close any dialog boxes.

Restrict access to external websites

If your kiosk is running a web browser then you’ll want to restrict the user to only viewing your website.

The most straightforward way of accomplishing this is through the use of a whitelist.

A whitelist list is an acceptable list of websites or web pages, depending on how granular you want to get, which the browser will allow to be displayed.

If the user attempts to navigate to a page not in the whitelist then the page will not be displayed.

Incorporate a watchdog

Use a kiosk watchdog to keep your kiosk healthy

A watchdog refers to a service running in the background which ensures that your kiosk application is always running.

If your kiosk application crashes, uses up too much memory, or stops behaving for any reason, the watchdog will restart it.

In Windows the watchdog should be a Windows Service that automatically runs at startup. The watchdog will be implemented differently depending on your operating system, but the underlying objective is the same.

Wrapping Up

Anytime you’re deploying a kiosk, protecting customer data should be a top concern.

Payment kiosks in particular are attractive targets for hackers because cardholder data is easy to monetize. But payment kiosks aren’t the only kiosks at risk.

In order to implement the techniques in this article you’re going to have to modify your kiosk application. It’s time to get your developers involved so you can start protecting your customers and your reputation.

Follow me

Andrew Savala

Andrew Savala is the CEO of RedSwimmer, with a background in designing and deploying complex payment kiosk systems.Andrew offers high-value, strategic consulting services to companies looking to develop their payment kiosks.
Andrew Savala
Follow me

Author: Andrew Savala

Andrew Savala is the CEO of RedSwimmer, with a background in designing and deploying complex payment kiosk systems. Andrew offers high-value, strategic consulting services to companies looking to develop their payment kiosks.