Over a million dollars was stolen from casino kiosks in a US case made public last week. Here in New Zealand, flaws in government kiosks allowed 'hackers' to access private information*. Here are 4 rules to reduce the risk of this type of breach.

Like car theft prevention, we can make kiosks less vulnerable on several fronts:

1. Lock doors and windows - choose custom kiosk hardware, with no keyboard and no USB ports
2. Set alarm and ignition lock - choose software designed for kiosks, not a repurposed browser
3. Park in a safe place - choose a secure and monitored location for the kiosk

And

4. Don't leave your keys & wallet in the car - lock down the network and OS so there is nowhere to go and nothing to take

Finally, review security beyond the kiosk. The casino kiosk flaw seems to have been outside the kiosk software, in the bank transaction system, which allowed many withdrawals to be taken from the same account within 60 seconds while counting them only once.

Kiosk Hardware: A keyboard gives instant access to a raft of commands and shortcuts, every one of which must then be blocked in the OS. That makes the kiosk vulnerable to any later change to the OS and leaves room for omissions. A USB port allows malicious software to be loaded and provides an easy way to carry content away.

Kiosk Software: Browsers and other consumer applications are not designed for security. Kiwi Paul Craig, self-proclaimed 'King of Kiosk Hacking', said in his presentation at Defcon 19:

  • 'the "browser" component is typically a common browser library'
  • consumer software trusts the person on the keyboard
  • 'blacklists just don't work'

He demonstrates how to use his website, the 'Interactive Kiosk Attack Tool', to break into almost any kiosk running a browser. Other standard applications such as Notepad can also be used if they are accessible to the kiosk user and the kiosk software can be crashed.
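Craig's point that 'blacklists just don't work' is easy to see in a kiosk browser's navigation policy. The following is an added illustration, not code from the post or from Craig's tool: it compares a blocklist of 'known bad' URL schemes with an allowlist that permits only HTTPS to the kiosk's own host (the hostname and the sample requests are constructed for the example).

```python
from urllib.parse import urlsplit

# Constructed kiosk configuration: the only origin the kiosk may browse.
KIOSK_HOST = "kiosk.example.govt"  # hypothetical hostname

# Blocklist approach: name the schemes we know are dangerous and hope
# the list is complete. Everything not listed is allowed.
BLOCKED_SCHEMES = {"file", "ftp"}

def blocklist_allows(url: str) -> bool:
    """Reject only URLs whose scheme appears verbatim in BLOCKED_SCHEMES."""
    scheme = url.split(":", 1)[0]
    return scheme not in BLOCKED_SCHEMES

def allowlist_allows(url: str) -> bool:
    """Permit only https navigations to the configured kiosk host.

    The URL is parsed and normalised, so differences in case, embedded
    credentials or an explicit port cannot change the decision.
    """
    parts = urlsplit(url)              # urlsplit lower-cases the scheme
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if parts.port not in (None, 443):
        return False
    return (parts.hostname or "") == KIOSK_HOST   # hostname is lower-cased too

# Constructed navigation requests a kiosk browser might receive.
SAMPLE_REQUESTS = [
    "https://kiosk.example.govt/forms/apply",  # legitimate kiosk page
    "https://KIOSK.example.govt:443/help",      # same origin, different case and explicit port
    "FILE:///",                                 # case-sensitive blocklist does not match "file"
    "about:settings",                           # scheme nobody thought to put on the blocklist
    "https://other.example.net/",               # any other web site is fine by the blocklist
]

def compare_policies(urls):
    """Return {url: (blocklist_decision, allowlist_decision)} for each request."""
    return {u: (blocklist_allows(u), allowlist_allows(u)) for u in urls}

if __name__ == "__main__":
    for url, (block, allow) in compare_policies(SAMPLE_REQUESTS).items():
        print(f"{url:42} blocklist={block!s:5} allowlist={allow}")
```

Only the first two requests are ones the kiosk should serve; the blocklist lets all five through, while the allowlist admits exactly those two.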

Kiosk Location: A busy, well-lit area with an attendant nearby is helpful to kiosk users as well as a deterrent to those with malicious intent.

Kiosk Network: Ideally the kiosk sits on its own separate network. If it does not, the network administrator must lock down tightly what the kiosk is permitted to reach on the shared network.

*MSD releases independent report into IT security breach


Author: Cath Sample