Nov 27, 2010 13:13 GMT

A security researcher has identified vulnerabilities in multiple models of Internet kiosks, suggesting that the use of such devices for anything that involves usernames and passwords is unwise.

Internet kiosks are machines set up in public places like airports, libraries, universities, conference centers and so on, to offer paid Internet access to people who need to get online but don't have a laptop or smartphone with them.

The operating system on these devices is usually locked down in order to prevent people from installing unauthorized programs that would compromise the security of future users.

However, during his talk at the Kiwicon hackers conference in New Zealand this week, local security consultant and researcher Paul Craig demonstrated flaws in five different popular kiosks, running both Windows and Linux, that could be exploited to do exactly that.

The hacker was able to gain full system access, which allowed him to execute arbitrary code and alter the default security settings of the machines.

"Paul Craig's talk made it quite clear that using most kiosks for anything to do with personal information is incredibly risky. They simply do not provide the safety and security they are supposed to," said Paul Ducklin, Sophos' head of technology for the Asia Pacific region, who was in the audience.

He explains that the problem with such kiosks is their large attack surface, which stems from a need to also enable other activities aside from simple browsing.

"Just viewing a web page is not enough - users also want to be able to download and read PDFs, view documents and spreadsheets, watch Flash videos, and much more. This complexity, as usual, ends up being the worst enemy of security," Ducklin notes.

Craig also tested the security of photo kiosks, similar machines that are found in camera shops and allow users to print pictures stored on USB devices.

Such machines have been known to be carriers of USB malware; however, when it comes to being hacked, they are apparently more secure than Internet kiosks.

The researcher said this is because these devices have a better-defined functionality and there's not much on them an attacker could try to exploit.

Ducklin concludes that as far as Internet kiosks are concerned, "Internet banking, access to on-line accounts such as social networks, and the like, are all definite no-nos."