How Do You Secure A Kiosk? Not Like This.

So I stopped by the Branson (Missouri) Regional Airport recently, and I spotted this kiosk:


A one-browsered bandit
Click for full size

It offers the user the opportunity to enter some sort of contest to go to Nashville. It’s obviously a Web browser in kiosk mode, but this one has a full keyboard with a trackball and two mouse buttons. Uh oh.

So I click the Contest Rules link at the bottom and get the contest rules, which has a naked link at the top that takes you back to the form. But hover over the link and right click and…. Uh oh.


Right click is wrong
Click for full size

What happens if I open that in a new window? Hello, Internet!


Hello, Internet!
Click for full size

So a user has complete access to the Internet. Go where you want. Get all the malware you want. I didn’t try to see if a regular download and install worked, but I would not doubt it. What happen if I ALT+TAB?


Right click is wrong
Click for full size

Lookie there! Lookie there! It’s the command line. A little CTRL+C action and I have access to issue commands to the machine and maybe even the network.

So is that Cat-5 cable running out of the back of the box connected to the airport network itself or a dedicated safe portal to the Internet? Given what we’ve seen here, what do you think?

If you’re ever called to check out a kiosk application, not only should you run through the form the kiosk will host, but you should get a kiosk itself and run it through its paces and look outside the confines of the application to look for security pitfalls.

You need to check out the user interface action. This kiosk gives the user all the normal tools that users need for full input opportunity to the Internet. Some kiosks only have touchpads or touchscreens. Here are a couple of things to think about:

  • Know your keyboard shortcuts. Most people don’t know these keyboard shortcuts, but they do things to your active window (even your kiosked browser). What can you do with that?
  • Know your internal browser behavior. I remember seeing a kiosk with only a touchscreen that offered the Web sites of a building’s residents. Within a touchscreen environment, you would think you’re limited to navigating through links in the browser window. You would be wrong. mailto: links trigger the helper application associated with e-mail. What can you do when you try that?
  • What happens when you unplug the machine and plug it back in? It reboots, probably, affording you the ability to go into alternate bootup scenarios and whatnot. Should your user have access to that? Probably not.

To begin vetting kiosks, you need to think outside the terms of your application and think in terms of the technologies that encapsulate it. The better you understand those and can identify the ways users could interact with the whole kiosk, the better you can prevent them from doing so inappropriately.

8 Responses to “How Do You Secure A Kiosk? Not Like This.”

  1. jstrazzere Says:

    Nice, work!

    Real-world examples of a kiosk-gone-bad, with good thoughts on how to do better.

  2. porklord Says:

    Love it.

    I ran into one of those for some travel deal that had a full surround sound setup. They had right-clicking blocked but I could still F11 to get the address bar. I took the opportunity to go to my site and load up my band’s mp3s. Then I f11’ed back out so the rep wouldn’t know how I did it. You could hear the bass all the way at the other end of the mall.

  3. The Director Says:

    That’s the nicest thing you’ve ever said to me, Joe.

    Are you looking for work?

  4. The Director Says:

    Always with a quip, this guy. Seriously, though, I’m glad you liked the post. I’m also glad that the TSA didn’t take me to a windowless room in the airport and confiscate my camera.

  5. jstrazzere Says:

    Are you looking to outsource some of your hate? (I don’t think I’d fit the hater profile.)

    😉

  6. jstrazzere Says:

    “I’m also glad that the TSA didn’t take me to a windowless room”

    You mean “yet”.

  7. The Director Says:

    “This time.”

  8. dsynadinos Says:

    Years ago, when I worked at CompuServe, I visited the Center Of Science and Industry (COSI) in Columbus, Ohio. In their “technology” area, they had a kiosk setup running DOSCIM. It was “locked down”, so that users could only browse a few, selected forums. However, having “insider knowledge”, a few keystrokes later I was in the “CB Simulator” typing, “Hi, everyone! I’m at a museum!”. After navigating to one of the “adult” forums, I left the kiosk. You know…to teach them a lesson. *ahem*


wordpress visitors