Attacking Internet Kiosks

download Attacking Internet Kiosks

of 41

  • date post

    30-May-2018
  • Category

    Documents

  • view

    214
  • download

    0

Embed Size (px)

Transcript of Attacking Internet Kiosks

  • 8/14/2019 Attacking Internet Kiosks

    1/41

    Attacking Internet

    Kiosks

    Michael theprez98 Schearer

  • 8/14/2019 Attacking Internet Kiosks

    2/41

    References

    n This presentation is based upon the workof Paul Craig and his presentations

    about hacking Internet kiosks atDEFCON16, ShakaCon 2009, andBruCon 2009 (www.security-assessment.com)

  • 8/14/2019 Attacking Internet Kiosks

    3/41

  • 8/14/2019 Attacking Internet Kiosks

    4/41

  • 8/14/2019 Attacking Internet Kiosks

    5/41

  • 8/14/2019 Attacking Internet Kiosks

    6/41

  • 8/14/2019 Attacking Internet Kiosks

    7/41

  • 8/14/2019 Attacking Internet Kiosks

    8/41

    Internet Kiosk Hardware

    n Public internet terminals found in hotels,airports, train stations, libraries, etc.

    n Custom hard-shell case typically lackingphysical access to the computer

    n Restricted ability for input

    ((Floppy/DVD/USB/FireWire)n Secured to ground

    n Pay mechanism built into the kiosk

  • 8/14/2019 Attacking Internet Kiosks

    9/41

    Internet Kiosk Software

    n 40+ different commercial kiosk products;most are Windows-based

    n Windows is made to look like a kioskterminal

    n Implements standard Windows/Internet

    Explorer librariesn Windows Functionality Wrapped In A

    Kiosk Candy Shell

  • 8/14/2019 Attacking Internet Kiosks

    10/41

    Kiosk security

    n Kiosk vendors try to implement securityfeatures

    n Security is also a functional requirement,and taken seriously

    n Its also a selling point, secure Kiosks are

    not cheap kiosks

  • 8/14/2019 Attacking Internet Kiosks

    11/41

    Kiosk security model

    n Kiosk software is based on a Principal of LeastPrivilege A kiosk user must ONLY have access to browse the

    internet Kiosk software must prohibit all other activity

    n Security implemented through two approaches: Functionality reduction by activity blacklist

    n Prohibiting access to native OS functionalityn

    Anything not required to browse the internet User interface security/sandboxing

    n Graphically jailing a user into a kiosk interface/GUIn Kiosk software is ran in full screenn Start bar/tray menu removedn No ability to click out of, or escape the kiosk browser

  • 8/14/2019 Attacking Internet Kiosks

    12/41

    Kiosk security model examples

    n Browser runs in high security mode

    n Keyboard driver disables special shortcuts

    n Custom mouse disables right-clickn Timer monitors usage of blacklisted apps

  • 8/14/2019 Attacking Internet Kiosks

    13/41

  • 8/14/2019 Attacking Internet Kiosks

    14/41

  • 8/14/2019 Attacking Internet Kiosks

    15/41

    Core security issues

    n Blacklists dont work

    n Websites visited from the Kiosk are not

    factored into the security modeln Underlying browser technology

    implements security by User

    Interaction

  • 8/14/2019 Attacking Internet Kiosks

    16/41

    Blacklists dont work

    n 100 different ways to do anything on anyOS!

    n A Kiosk blacklist must stop EVERYmethod, they dont

  • 8/14/2019 Attacking Internet Kiosks

    17/41

    Windows is flexible

    File:/C:/windows

    File:/C:\windows\

    File:/C:\windows/

    File:/C:/windows

    File://C:/windows

    File://C:\windows/

    file://C:\windows

    C:/windows

    C:\windows\

    C:\windows

    C:/windows/

  • 8/14/2019 Attacking Internet Kiosks

    18/41

    Websites visited from the Kiosk are

    not factored into the security modeln Kiosk rely on default browser security

    policy when dealing with remote sites

    n This policy was not designed for aKiosk/public environment

  • 8/14/2019 Attacking Internet Kiosks

    19/41

    Browser technology implements

    security by User Interactionn Browser will trust the Kiosk user

    n Are you sure you want to run this?

    n Dont trust what I say!

  • 8/14/2019 Attacking Internet Kiosks

    20/41

    Attack vectors

    n Physical input Interacting with the kiosk GUI

    Using the keyboard and mouseClicking buttons, graphics, menus

    Typing values into the URL bar if available

    n

    Remote inputRemote browser content

    Input from a website

  • 8/14/2019 Attacking Internet Kiosks

    21/41

    Method of attack

    1.Escape the kiosk graphical jailMinimize or close the Kiosk browser

    applicationPop a command shell. : taskkill /IM

    KioskBrowser.exe

    Enable the hidden (real) Windows Start bar

    Get Back To Windows2.Download additional binaries to the kiosk

    Port scanner, Metasploit, rootkit, trojan,keylogger

  • 8/14/2019 Attacking Internet Kiosks

    22/41

    Physical escapes of kiosk jail

    n Use the URL bar to browse the file system

    n Invoke the File View control to enable

    Windows Explorer capabilitiesn IE Image Toolbar

    n Keyboard shortcuts (including kiosk-

    specific shortcutsn Etc.

  • 8/14/2019 Attacking Internet Kiosks

    23/41

  • 8/14/2019 Attacking Internet Kiosks

    24/41

    Remote escape solution?

    Interactive Kiosk Attack Tooln Kiosk reconnaissancen Display local browser variablesn

    Display remote server variablesn Invoke dialogs with JavaScript/HTMLn Use Flash to create Common Dialogsn Spawning applications

    n Downloading files using native Windowsfunctionality

  • 8/14/2019 Attacking Internet Kiosks

    25/41

  • 8/14/2019 Attacking Internet Kiosks

    26/41

    So you can imagine what

    happened next

  • 8/14/2019 Attacking Internet Kiosks

    27/41

  • 8/14/2019 Attacking Internet Kiosks

    28/41

    Predictably, SiteKiosk has

    blocked iKAT

  • 8/14/2019 Attacking Internet Kiosks

    29/41

  • 8/14/2019 Attacking Internet Kiosks

    30/41

    Solution 1: iKAT Portable

    n complete copy of the iKAT website

    n free of charge, no strings attached, 100%

    malware freen Run your own version, host iKAT portable

    and become a Kiosk wizard

    n extract it to a web server capable ofserving static content

  • 8/14/2019 Attacking Internet Kiosks

    31/41

    Solution 2: Change the address

    n Instead ofikat.ha.cked.net, tryikat2.ha.cked.net

  • 8/14/2019 Attacking Internet Kiosks

    32/41

    Success!so far

  • 8/14/2019 Attacking Internet Kiosks

    33/41

    Lets play around withSiteKiosk

  • 8/14/2019 Attacking Internet Kiosks

    34/41

    but

    n SiteKiosk has really gone overboard todevelop security countermeasures

    specific to iKATn It turns out that SiteKiosk can be exploited

    You can crash SiteKiosk with vbscript, but

    You still cannot run cmd.exe or access anysystem functions

  • 8/14/2019 Attacking Internet Kiosks

    35/41

    (I found this out about11:30PMlast night)

  • 8/14/2019 Attacking Internet Kiosks

    36/41

    Temporarily sidetracked, butdo you really think Im going to

    give up? SiteKiosk isnt theonly kiosk software outthere

  • 8/14/2019 Attacking Internet Kiosks

    37/41

    How about NetStopPro(to be fair, I started playing

    with NetStopProabout12:15amthis morning. Justso you dont expect too

    much)

  • 8/14/2019 Attacking Internet Kiosks

    38/41

  • 8/14/2019 Attacking Internet Kiosks

    39/41

  • 8/14/2019 Attacking Internet Kiosks

    40/41

  • 8/14/2019 Attacking Internet Kiosks

    41/41

    Attacking Internet

    Kiosks

    Michael theprez98 Schearer