NZ Security Consultant develops hacking tool for public kiosk terminals
Wellington 13th November 2008 - Security Consultant, Paul Craig from Security-Assessment.com, released some breakthrough research at the world’s largest hacking conference, DEF CON 16 in Las Vegas in August this
This research highlighted the insecurities associated with Internet kiosk terminals and yielded an attack methodology, the first of its kind.
The toolset developed as part of Paul's research, dubbed iKAT (interactive Kiosk Attack Tool), demonstrated how a would-be attacker could compromise a Windows kiosk terminal in under 10 seconds.
Using this methodology, an attacker can execute arbitrary commands on the kiosk. One application of the approach is the compromise of a shared terminal in a corporate reception area, which could then be used as a foothold from which to attack the internal corporate network.
Internet kiosks are growing in popularity, appearing in public places such as airports, hotels and lobbies, yet they are rarely examined by security professionals for weaknesses. This popularity, combined with poor security visibility, makes them an ideal target for malicious users.
The idea came to Paul during a long stopover at Hong Kong airport in 2007. “I noticed the queue of people waiting to use
a hub of Internet kiosks. I thought, those kiosks sure are popular, I wonder if I could hack it?”
“I set myself a personal objective to find every possible method of hacking an Internet kiosk and become the ‘King’ of
Internet Kiosk Hacking!”
Kiosks are typically built into tough hard-shell enclosures of fibreglass or wood. Because the computer case itself is inaccessible, all removable media and ports (floppy, DVD, USB, FireWire) are hidden, and the kiosk is often bolted to the floor or padlocked. The general public is not trusted, and the kiosk is designed to prevent theft and malicious use.
The weaknesses, however, originate in the operating system and browser software running on the kiosk rather than in its physical enclosure. The majority of kiosks run commercial kiosk software on Windows; more than 44 commercial Windows kiosk products are available on the market. These are marketed as a quick way to "Turn that old PC into instant revenue! ....buy the $59.99 Shareware, install it and you have an Instant Kiosk!"
Paul used native Windows functionality to bypass the access controls on the kiosk terminal, which in turn allowed him to take direct control of the kiosk and execute arbitrary commands.
During this research Paul also discovered multiple previously unpublished flaws in browser plug-ins (such as Adobe Flash) and in commercial kiosk platforms. These were used as additional attack vectors to gain further control over the kiosk terminal.
In addition to presenting at DEF CON 16, Paul has showcased the attack methodology at security conferences around the globe, including Hack.lu in Luxembourg, Hack In The Box in Malaysia and Kiwicon 07 in Wellington.
What is DEF CON?
DEF CON (also written as DEFCON or Defcon) is the world's largest annual hacker convention, held every year in Las
Vegas, Nevada. The first DEF CON took place in June 1993, and in 2008, over 8500 people attended DEF CON 16.
Attendees at DEF CON include computer security professionals, journalists, lawyers, federal government employees, crackers, and hackers with a general interest in computer code and computer architecture. The event consists
of several tracks of speakers about computer- and hacking-related subjects, as well as social events and contests in
everything from creating the longest Wi-Fi connection and cracking computer systems to who can most effectively cool a
beer in the Nevada heat. Other contests include lockpicking, robotic-related contests, art, slogan, coffee wars, and
Capture the Flag. Capture the Flag (CTF) is perhaps the best known of these contests. It is a hacking competition where
teams of hackers attempt to attack and defend computers and networks. CTF has been emulated at other hacking conferences
as well as in academic and military contexts.
DEF CON 16 was held from August 8-10, 2008 at the Riviera Hotel & Casino in Las Vegas.
The event is organised by the security community, and speakers apply for the opportunity to present their research.
Organisers give preference to unique research, new tool releases, 0-day attacks (with responsible disclosure), highly technical material, social commentary, and ground-breaking material of any kind.
Security-Assessment.com specialises in information security advisory and assessment services. The company is based in Wellington and Auckland and is engaged in projects across New Zealand and the Asia Pacific region.
The services offered include independent security advisory, assessment and assurance services to help organisations
establish and maintain a secure environment, an effective enterprise security strategy and stay ahead of the game in
These services cover the complete strategic framework for enterprise security requirements:
• Management & Governance
• Risk Assessment
• Policies and Standards
• Compliance and Awareness
• Security Assurance
• Incident Management
• Performance and Metrics
Security-Assessment.com is a Qualified Security Assessor under the Payment Card Industry Data Security Standard.
In 2007, security-assessment.com (www.security-assessment.com) was acquired by Datacraft NZ (www.datacraft.co.nz) to complement their existing network security capability. Datacraft is celebrating their 30th year of operation in New
Paul Craig is a principal security consultant at Security-Assessment.com in Auckland, New Zealand. Paul specialises in application penetration testing, security research and exploit development. He has released multiple critical advisories for products from major vendors such as Microsoft, Adobe, HP and 3Com, authored and co-authored several best-selling books on security, and spoken at security conferences around the globe (including Syscan, Kiwicon, VNSec, RuxCon, DEF CON, Hack.lu and Hack In The Box).
Further background material is available online. (Listen to the first 10 minutes of Paul's talk at Kiwicon 08, where he talks about releasing iKAT at DEF CON.)
Datacraft is a wholly owned subsidiary of Dimension Data plc (LSE:DDT), a US$4.5 billion leading global IT solutions and services provider. Datacraft operates in over 50 offices across 13 Asia Pacific countries. We help clients plan, build, support, manage, improve and innovate their IT infrastructures. Datacraft combines expertise in networking, security, data centre, storage, Microsoft solutions and contact centre technologies with advanced skills in consulting, integration, training and managed services to craft IT solutions for businesses. For more information, please visit www.datacraft-asia.com
From Wikipedia - http://en.wikipedia.org/wiki/DEF_CON