Airport Internet Kiosk Phishing
Feb 9th, 2009 by sherri
Walking through the Minneapolis airport, a friend and I came across something… not right.
Airport kiosk phishing, anyone?
Let’s review:
- The kiosk had a live keyboard connected to the BIOS setup
- A USB port was easily accessible and listed as a boot option
- The kiosk routinely processed highly valuable (and regulated) personal information, such as credit card numbers and email passwords
- Despite the fact that the kiosk had a super sketchy software error displayed on a screen 4′ high, people lined up to swipe their credit cards and type in their email passwords anyway.
- The BIOS was displayed and accessible the entire time we were at the airport (a few hours). Airport security staff sat in little carts right next to the kiosk, and didn’t seem interested in reporting the error to anyone. For all we knew, it could have been like that for days.
When a kiosk is bootable from an easily accessible USB port, this opens it up to a variety of attacks. If we were Evil, we could have created a bootable USB thumb drive with our own “New and Improved” Internet Access software (i.e. a simple customized Linux distribution) and booted the kiosk off of that. That software, which would always run before any of the normal kiosk software, could record credit card numbers and passwords and store them on the thumb drive, which we could later snatch. Given that people didn’t seem at all fazed by glaring software glitches, our Evil software probably wouldn’t even have to be very good to successfully snag valuable financial and account information.
Even worse, if the internal hard drive was writable, we could have modified GateStation’s operating system and inserted our malicious code into the legitimate software. If we were really sneaky and willing to put in the effort, we might have been able to flash the Award BIOS and insert our own low-level malware, which would be extremely difficult to detect. This would be a sophisticated attack, but given the high payoff, criminals might consider it worthwhile.
The value of information entered into airport kiosks is very high, but often the level of security is not commensurate.
Sherri Davidoff
PGP-signed text: 2009-02-08
Or, for those a little more white hat: free internet from the kiosk with your own small Linux USB key system.
And if the system is really that vulnerable, booting your own controlled OS is certainly more secure in the first place!
Please tell me you saw a reboot button you could press, or even a power plug you could yank. Ohhh, their system looks Win based, how about just hitting Ctrl-Alt-Del a lot!
Next time you find yourself at that airport (or others like it), you could come prepared with your own flash updater on a bootable iPod, and install your own BIOS by simply unplugging the unit temporarily. Then you’d naturally move to the next terminal, until you found one that ‘was compatible with your iPod’, updating all the BIOSes in the terminal.
After this, you’d naturally giggle all the way to your destination, basking in the thought you were the first hacker to think of this scheme.
Kiosk hacking can prove very fun simply from a “puzzle” point of view. I have a REALLY hard time not trying to “break out” of kiosks anytime one is around and accessible.
At one location, a friend and I may or may not have been disgruntled at the massive amounts of money they wanted to charge for internet access at a kiosk. After a few minutes we may have found that the main “pay” page was really an HTML file with images. Long story short, the link might have been modified to directly open IE if you clicked anywhere on the screen. We could have done anything. Internet kiosks are high value and low risk for attackers; hopefully the companies will improve their security (without forgetting about USB ports heh). They could at least have the host company keep an “eye” on them for strange activity.
The link below is badass for messing with kiosks. Hats off to Paul Craig for his excellent (and hilarious) talk at DEF CON and some great work on iKat.
http://ikat.ha.cked.net/