-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<!-- 2009-02-08 -->Walking through the Minneapolis airport, a friend and I came across something... not right.
<table><tr>
<td>
<a href="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-internet-access.jpg"><img class="left size-medium" title="" src="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-internet-access-300x61.jpg" alt="" width="235" height="48" /></a>
<a href="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-enhanced.jpg"><img class="left size-medium" title="" src="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-enhanced-299x60.jpg" alt="" width="235" height="47" /></a>
<a href="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk1.jpg"><img class="left size-medium" title="" src="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk1-235x300.jpg" alt="" width="235" height="300" /></a>
</td>
<td>
Apparently, the "New and Improved" Internet Access GateStation kiosk had rebooted, and hung with the BIOS displayed. 
<br>
We laughed and walked closer to get a good look.
</td>
</tr>
<tr>
<td>
<a href="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-screen3.jpg"><img class="left size-medium" title="" src="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-screen3-300x190.jpg" alt="" width="300" height="190" /></a>
</td>
<td>
Interesting. It was configured to boot off a USB floppy drive. There couldn't be a USB port accessible... could there?
</td>
</tr>
<tr>
<td>
<a href="http://philosecurity.org/wp-content/uploads/2009/02/broken-usb-port4.jpg"><img class="left size-medium" title="" src="http://philosecurity.org/wp-content/uploads/2009/02/broken-usb-port4-300x179.jpg" alt="" width="300" height="179" /></a>
</td>
<td>
Turned out there was a USB port...
</td>
</tr>
<tr>
<td>
<a href="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-keyboard.jpg"><img class="left size-medium" title="" src="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-keyboard-300x100.jpg" alt="" width="300" height="100" /></a>
</td>
<td>
...Right next to the keyboard. Hmmm.
</td>
</tr>
<tr>
<td>
<a href="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-j3.jpg"><img class="left size-medium" title="" src="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-j3-173x300.jpg" alt="" width="173" height="300" /></a>
</td>
<td>
That keyboard couldn't possibly control the BIOS screen, though.
</td>
</tr>
<tr>
<td>
<a href="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-screen-switched2.jpg"><img class="left size-medium" title="" src="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-screen-switched2-300x188.jpg" alt="" width="300" height="188" /></a>
</td>
<td>
Oh, wait. It did. We had inadvertently switched the boot device from "USB FDD" to "USB ZIP/Flash."
<br>
We could probably boot the kiosk off our own USB thumb drive if we wanted.
</td>
</tr>

<tr>
<td>
<a href="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-screenshot2.jpg"><img class="left size-medium" title="" src="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-screenshot2-300x194.jpg" alt="" width="300" height="194" /></a>
</td>
<td>
The kiosk had two terminals. One screen was dead and the keyboard was connected to the BIOS display. The other screen appeared to be fully functional. The functional terminal advertised "Go to Web" "Get Email" and "Flight Info." 
</td>
</tr>


<tr>
<td>
<a href="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-payment-screen-partial.jpg"><img class="left size-medium" title="" src="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-payment-screen-partial-300x207.jpg" alt="" width="300" height="207" /></a>
</td>
<td>
Clicking on the "Get Email" link brought up a payment screen. 
</td>
</tr>
<tr>
<td>
<a href="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-credit-card2.jpg"><img class="left size-medium" title="" src="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-credit-card2-300x278.jpg" alt="" width="300" height="278" /></a>
</td>
<td>
The kiosk accepted cash and credit cards.</td>
</tr>


<tr>
<td>
<a href="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-use-anyway.jpg"><img class="left size-medium" title="" src="http://philosecurity.org/wp-content/uploads/2009/02/broken-kiosk-use-anyway-300x291.jpg" alt="" width="300" height="291" /></a>
</td>
<td>
Even though there was clearly a very strange technical problem, people lined up to use the working terminal of the kiosk. Here is a photograph of one person who swiped his credit card and used the kiosk while we stood there, loudly discussing the potential security implications.
</td>
</tr>

</table>
<br>
<h2>Airport kiosk phishing, anyone?</h2>

Let's review:
<ol>
	<li>The kiosk had a live keyboard connected to the BIOS setup</li>
	<li>A USB port was easily accessible and listed as a boot option</li>
	<li>The kiosk routinely processed highly valuable (and regulated) personal information, such as credit card numbers and email passwords</li>
	<li>Despite the fact that the kiosk had a super sketchy software error displayed on a screen 4' high, people lined up to swipe their credit cards and type in their email passwords anyway.	</li>
	<li>The BIOS was displayed and accessible the entire time we were at the airport (a few hours). Airport security staff sat in little carts right next to the kiosk, and didn't seem interested in reporting the error to anyone. For all we knew, it could have been like that for days. </li>
</ol>

When a kiosk is bootable from an easily accessible USB port, this opens it up to a variety of attacks. If we were Evil, we could have created a bootable USB thumb drive with our own "New and Improved" Internet Access software (ie. a simple customized Linux distribution) and booted the kiosk off of that. The software could record credit card numbers and password, which would always run before any of the normal software, and store them on the thumb drive which we could later snatch. Given that people didn't seem at all phased by glaring software glitches, our Evil software probably wouldn't even have to be very good to successfully snag valuable financial and account information.

Even worse, if the internal hard drive was writable, we could have modified GateStation's operating system and inserted our malicious code into the legitimate software. If we were really sneaky and willing to put in the effort, we might have been able to flash the Award BIOS and insert our own low-level malware, which would be extremely difficult to detect. This would be a sophisticated attack, but given the high payoff, criminals might consider it worthwhile.
<br>
The value of information entered into airport kiosks is very high, but often the level of security is not commensurate.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Use GnuPG with Firefox : http://getfiregpg.org (Version: 0.7.2)

iEYEARECAAYFAkmPxj4ACgkQSAUOoW73R4zDMwCfbOIlwX1Cmk7yvbmymnyw/efm
1sQAnipjbmTA1pbXV9Qs/BxyR1MNPXnH
=a/ab
-----END PGP SIGNATURE-----