A Kiwi website delivering an attack tool that targets internet kiosks and terminals has received more than 14,000 unique visitors.
The site, developed by New Zealand security consultant Paul Craig, who works for consultancy Security-Assessment.com, released his kiosk research at the world’s largest hacking conference, DEF CON, in Las Vegas in August.
That research led to him developing a toolset dubbed iKAT (interactive kiosk attack tool) that, when downloaded from the website, produces a command shell that allows the user to compromise a terminal by by-passing the security access controls.
The reaction among the DEF CON audience was immediate, Craig says.
“They ran out of the room to the hotel kiosks, which were all hacked within 10 seconds,” he says. “They continued hacking them. The hotel called in their IT people, then the cops, who stopped people using the terminals. They also stopped them using their mobile phones because they thought they had something to do with it.”
Craig undertook the research after noticing long queues at internet kiosks at Hong Kong airport. “I set myself an objective of finding every possible method of hacking a kiosk.”
The security vulnerability originates from the operating system and browser software running on the kiosk, the majority of which run commercial kiosk software based on Windows.
Craig used native Windows functionality to bypass the access controls and execute arbitrary commands.
DEF CON is organised by the security community, and speakers can apply for the opportunity to present their research.
Craig says his attack methodology is being observed and used by the kiosk vendor community.
“It’s also being used by a lot of security consultants.”
He says that the methodology can also be used for Citrix terminals.
Craig says he’s not aware of any New Zealand kiosks being hacked. There are no kiosk software developers in New Zealand.
Rather, the software is downloaded from overseas and installed in a physical shell.
Security-Assessment.com specialises in information security advisory and assessment services. It was acquired by Datacraft NZ in 2007.