
Talk 1 - A. Koureleas, G. Tyritidis - Hacking your favorite Kiosk

BSides Athens · 19:22 · 146 views · Published 2024-03

[Applause] Hello everybody, hello, thanks. So, welcome to "Hacking your favorite kiosk". This is Aristotelis; he's a penetration tester at TwelveSec, he plays guitar and he also sings. You can find him on LinkedIn. Yeah, you know, he's a boomer, he doesn't have Twitter, that's why we bully him, and that's all. This guy is George; he also plays guitar, we had a band also, that we can play together. He's also a penetration tester at TwelveSec, and he's not a boomer because he has [Music]... Okay, moving on with the most important question of the presentation: what is a kiosk? This is a kiosk. Moving on: how to attack a kiosk. Okay, this is how to attack a kiosk. Moving on, and now let's talk about how to hack a kiosk, or maybe one more way to hack a kiosk.

Okay, let's discuss a little bit more what we mean by "kiosk" in this presentation. Kiosks can be found in various locations, including coffee shops, restaurants, libraries, etc. They are Windows or Android machines. The basic detail they have is that they are in an isolated environment which locks a specific application: it doesn't allow users, public users like you and me, to interact with the basic operating system of the device, but only with a specific application or applications.

Okay, yes, another thing about kiosks. Sorry: we had a project that was around kiosks, so we started researching the topic and trying to figure out what to do. So we started with a Google search on what a kiosk device is. As you can see, the first thing that came up was a feature that Windows has called kiosk mode. We did a little bit more research for our project and we saw that it is likely to meet a kiosk device with a Windows operating system. So we started our preparation. We first set up a virtual Windows lab. We used the kiosk mode that Windows has, and also a tool called FrontFace Lockdown Tool that locked the Microsoft Edge web browser for us. Basically, what we did was set up a simulation of a kiosk, which was an internet web-browsing kiosk if you want, with a keyboard to write comments or Google, and a mouse to navigate through the system, and then we tried to escape from this isolated environment. Okay, this is just a video of how we managed to attack this.

This attack worked for us on this specific example I gave you, on this specific simulation of a kiosk that we made. Basically, what we did, I'm going to explain it now from the start: we have, in kiosk mode, a website, our website. By pressing F1 we redirect ourselves to the Microsoft Edge homepage. From there we try to download a file so that the File Explorer would pop up, and from there we just call the CMD prompt, and that's it: we escape the lockdown environment and we have access to the Windows operating system.

Okay, the next thing that we did was to arm our tools: to prepare our [unclear] and BadUSBs and Flipper Zero, and to write [unclear], basically to have a physical attack in case we have USB ports exposed on the machine. For those of you who have never heard of BadUSBs: BadUSBs emulate a human input device, like a keyboard or a mouse. When you plug a BadUSB into a computer, it automatically sends keystrokes to the device and eventually will download or execute malware, among other nice stuff. Anyway, I won't analyze it further, because we didn't actually use them so much; you will see later on that we didn't use them so much. Just think evil when you hear about [unclear]. Okay, so we also made a bootable USB with the Kali Linux operating system, just to mount the hard drive. The next thing: we grabbed these USBs, we grabbed our Flipper Zero, we grabbed a USB cable and an Ethernet cable, and we put it all together in a big bag, yes, like that. Okay, to be honest the bag wasn't that big, they were small things. Anyway, we were ready and we were off to go to the client. George is going to help me with this presentation.

So we headed to the client and then we were wondering what to do, so we created a small checklist to help us go through the engagement. We should answer all these three questions: which OS is it running? Are there any exposed physical ports? Do we have power supply access? So we started by trying to answer the first question. Yes, we had access to physical ports. Yes, we had access to the power supply: we could unplug and plug in the device. And so we thought, what's the easiest way to check which operating system runs behind the device? Simply by rebooting it. So we unplugged it and plugged it back in, and then it automatically rebooted, and we saw that it was an Android system. Okay, now what?

To organize our thoughts, we categorized our attacks on what we can do once our attack surface is a mobile device, a kiosk mobile device. So we categorized them as application-level attacks, OS-level attacks and hardware-level attacks. When we are talking about application-level attacks, we mean all the mobile app attack surface that you should have on a mobile penetration test, and also in scope is crashing the application, because this would help us to exit the isolated environment, and, yeah, that [unclear]. And finally, we can use protocol handlers to escape a browser, maybe, if we have access to a browser, and then we could input a link; the link would be like "[unclear]", and this would maybe help us to exit. By the way, this is a great tool made by a very cool guy called Paul Greg; he made a presentation at DEF CON about this, you can check this out, it's really good.

Okay, about operating-system-level attacks: do we have an isolated environment? Is there any application that maybe isolates another app? What happens? Are the gestures enabled: can we swipe down with three fingers and maybe exit or minimize the application? Are the keyboard shortcuts enabled? If you don't already know, if you plug a physical keyboard into an Android environment, you can navigate from there too, so if you press the Home button on your keyboard you can just minimize an application. What's the reboot behavior: does the device automatically open the isolated environment, or does someone need to manually open it using a PIN or something? And PIN forcing: when we say PIN forcing, we mean that basically most of the isolated kiosk devices have a PIN that allows the developers to exit from it. In most of the cases the PIN is a four-digit code, so you can just brute force it and exit the application the intended way. And finally, hardware-level attacks: do we have secure locks in place that restrict access to physical ports like USBs, etc.? Do we have exposed physical ports? And finally, is the power supply exposed?

Yeah, and now let's talk about how we escaped. We escaped with all the previous techniques mentioned, so let's summarize them. We made the application crash using various ways. One of them: it was an ordering system where you could write a comment on your food to specify, like, "I don't want so much ketchup" or something, and if you wrote a very huge comment the application couldn't handle it, and then when you tried to send it, it crashed, so that allowed us to escape. We would also escape through Android's keyboard features, because, as you already know, in your Google keyboard you have some buttons, so you can just go to the settings from there; we could do that too. Also, as we were able to, we had physical access to physical ports, so we could just plug in our keyboard and press the Home button on our keyboard, and then the application just exited. And also the very weird thing was that when we rebooted the device, it didn't automatically open the isolated environment, and someone needed to come to open it and then restrict the access again. And finally, the PIN forcing: as mentioned before, the intended way for them to exit the isolated application was by pressing five times at the bottom right corner. So if you pressed five times at the bottom right corner, a small menu would pop up that asked you for a PIN, and the PIN was actually "1". It was not four digits, it was just "1". Thank you, and let's move on to the post-exploitation.

Okay, now we're in. Okay, we have an Android operating system and we are in. Let's take a breath to do our post-exploitation attacks. The most important: root the device. To do that, there are some steps that we are going to follow. The steps are: first, you must enable USB debugging. All the Android devices by default have USB debugging disabled. You know, there is a trick, I don't know if you know it, but you can press the build number and open a hidden menu called Developer options, and from there you can enable USB debugging. That's what we did: we enabled USB debugging in order to connect our attacking device with the Android. The next step is to enable OEM unlock. This is a feature, actually, that the manufacturer made for us, for every public user, in order to avoid the simple user destroying the device, messing up the device, so they made this feature that actually locks the bootloader. That's important. Anyway, you can see in the left screenshot that we managed to enable OEM unlock, to basically unlock the bootloader of the device, and the next step was to reboot the device into safe mode. This happened because we would disable the bootloader. So in the right screenshot you can see the device in safe mode. From there it was very easy, because the Android operating system that we had was outdated, so by simply using the KingoRoot application we managed to have root access.

Okay, let's go to the second post-exploitation step: persistence. It's important also. Persistence through ADB: ADB is also debugging, like USB debugging, but you can do it wirelessly also, through the network, without the USB cable. Also, you can mark your attacking PC, your attacking device, as a safe device and you can connect to the victim device, the Android device, without credentials, just by hitting the device. So you can use that for persistence, also through the network, etc. Persistence through malware: the way that we did it was with a simple APK that we made using msfvenom. You can see the simple command; we made the malicious, actually reverse, APK, and as you can see we got a shell like that. You can also have the application running forever; you can lock the application to run every time the machine boots; you can do a lot of stuff and have persistence forever. Okay, the third is: exploit nearby devices which are connected to the same network, using the kiosk. Okay, countermeasures; can you help me with that? Thank you.

Let's talk about countermeasures: how can we avoid our kiosk getting hacked? Things are simple. We should start with secure coding practices, sanitizing our inputs for example; we should have a stable application, an updated environment, and use a proper kiosk application that helps us isolate our environment so that anyone cannot exit to the operating system context. We should not expose physical ports like USB ports, buttons and stuff like that, and we should also not have access to the power supply. I think that's all. Yeah, these are the references that we talked about in the presentation; you can have the PowerPoint later so you can have them. And that was it from us. Do you have any questions?

Thank you.
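The PIN-forcing escape and the unlock-prompt countermeasure the speakers describe, modelled in Python as an added example: this is the editor's illustration, not code from the speakers, the kiosk vendor or the talk. The class names, the constructed PINs ("1" as in the talk, "4721" as a four-digit stand-in) and the lockout parameters are assumptions. The weak prompt behaves like the one found on the engagement (short numeric code, plain comparison, unlimited attempts), the hardened one refuses guesses during a lockout window that doubles each time it trips, and the brute-forcer waits out each lockout on a simulated clock so the run finishes instantly while still reporting the wall-clock time a real attacker would need.

```python
import hmac
import itertools
import string


class WeakKioskUnlock:
    """Hypothetical 'maintenance exit' prompt like the one in the talk:
    a short numeric code, plain comparison, no attempt limit."""

    def __init__(self, pin: str) -> None:
        self._pin = pin

    def locked_for(self, now: float) -> float:
        return 0.0  # never locks out

    def try_unlock(self, guess: str, now: float) -> bool:
        return guess == self._pin


class HardenedKioskUnlock:
    """Hardened prompt (assumed design, not the vendor's): constant-time
    compare and a lockout after max_attempts failures whose length doubles
    on every trip, so exhausting a 4-digit space takes years, not minutes."""

    def __init__(self, secret: str, max_attempts: int = 5,
                 base_lockout_s: float = 30.0) -> None:
        self._secret = secret.encode()
        self._max_attempts = max_attempts
        self._base_lockout_s = base_lockout_s
        self._failures = 0
        self._trips = 0
        self._locked_until = 0.0

    def locked_for(self, now: float) -> float:
        """Seconds until the prompt accepts input again (0 if not locked)."""
        return max(0.0, self._locked_until - now)

    def try_unlock(self, guess: str, now: float) -> bool:
        if now < self._locked_until:
            return False  # refused without even comparing the guess
        if hmac.compare_digest(guess.encode(), self._secret):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= self._max_attempts:
            self._failures = 0
            self._locked_until = now + self._base_lockout_s * (2 ** self._trips)
            self._trips += 1
        return False


def brute_force(unlock, digits: int, budget: int):
    """Enumerate every `digits`-digit code in order, waiting out any lockout
    on a simulated clock. Returns (code_or_None, guesses_made, seconds_elapsed)."""
    now = 0.0
    guesses = 0
    for combo in itertools.product(string.digits, repeat=digits):
        if guesses >= budget:
            break
        now += unlock.locked_for(now)  # the attacker simply waits for the window
        guesses += 1
        code = "".join(combo)
        if unlock.try_unlock(code, now):
            return code, guesses, now
    return None, guesses, now


if __name__ == "__main__":
    # Constructed PINs: "1" as in the talk, "4721" as a four-digit example.
    print(brute_force(WeakKioskUnlock("1"), 1, budget=10))
    print(brute_force(WeakKioskUnlock("4721"), 4, budget=10_000))
    code, n, secs = brute_force(HardenedKioskUnlock("4721"), 4, budget=100)
    print(code, n, f"{secs / 86400:.0f} days of waiting for only {n} guesses")
```

The weak prompt falls on the second guess for the one-digit PIN and within 4722 guesses for the four-digit one, with no waiting at all. Against the hardened prompt the same enumeration manages only 100 guesses after roughly half a year of cumulative lockout, which is the practical effect of combining an attempt limit with exponential backoff; a longer secret on top of that widens the gap further.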