
...my absolute pleasure to introduce an old colleague of mine, Dr. Jacob Steedman, with his talk. Here you go, Jake. Thanks very much.

>> Thanks everyone. Thanks for sticking around for "Help Yourself: Exploiting Self-Service Kiosks". I'm Jacob Steedman. I'm an ethical hacker here in Belfast, a former CTF competitor and current CTF creator. "Dr. Jacob" to my American colleagues, it seems to be, and I'm currently a senior pentester at Rapid7.

So some of the key takeaways from this talk: basic kiosk hacking techniques. We're going to look at how kiosk hacking techniques span a range of different security areas, including physical security, application security, hardware and local host exploits, and then breach into the network layer as well once you've exploited that kiosk, and hopefully you'll see ways in which you can expand these concepts to your infrastructure or your organization as a whole. I've been considering doing this talk for a couple of years, and it was actually performing physical security engagements that made me think, actually, this is more relevant than just the kiosk. And it wouldn't be a hacking talk without the obligatory Computer Misuse Act slide, which I didn't put into a previous preview of this talk and was told to put in. So, here it is. [laughter] Don't try this out in the wild. There are plenty of different lab environments where you can practice these kinds of things, and we'll show you one at the end that we've got set up upstairs.

So, what are we talking about when we say self-service kiosks? It's kind of a vague description. It covers a broad range of devices, and that's intentional. We're not targeting any one device throughout this talk. It's a look at all sorts of devices that you see out and about these days, and they're becoming increasingly popular, whether you love them or hate them. If you're ordering fast food, if you're trying to pick up furniture, if you're at a hotel, walking around the street, they're just popping up everywhere; a coffee machine, and we'll see an interesting example that I've seen of a kiosk hack on a coffee machine before. And then, of course, the infamous self-service checkout at supermarkets.

In terms of hacking, then, what are we talking about when we're talking about self-service kiosk hacks? Breaking out of the intended kiosk application. You can see in the bottom left image, trying to get a shell as a way of demonstrating that you've broken out of that and you've got access to the underlying operating system. Another fun example that someone in the community sent me was people watching videos on the handheld scanners in supermarkets. And, as I mentioned, playing Doom on a coffee machine, which someone here achieved. [laughter]

So first of all, rather than looking at the exploits first and then talking about how to secure them, let's look at how kiosks should be secured and some of the controls that might be in place. And then we'll circle back and look at how we can break through those controls and start hacking these devices.

So from the physical layer, access is actually required. You're given this, but it should be strictly limited and monitored. So access to the ports, access to the power should all be limited or restricted behind secure housing, and if possible a human presence should be made within the vicinity of the device to monitor how it's being used.

At the application layer, then, it's a fully functioning application. So you need to consider everything that goes into building a secure app. I mean, this is like multiple talks in and of itself, but the whole secure software development life cycle needs to be addressed: defining your security requirements, conducting threat modeling and testing, and making sure the actual application is secure so that malicious actors can't break through that and get to the underlying OS.

Then at the local host level, if they do manage to break out of that, can they get into a user instance, kind of elevate privileges to be an admin? You need to make sure it's hardened using, like, the CIS benchmarks, that provide a whole list of criteria for making sure these can't be broken out of. In some instances, you'll find that they're actually just like an iOS device or an Android device, in which case mobile device management could be a really secure solution to making sure that interactions with these things can't happen.

So at the network level, then, you're trying to think: does it require internal or external network access? If it does, you need to firewall it entirely, restrict it. You should have network segmentation in place to make sure that your kiosk devices aren't interacting directly with management PCs or backend servers that they don't need access to, or other users within your organization, depending on the environment that it's being put in. And then restrict and remove outbound access if that's not required. And we'll see why that sort of stuff's important in a minute.

So, in summary, for the security side of things, you need to make sure it's in a secure housing, restrict ports and unnecessary access that isn't required, and limit network access as much as possible. And whenever that doesn't happen properly, we'll see how some hacks can be achieved.

So, from the physical level, this is kind of a freebie. They actually want you to access it. They give you access, and a lot of times, most times, they don't even tell you how to use these things. They just give you access, and then you have to figure out what is and isn't allowed yourself. So what you're looking for in this case is: are there exposed cables? Are there exposed ports? Are there exposed locks? And if there are exposed locks, what's behind those locks, and can you bypass them?

In terms of ports, then, we're looking for things like this. So what ports are exposed on the device? If you can get access to these, you can plug in peripherals that can let you break out of the intended kiosk mode, or plug malicious USBs and other devices directly into it. One thing to note is that our old friend here, USB-C, has come along and it's one port to rule them all, but it actually isn't, and we've found instances before, when we're testing devices and trying to break in through the USB-C port, because there are different types of USB-C ports that all just look the same but are labelled slightly differently. Certain payloads don't work through, say, just a data-only USB-C port; you need, like, data and power. So that's fun.

In terms of malicious USBs, then, can anyone identify which of these three is a malicious USB? Not to make people call out, but, spoiler, they're actually all malicious. And they actually are legitimate malicious USBs, not just theoretical. The first one's a Bash Bunny. It can house Ducky Scripts and is operated on a small Linux device as well. The second one's a classic USB Rubber Ducky. We'll see how that operates in a second. And then the third one is a bootable Kali Linux USB. We'll take a look at that in a minute as well.

So in terms of Ducky Scripts, then, you can basically preload these malicious USBs with scripts that will interact with the target device as if it was a keyboard being plugged into it. So a simple example is you plug the USB in and it types "hello world" into the current cursor context. You might look at that and think, so what? But if we take a look at a slightly more complex version of this script: in this one, it's using the Mac GUI space to open the prompt and then enters "terminal". Once you get terminal access, then you can type in full reverse shell strings and get command line access to the target system. A lot of the time you might think that this sort of stuff would all be disabled on these devices if it's not required. But in practice, if people are certain that the kiosk mode application can't be broken out of, then they'll often overlook the next layers of security that are required to make sure it's a fully secure device.

At the application level, then, you've got kiosk escapes, application-level vulnerabilities like local file inclusion or OS command injection, and then broken access control issues. We'll look now at how this can affect the kiosk. So, if you're intended to do, like, a single-finger or single-digit press on the screen, just start interacting with the device and see, okay, well, what happens if I do a double-digit press, a swipe from the corners, and you can get kind of creative in the ways you want to try and interact with this, to try and see what happens if you do a palm press, or whatever that cupped hand is. Then the other thing is, if it's opening an on-screen keyboard for you to put user input into the kiosk application, is it opening a full keyboard like this that has the Windows key? In which case you can press Windows key and R to open the Run prompt and then run command, and you've got a shell again, popping straight into the terminal.

So local exploits, then: you're looking at the underlying operating system access. Can you hijack the boot sequence, which we'll look at in a second? Can you elevate your privileges once you get into the operating system? And can you create persistence? So, if you're able to exploit one of these devices, you don't want to have to go through the same sequence every time of trying to exploit the device. So what you want to do is exploit it once and then create a reverse shell or connection out, and put in some persistent script that'll constantly try and loop through that, so you don't need to keep on performing the full exploit chain every time.

So hijacking the boot sequence, then: this is something that we've done recently. If you can just do as simple as turn the device on and off, and during that reboot sequence try and hijack that boot process, put in your malicious USB that's running a bootable Kali, and then you've got a full Kali instance running on the device. That might not matter so much if it's a completely isolated device, but if it's connected to a network, then you've got a full Kali box on the target victim's network. If you can't use the power button, try pulling out the power cable, putting it back in. And if that doesn't work, maybe a little bit extreme, but turn off the power to the building, turn it back on, and see if you can create the boot sequence that way. I mean, maybe this is a bit of an extreme thing to test, but it is something that should be considered when you're developing these systems. Interrupts could happen, and what happens whenever it's waiting through the boot sequence?

So from the network level, then, you're trying to basically break out of the kiosk into the rest of the network. Try and target backend servers, management PCs, identify whether they run this in a flat network where all the devices are on the same VLAN, or if it's segmented, as it should be, into, like, the guest network, the IoT network, internal devices, and maybe a secure network for, like, employees of the company. From the network level, then, what we're trying to do is see what's in the neighborhood. So once you get onto the device, find your own IP, start looking for other devices that maybe are connected to that range or other internal network ranges, and see what's there. So in this instance, say it's connected to a switch and local network. You've got user PCs or employee PCs, a database, IoT devices connected; it's also connected to a Wi-Fi router; it's connected out to the internet as well. Okay, great. What can we do then? We can create a reverse shell out to our external malicious server, and now we've got persistent access into this network and can begin tunneling our attack traffic from our malicious device through the target, the initial foothold within their network, and then attacking the rest of the services. So it's really serious stuff.

So a bit of a summary, then, from that: you're looking for open ports, power sequence cycling, different interactions that you can do to break out of the intended use cases of the device, like multi-finger presses or swiping up from the corner of the screen. And then once you exploit that, what else is in the network, and can you proliferate through the network and target different areas?

So we have to have another CMA at this point to say: don't try this again in the wild. Where can you try these kinds of things? Become a pentester, become a vulnerability researcher, practice some CTFs or events like Pwn2Own.

>> Bug bounty is obviously becoming increasingly popular. So you can make good money just by entering into bug bounty programs and attempting these things on devices that have been put up there as part of a scoped test, or at hacking conferences like this one. So we've actually developed a hackable kiosk to come here. I couldn't get an image of the kiosk set up this morning because it was swarmed by people wanting to try it already. But it's up near the BattleBots. Come along and have a go at that. We had community sponsorship for some prizes. So there's going to be a scoreboard, and at the end of the day we'll have a number of different prizes, cash prizes for people at three different levels. So, if you're able to find one vulnerability in the system, we'll enter you into the script kiddie prize draw for £25. If you're able to perform two vulnerabilities or find a user flag in the system, and pick the lock that's part of it, we'll enter you into the ethical hacker prize draw for £50. If you're able to find the two flags, the user flag and the admin flag, pick the lock, or find multiple vulnerabilities, and you get everything reset to the initial state that it was at, so there's no way to identify that you've been tampering with the system, you'll be entered into the nation state prize fund for £100. I'll also give out spot prizes today. So if anyone can identify a new vulnerability in the system that I wasn't aware of, a £25 spot prize there and then.

That was a bit of a race through that. So I think we've got some time for questions if anyone's got any questions, and if not, you can come and see me at the kiosk stand at some point today. Thanks very much. Jacob Steedman. If anyone gets cyber security fatigue, wants to talk about something else at some point today, I'm a bit of a D&D nerd as well, and a climber. So talk to me about these things as well. Security and nothing else. And thanks. [applause]

>> Thank you so much, Jacob. Have you had people attempting already this morning?

>> So far this morning, not too much luck, but hopefully you've got a couple more ideas from the kiosk, the demo there. So come along, have a look as well. Enumeration is always a big part of hacking, so just look around and see what people are doing and have a look before actually trying it.

>> Okay, there you go. You've got some hints in the talk. Give it a