McDonald's hack sends a wakeup call to kiosk, ATM deployers alike

A recent, widely sharedvideoon YouTube showed two young men in Australia tricking a McDonald's restaurant kiosk into giving them free food.

To ATM operators, this might seem like small French-fried potatoes compared with the types of losses that have resulted from black box attacks on ATMs around the world. Still, the incident highlights once again the importance of taking even the simplest steps to safeguard payment kiosks and ATMs against logical attacks.

The following blog, which previously posted on Kiosk Marketplace, a sister publication to ATM Marketplace, describes eight basic and highly effective ways that kiosk and ATM operators can protect themselves against both financial and reputational losses.

Kiosk hacking has become commonplace in the news. In addition to the McDonald's kiosk hack, HR kiosks have recently been hacked and there have also been incidents with smart city kiosks being hacked.

Self-service kiosks are everywhere from street corners to grocery stores, and hackers are gunning for your customer's data. Payment kiosks in particular are attractive targets because cardholder data is easy to monetize.

There are several techniques for hardening your kiosks' security. Many of these kiosk hardening techniques involve functional changes to your kiosk application, so you'll need to get your developers involved. 

1. Prevent PIN theft

It's frighteningly easy to steal someone's PIN number using an iPhone and a thermal camera.

Flir makes one such thermal mobile camera that can be used to easily determine the PIN number someone entered.

This YouTube video demonstrates this technique and explains how metal PIN pads, like those commonly found on ATMs, can be used to prevent PIN theft. 

2. Protect the BIOS

The BIOS is the first screen that appears when your computer boots and determines the boot order, among other things. From a security standpoint this is of particular concern because we don't want a hacker to be able to reconfigure the computer to boot from a USB drive, or other media, instead of the kiosk's hard drive.

Booting from another media would allow the attacker to run malware instead of the kiosk's operating system. Fortunately, protecting the BIOS is simply a matter of configuring a password so the BIOS settings cannot be modified.

Here's a tutorial video of how to password protect your BIOS.

3. Restrict keyboard input

The operating system has many keyboard shortcuts that will allow an attacker to exit out of your kiosk application and access the desktop. 

There are many such hotkeys (i.e., Ctrl-Alt-Del in Windows) and we want to restrict the keyboard input to prevent a hacker from exiting your kiosk application.

Avoid the use of a physical keyboard when possible and instead opt for an onscreen keyboard with the system keys removed.

As an added layer of security, you can use a keyboard filter driver to filter out system hotkeys.

4. Prevent the mouse right-click

Right clicking the mouse will prompt the user with a series of options. Some of which could be used to close or compromise your kiosk application. This is particularly true if your kiosk is running a web browser.

Limiting the user to only clicking the left mouse button will help mitigate this risk. 

The easiest way to achieve this is by having your kiosk application ignore the right mouse click.

5.Block physical access to USB ports

By allowing a hacker access to the USB ports, they can potentially load malware to hijack your kiosk.

For a kiosk, all the USB ports should be made inaccessible through the use of a secure kiosk or tablet enclosure. Many secure enclosure options are available for both tablets and kiosks.

This video which how BadUSB works and suggests some techniques for protecting your USB ports on a laptop.   

6. Prevent access to the file system

It's important to ensure that hackers cannot access the file system of your kiosk. There are multiple ways to get to the file system, particularly if your kiosk is running a web browser.

One method is by simply entering the file path into the web browser address bar as shown below.

I now have access to browse the file system and access potentially sensitive information.

Other opportunities to access the file system include, but are not limited to, the print dialog and right clicking the mouse. 

You'll also want to automatically close any dialog boxes.

7. Restrict access to external websites

If your kiosk is running a web browser, then you'll want to restrict the user to only viewing your website. The most straightforward way of accomplishing this is through the use of a whitelist, an acceptable list of websites or web pages, depending on how granular you want to get, which the browser will allow to be displayed if the user attempts to navigate to a page not on the whitelist. If the website is not on the whitelist, the page will not be displayed.

8. Incorporate a watchdog

A watchdog refers to a service running in the background which ensures that your kiosk application is always running.

If your kiosk application crashes, uses up too much memory, or stops behaving for any reason, the watchdog will restart it.

In Windows. the watchdog should be a Windows service that automatically runs at startup. The watchdog will be implemented differently depending on your operating system, but the underlying objective is the same. 

photo: Unsplash

Anytime you're deploying a kiosk, protecting customer data should be a top concern.

Payment kiosks in particular are attractive targets because cardholder data is easy to monetize. But payment kiosks aren't the only kiosks at risk.

In order to implement the techniques in this article you're going to have to modify your kiosk application. It's time to get your developers involved so you can start protecting your customers and your reputation.