An investigation by cyber-security firm Kaspersky revealed that digital kiosks and interactive terminals used in modern cities contain vulnerabilities, capable of exposing private user data required for spying and spreading malicious codes.
Apart from digital Kiosks, the researchers also examined speed cameras and supporting infrastructures used in metropolitans, revealing that any malicious hacker or cyber criminal can easily access these cameras and manipulate data.
Most urban cities have a chain of complicated ecosystems, composed of hundreds of different digital infrastructure including Digital Kiosks and speed cameras. Though these components are aimed at making life simpler for citizens, the research shows the alarming threats they pose to private data.
For instance, ticket terminals in movie theaters, bike rental terminals, service kiosks in government organizations, booking and information terminals at airports, and passenger infotainment terminals in city taxis might all have a different appearance, but inside most of them are the same.
Most terminals inspected were either Windows or Android-based device. According to the research firm, the main difference in comparison to ordinary devices is the special kiosk-mode software that runs on public terminals and serves as the user interface.
This special software gives users easy access to specific features of the terminal whilst at the same time restricting access to other features of the device’s operating system, including launching a web browser and then virtual keyboard.
Although these specialised kiosks provide convenience to users, they are also responsible for providing attackers with numerous vulnerabilities to exploit, just like any other personal computer (PC).
The research pointed out that all digital kiosks contain one or more multiple security weaknesses, which allow an attacker to access hidden features of the OS.
In one case the user interface of one such digital terminal contained a web-link, which made the job much simpler for attackers. An individual only needs to tap on the link to launch the browser and then launch a virtual keyboard.
In another case – at an e-government service kiosk – the setup required the user to touch the “print” button. After tapping on the print button, the browser’s print dialogue window would stay open for quite a few seconds, enabling the attacker to quickly click the change (printing parameters) button and jump into the help section.
After gaining access to the help section, the attacker could open the control panel and launch the on-screen keyboard. This provides the hacker with all of the devices needed to enter information — the virtual keyboard and the mouse pointer.
With all the components unlocked, the hacker can use the kiosk for their own mercenary purposes — to launch malware, get information on printed files, obtain the device’s administrator password, etc. And these are only a few weaknesses discovered by Kaspersky Lab researchers.
Denis Makrushin, security expert at Kaspersky Lab, pointed out that several public terminals investigated by the team were processing very important information, including personal data, credit card numbers and verified contacts.
“Many of these terminals are connected with each other and with other networks. For an attacker they may be a very good surface for very different types of attacks – from simple hooliganism, to sophisticated intrusion into the network of the terminal owner,” said Makrushin.
“Vendors need to make sure that it is impossible to compromise terminals through the weaknesses we’ve discovered,” he added.
The next part of the research was dedicated to speed control cameras used in major cities. After using the Shodan search engine, researchers identified manifold IP addresses belonging to such devices and openly accessible from the web.
These speed cameras were not password-protected and anyone would be able to see the footage from cameras and more. The team of researchers discovered that some tools used to control these cameras are also available to anyone on the web.
Vladimir Dashchenko, security expert at Kaspersky Lab, said speed control camera systems in some cities track certain lines on the highway — a feature which could be easily turned off.
“Considering that these cameras can be, and sometimes are, used for security and law enforcement purposes it is really easy to imagine how these vulnerabilities can assist in crimes like car theft and others,” said Dashchenko.
