Internet kiosks – harmful to your health?

I’m in Wellington, New Zealand, attending the fourth annual Kiwicon event. Like Ruxcon in Australia, Kiwicon is a grassroots hacker* conference.

The accessibility and popularity of the event – it takes place over a weekend, and costs just NZ$55 (about $40 USD/AUD/CAD) to attend – is obvious in the growth in delegate numbers. From around 80 attendees in its first year, Kiwicon has grown to a festive, friendly and well-informed crowd of 350.

Despite the low price, the quality of both delegates and speakers is world-class.

I’ve just come out of a talk by Paul Craig, renowned internet kiosk hacker and security expert. You can find internet kiosks all over the world in hotels, airports, libraries, convenience stores, shopping centres, universities. As it happens, there are no fewer than 16 kiosks in the lobby of the building where Kiwicon is being held.

Internet kiosks can be useful. Most of them offer pay-as-you-go internet access, often coin-operated, conveniently allowing you to jump online. If you don’t have a laptop handy, kiosks sound like a great way to read the latest news, communicate with friends, check your investments and make those all-important Facebook posts.

Because they’re a shared resource, kiosks are supposed to restrict your browsing. This is so that you don’t leave anything behind for the next user to grab hold of, and so that you can’t install something to compromise the safety of the next user.

But Paul Craig’s talk made it quite clear that using most kiosks for anything to do with personal information is incredibly risky. They simply do not provide the safety and security they are supposed to. During the talk, he gave a live demonstration of how easily he could subvert the security of five different popular kiosks, both Windows and Linux based. He was able to get a command shell, install arbitrary software, change security settings – whatever he wanted. The kiosks were all, in a word, pwned.

The problems stem not from the fundamental impossibility of building a safe kiosk, but from the demands of the average kiosk user. It’s not enough for a kiosk vendor to provide very basic features, such as the ability to send and receive simple internet messages.

Kiosk users demand access to a full-featured, familiar browser, such as Firefox or Internet Explorer, with an extensive range of add-ons. Just viewing a web page is not enough – users also want to be able to download and read PDFs, view documents and spreadsheets, watch Flash videos, and much more. This complexity, as usual, ends up being the worst enemy of security.

Interestingly, Paul noted that he has carried out similar penetration tests against photo kiosks – those devices in camera shops into which you plug a phone or USB stick to print out pictures – entirely without success. (I was slightly surprised to hear this, since photo kiosks are regularly implicated in the accidental spread of USB malware.)

Paul suggested that the greater resilience of photo kiosks can be explained very simply: they have a better-defined and smaller set of functionality, and thus a much smaller attack surface.

In short, kiosks have become too complex to be made secure. I’d suggest that you use them only for the most general browsing tasks. Internet banking, access to on-line accounts such as social networks, and the like, are all definite no-nos.

Sometimes, those Tweets will simply have to wait.

[*] For a rational explanation of the meaning of hacker, watch this video:
