In preparation for a story on KioskMarketplace.com, editor Elliot Maras submitted several questions to Olea Kiosks about kiosks and the issue of anti-hacking security. He gave us permission to share our full answers, which are published below.
What are the biggest hacking threats to self-serve kiosks?
Several come to mind. Running an obsolete operating system and not applying security patches are two obvious ones. Vulnerabilities also are created when unauthorized people have physical access to components or the ability to power the kiosk on and off.
Historically, security kiosks often have been placed outside the company LAN, but increasingly that practice is reversing itself, and increasingly more kiosks are placed on the LAN. They pass data to a server and the data store inside the corporate LAN becomes the weak point that is comprised.
Companies can strengthen weak points by installing lockdown software, which in addition to security often provides audit, reporting and monitoring capabilities.
Can kiosk software prevent hacking?
If you mean a lockdown, then yes, almost all the time. Many company IT departments though will want to create their own solution. It saves a little bit of money, so accounting usually buys in as ally, but it’s not always so effective.
One thing that the WannaCry incident shows is the increasing hacking capabilities of hackers. How can kiosk manufacturers and operators/deployers make sure their system software remains protected?
Fortunately, there are many steps they can take to protect themselves:
- Windows users should upgrade to Windows 10. It has a habit of auto-updating patches, which can be a concern for some users. Anyone who wishes to avoid the automatic updating feature of Windows 10 can investigate Microsoft’s new Redstone IOT operating system, which allows for the manual application of patches.
- Run virus and malware software, if only Windows Defender. That is actually the best of all for Windows and it’s free.
- Install lockdown software, which puts the PC into “protected mode user” so admin (or root) is not available for privileged operations. If the kiosk is on the network, though, its safety is in part in the hands of the central server and the LAN and how well they are protected.
- Rethink their password strategy. Passwords are way too easy either at corporate level or at ad hoc level.
One of the most obvious vulnerabilities—malware carried into a facility on a employee’s or guest’s USB drive—can be combated when facilities deploy kiosks such as Olea’s Malware Scrubbing Kiosk with Metadefender software by OPSWAT.
Companies are installing these kiosks at their entrances and requiring visitors and employees alike to scan every portable media device coming into the company that will be plugged into a computer inside of the building.
Hypothetical: I bring a USB drive to the office that has an Excel document on it that I started at home but need to finish at work. Without my knowledge, however, my son borrowed the drive the night before to download some music from the darker side of the web, which also came with a virus. Now, if I’m not stopped to scan the drive before putting it into my work PC, I may inadvertently create havoc across the company when that stowaway virus is unleashed through the network.
There is a more sinister scenario, too: Do you know how easy it would be to drop a few attractive but infected USB sticks in a parking lot to get a receptionist or any other employee to take one inside to see what’s on it? People are snoopy by nature, and everybody likes a nice-looking thumb drive.
Are kiosk hardware manufacturers showing more concern about preventing kiosk software hacking based on your experience?
Definitely. And they are smart to be doing so.
Other comments?
You always get hacked. And you are always going to get hacked. You just have to exercise due diligence to lower that probability and be prepared to redouble your effort the next time. It never stops.
