Unit4sec
KIOSK SECURITY AND PENTESTING
Table of Contents
01: What is Kiosk?
02: Kiosk: Information Security Process Audits
03: Kiosk: Physical Security Audits
04: Kiosk: Network Security Audits
05: Kiosk: Operating System Security Audits
06: Kiosk: Application Security Audits
07: Escape Kiosk Mode to Operating System Level
Kiosk?
First of all, what is a kiosk?
Kiosk devices are computer terminals designed for user-specific information access. They run dedicated point-of-information software while preventing end users from reaching the "system functions" of the underlying machine.
Some kiosk devices offer a free, informative public service, while others serve a commercial purpose (e.g., shopping mall kiosks, check-in kiosks, ATMs). Touchscreens, trackballs, computer keyboards, and buttons are typical input devices for interactive kiosk devices.
Touchscreen kiosks are utilized as industrial devices in commercial applications, reducing queues, eliminating paper, and enhancing efficiency and service. Their uses are limitless, ranging from refrigerators to airports, health clubs to movie theaters, banking transactions to libraries.
Kiosk Devices
In our daily lives, we frequently encounter and use these devices, known as "kiosk" devices, when performing tasks such as airport check-in, querying the stores on different floors in shopping malls, and even using ATM machines for banking transactions.
Kiosk Audits
When it comes to security hardening audits of these kiosk devices, what should be inspected and which exploitation steps should be tested? In fact, penetration testing of kiosk devices does not differ significantly from a standard PC audit: beyond the standard PC audit procedures, only a few additional checks and assessments need to be conducted.
What is the objective of Kiosk Security and Pentesting?
The objective of penetration testing on kiosk devices is to assess the information security processes of kiosk devices, determine whether an anonymous user can gain physical access to kiosk devices, identify what data can be obtained once access is granted, ascertain the vulnerabilities present in the kiosk system, and determine the potential impact of malicious attackers utilizing these vulnerabilities.
Kiosk Security and Pentesting Main Topics
When listing the steps that need to be checked during kiosk penetration testing, the main topics are as follows:
01: Audit of information security processes for kiosk devices.
02: Audit of physical security for kiosk devices.
03: Audit of "security" and "log" policies at the operating system level of kiosk devices.
04: Conducting network tests on the local area network (LAN) where kiosk devices are located.
05: Identifying security vulnerabilities in the applications and services running on kiosk devices.
Kiosk Security: Information Security Process Audits
Organizations housing kiosk systems in their infrastructure are recommended to establish information security process management and procedures for kiosk security audits, ensuring the sustainability of these security processes.
01: Some kiosk devices can be switched into an operating system mode with the help of QR codes that are available to technical personnel. In organizations where this process is in use, the following audit items can be established.
02: The "local admin" password management processes for kiosk devices must be audited.
03: Some kiosk devices require their panels to be opened from time to time, for example for "paper replacement." As a result, the keys that open the kiosk panel may be held by several members of staff.
Kiosk Security: Physical Security Audits
01: Are the rear or front panels of the kiosk devices open? The panels of each kiosk device present in the test environment should be inspected.
02: Are physical alarms in use? Are there sensors on the front and rear panel locks of the kiosk? Do these panels generate instant alarms when opened or left open?
03: Are there USB ports on the kiosk device or inside the panels? Are the USB ports functional?
Kiosk Security: Network Security Audits
01: Is Network Access Control (NAC) in use?
02: Is access between VLANs controlled, or is unauthorized cross-VLAN access possible?
03: If Network Access Control (NAC) is in place, is it possible to bypass it?
04: If a connection can be established to the kiosk network, can NTLM hash information be obtained using LLMNR Poisoning?
05: If a connection can be established to the kiosk network, can a Man-in-the-Middle (MITM) attack be conducted using ARP Poisoning?
06: Is internet access available? Is a proxy server in use?
07: Are there any misconfigurations on the firewall?
Kiosk Security: Operating System Security Audits
01: Is the operating system properly licensed?
02: Is an up-to-date operating system in use?
03: Have operating system updates been applied?
04: The hard disk characteristics should be examined.
05: If the operating system is Microsoft Windows, are Windows Defender and Windows Firewall active?
06: Is access to the BIOS menu restricted with a password?
07: Is an antivirus installed? Can it be disabled or bypassed?
08: Does the user operating the kiosk device have Local Admin privileges?
09: Is access to the BOOT menu restricted with a password?
10: Is the Administrator account active?
11: Is the Guest account active?
12: Is access granted to CMD or PowerShell? If access is restricted, are bypass methods successful?
13: Local Security Settings on the kiosk operating system should be reviewed.
Kiosk Security: Application Security Audits
01: Do the logs of the applications running on kiosk devices capture sensitive data?
02: Are there applications on the kiosk device that provide "Remote Access" functions?
03: Are outdated applications installed on the kiosk device?
Kiosk Security: Escape Kiosk Mode to Operating System Level
01: Can the kiosk user access the Task Manager? If Task Manager access is possible, the kiosk application can be terminated, allowing access to the desktop.
02: To exit Kiosk mode, the ALT+F4 shortcut can be used directly. If the ALT+F4 command is successful, the Kiosk application can be closed, providing direct access to the operating system.
03: If any browser can be opened on the kiosk device, can file system exploration within the operating system be attempted by entering entries like "C:" in the URL section?
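An added example, not part of the original deck or Unit4sec's material: a read-only PowerShell audit that reports on several of the operating system items above (02, 03, 05, 07, 08, 10, 11, 12), network item 04 (LLMNR) and escape step 01 (Task Manager) for a Windows kiosk. It assumes a Windows 10/11 kiosk with Defender present and is meant to be run from the kiosk user's own account so that the HKCU policy checks reflect that user; the 60-day update threshold is an assumed value.

```powershell
# Added example (not part of the original deck): read-only hardening audit for a
# Windows kiosk, covering OS-audit items 02-03, 05, 07-08, 10-12, network item 04
# and kiosk-escape step 01 above. Run as the kiosk user; nothing is modified.
# Assumes the Defender cmdlets are available (Windows 10/11 with Defender installed).
$findings = @()
function Add-Finding([string]$Item, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'OK' } else { 'CHECK' }
    $script:findings += [pscustomobject]@{ Item = $Item; Status = $status; Detail = $Detail }
}

# 02/03: OS version and age of the most recent update (60 days is an assumed threshold)
$os = Get-CimInstance Win32_OperatingSystem
$lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
Add-Finding 'OS version' $true "$($os.Caption) $($os.Version)"
Add-Finding 'Recent update' ($lastFix.InstalledOn -gt (Get-Date).AddDays(-60)) "$($lastFix.HotFixID) $($lastFix.InstalledOn)"

# 05/07: Defender real-time protection and each Windows Firewall profile
$mp = Get-MpComputerStatus
Add-Finding 'Defender real-time protection' $mp.RealTimeProtectionEnabled "AntivirusEnabled=$($mp.AntivirusEnabled)"
foreach ($p in Get-NetFirewallProfile) { Add-Finding "Firewall profile $($p.Name)" ([string]$p.Enabled -eq 'True') "Enabled=$($p.Enabled)" }

# 08/10/11: members of the local Administrators group (S-1-5-32-544, review manually),
# then the built-in Administrator (RID 500) and Guest (RID 501) accounts, which should be disabled
$admins = (Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object Name) -join ', '
Add-Finding 'Local Administrators members' $false $admins
foreach ($u in Get-LocalUser) {
    if ($u.SID.Value -match '-50[01]$') { Add-Finding "Built-in account $($u.Name)" (-not $u.Enabled) "Enabled=$($u.Enabled)" }
}

# 12 and escape step 01: per-user policies that block Task Manager, cmd.exe and the Run dialog
$policies = @(
    @{ Name = 'DisableTaskMgr'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' },
    @{ Name = 'DisableCMD';     Path = 'HKCU:\Software\Policies\Microsoft\Windows\System' },
    @{ Name = 'NoRun';          Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' }
)
foreach ($pol in $policies) {
    $val = (Get-ItemProperty -Path $pol.Path -Name $pol.Name -ErrorAction SilentlyContinue).($pol.Name)
    Add-Finding "Policy $($pol.Name)" ($val -ge 1) "value=$val"
}

# Network item 04: LLMNR turned off by policy (EnableMulticast=0) removes the target of LLMNR poisoning
$llmnr = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
Add-Finding 'LLMNR disabled' ($llmnr -eq 0) "EnableMulticast=$llmnr"

$findings | Format-Table -AutoSize
```

Every row marked CHECK maps back to one of the numbered audit items, so the table can be pasted straight into the audit report as evidence for that item.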
Kiosk Mode Bypass: Shortcuts Cheatsheet
Kiosk Mode Bypass: SHELL COMMANDS Cheatsheet
Shell commands are commands that, when entered into the Run dialog, File Explorer, Search box, or Browser address bars, execute specific actions.
Other kiosk bypass commands that can be executed from the browser are listed below: