NZ Security Consultant develops hacking tool for public kiosk terminals
Wellington, 13th November 2008 - Security Consultant Paul Craig from Security-Assessment.com released breakthrough research at the world's largest hacking conference, DEF CON 16 in Las Vegas, in August this year.
This research highlighted the potential insecurities associated with Internet kiosk terminals and yielded an attack methodology, the first of its kind.
The toolset developed as part of Paul's research, dubbed iKAT (interactive Kiosk Attack Tool), highlighted the potential for a would-be hacker to compromise any Windows kiosk terminal in under 10 seconds.
Using the methodology a user could gain access to execute arbitrary commands on the kiosk. A potential application of this approach could be the compromise of a shared terminal in a corporate reception area, which in turn could be used to launch an attack on the internal corporate network.
Internet kiosks are gaining popularity, appearing in public places such as airports, hotels and lobbies, but are rarely researched by security professionals for potential weaknesses.
This popularity, combined with poor security visibility, makes them an ideal target for malicious users.
The idea came to Paul during a long stopover at Hong Kong airport in 2007. “I noticed the queue of people waiting to use a hub of Internet kiosks. I thought, those kiosks sure are popular, I wonder if I could hack it?”
“I set myself a personal objective to find every possible method of hacking an Internet kiosk and become the ‘King’ of Internet Kiosk Hacking!”
Kiosks are typically built in tough hard-shell cases of fibreglass or wood. The lack of physical access to the computer case means that all input devices (floppy, DVD, USB, FireWire) are hidden, and kiosks are often bolted to the ground or padlocked. The general public are not trusted, and the kiosk is designed to prevent theft or malicious use.
The security vulnerability originates from the operating system and browser software running on the kiosk. The majority of kiosks run commercial kiosk software on Windows; more than 44 commercial Windows kiosk products are available on the market. These are marketed as a quick way to "Turn that old PC into instant revenue! ...buy the $59.99 Shareware, install it and you have an Instant Kiosk!"
Paul used native Windows functionality to bypass access controls on the kiosk terminal. This in turn allowed him to take direct control of the kiosk terminal and execute arbitrary commands.
It is also worth noting that during this security research Paul discovered multiple unpublished flaws in browser plug-ins (such as Adobe Flash), and commercial kiosk platforms. These were used as attack vectors to provide additional control over the kiosk terminal.
In addition to presenting his talk at DEF CON 16, Paul has showcased the attack methodology around the globe at various security conferences, including Hack.lu Luxembourg, Hack In The Box Malaysia and Kiwicon 07.
What is DEF CON?
DEF CON (also written as DEFCON or Defcon) is the world's largest annual hacker convention, held every year in Las Vegas, Nevada. The first DEF CON took place in June 1993, and in 2008, over 8500 people attended DEF CON 16.
Many of the attendees at DEF CON include computer security professionals, journalists, lawyers, federal government employees, crackers, and hackers with a general interest in computer code and computer architecture. The event consists of several tracks of speakers about computer- and hacking-related subjects, as well as social events and contests in everything from creating the longest Wi-Fi connection and cracking computer systems to who can most effectively cool a beer in the Nevada heat. Other contests include lockpicking, robotic-related contests, art, slogan, coffee wars, and Capture the Flag. Capture the Flag (CTF) is perhaps the best known of these contests. It is a hacking competition where teams of hackers attempt to attack and defend computers and networks. CTF has been emulated at other hacking conferences as well as in academic and military contexts.
DEF CON 16 was held on August 8-10 at the Riviera Hotel & Casino in Las Vegas.
The event is organised by the security community, and speakers can apply for the opportunity to present their research. Organisers give preference to unique research, new tool releases, 0-day attacks (with responsible disclosure), highly technical material, social commentary, and groundbreaking material of any kind.
Security-Assessment.com specialises in information security advisory and assessment.
Based in Wellington and Auckland, the company is engaged in projects across New Zealand and the Asia Pacific.
The services offered include independent security advisory, assessment and assurance services that help organisations establish and maintain a secure environment and an effective enterprise security strategy, and stay ahead of compliance requirements.
These services cover the complete strategic framework for enterprise security:
• Management & Governance
• Risk Assessment
• Policies and Standards
• Compliance and Awareness
• Security Assurance
• Incident Management
• Performance and Metrics
Security-Assessment.com is a Qualified Security Assessor under the Payment Card Industry Data Security Standard.
In 2007, security-assessment.com (www.security-assessment.com) was acquired by Datacraft NZ (www.datacraft.co.nz) to complement its existing network security capability. Datacraft is celebrating its 30th year of operation in New Zealand.
Paul Craig is a principal security consultant at Security-Assessment.com in Auckland, New Zealand. Paul specialises in application penetration testing, security research and exploit development. In the past Paul has released multiple critical advisories affecting products from major vendors such as Microsoft, Adobe, HP and 3Com, authored and co-authored several best-selling books on security, and spoken at various security conferences around the globe (including Syscan, Kiwicon, VNSec, RuxCon, Defcon, Hack.lu and Hack In The Box).
Further background material is available online:
• http://itradio.com.au/security/wp-content/uploads/RB82.mp3 (listen to the first 10 minutes for Paul's talk at Kiwicon 08, where he talks about releasing iKAT at Defcon)
Datacraft is a wholly owned subsidiary of Dimension Data plc (LSE:DDT), a US$4.5 billion leading global IT solutions and services provider. Datacraft operates in over 50 offices across 13 Asia Pacific countries. We help clients plan, build, support, manage, improve and innovate their IT infrastructures. Datacraft combines an expertise in networking, security, data centre, storage, Microsoft solutions and contact centre technologies, with advanced skills in consulting, integration, training and managed services to craft IT solutions for businesses. For more information, please visit www.datacraft-asia.com.
DEF CON background from Wikipedia - http://en.wikipedia.org/wiki/DEF_CON