
Jailbreaking touchscreen kiosks - absolute (in)security

"It's scary how easy this is to do"

Digital kiosks are everywhere these days, often showing interactive maps or other information, and are navigated by touching the screen. In the back end there is usually a web browser with a page open in full screen, plus some special software. The goal of this research project is to determine how easy it is to jailbreak a kiosk to a Windows desktop.

Why?

Digital kiosks provide information to a lot of people; in some cases thousands see or interact with them on a daily basis. A bad actor can leverage this to misdirect people to a fraudulent site where, depending on kiosk location and use, sensitive information can be harvested and payments collected as part of a fraud scheme. The damage can be very serious. By determining the risks, an assessment can be made of how bad the consequences of a compromised kiosk can be.

How?

The path from the kiosk interface to a Windows (often) or Linux (rare) desktop is usually divided into three steps: entry, escalation and persistence. The first step is usually the hardest and requires genuine creativity, patience and unusual ways of thinking. Escalating privileges is often a matter of knowing the OS, and persistence is generally pretty easy. From there, anything is possible, including further lateral movement in the network the kiosk is on, which could give access to other infrastructure and systems.

Methods: Entry

Some kiosks have USB ports, but surely the people who made the kiosk do not expect someone to come and plug a keyboard in, which is EXACTLY what to do. From there, Alt+F4, WinKey, CTRL+ALT+DEL and other key combinations can be pressed. Tapping on the corners of the screen can also reveal the hidden Windows button, which opens the tray and gives direct access to the desktop. Swiping from the sides can open additional interfaces. Pressing and holding, or using multiple fingers on the touchscreen, can also produce some interesting results.

From there, the task is to find a way to exit or crash the kiosk's browser or app. Methods include entering an encoded string terminator, entering the EICAR string, gaining access to the URL entry prompt and loading a memory bomb/crash page, or simply closing the browser by conventional means. In some cases the first part of the entry step already allows full desktop access.

Methods: Escalation

This step assumes desktop access. From there it is worth checking whether the kiosk uses an admin account by default; some do, in which case move on to the next step. In other cases, downloading and running a UAC/root bypass tool of choice is easy. At this point the kiosk is basically at one's mercy.

Methods: Persistence

Congratulations, the thing is truly pwnd. At this point one could install a backdoor and leave the machine, but this was not researched as it falls outside the project scope. The reader can fill this part in.

Conclusions

A compromised kiosk can harvest information, mislead users, display malicious advertising and a lot more; the possibilities are endless.

It is very likely that a targeted kiosk sits on an internal network, from where lateral movement to other systems can occur and control of other networks can be gained; from there, things can go really wrong. Network administrators should treat kiosks as back entrances into their network that are open to the public, and secure them accordingly against the jailbreak methods described here. In addition, it makes sense to put the kiosk on its own network segment with strict filtering rules and only permit what is necessary for the kiosk to operate.
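As an added example (not part of the original post), the following read-only PowerShell audit checks a Windows kiosk for the settings behind the entry and escalation methods above: an administrative kiosk account, live Windows key and Ctrl+Alt+Del shortcuts, USB mass storage, and a normal Explorer shell instead of Assigned Access. It assumes it is run from a session logged on as the kiosk account (per-user policies live in that account's HKCU hive) and that the Assigned Access cmdlets of Windows 10/11 client editions are present; the finding strings are this example's own.

```powershell
# Added example, not from the original post: read-only audit of a Windows kiosk
# for the settings behind the entry/escalation methods described above.
# Run it from a PowerShell session logged on as the kiosk account: per-user
# policies (NoWinKeys, DisableTaskMgr) live in that account's HKCU hive.

function Test-RegistryValue {
    param([string]$Path, [string]$Name, $Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$Name -eq $Expected)
}

$findings = @()

# Escalation: is the kiosk account itself an administrator? The token lists
# BUILTIN\Administrators (S-1-5-32-544) even when UAC has filtered it.
$token = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($token.Groups.Value -contains 'S-1-5-32-544') {
    $findings += "Kiosk account $($token.Name) is a member of local Administrators"
}

# Entry: Windows key hotkeys reach the Start menu and taskbar behind the browser.
$explorerPolicy = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$winKeysBlocked = (Test-RegistryValue "HKCU:\$explorerPolicy" 'NoWinKeys' 1) -or
                  (Test-RegistryValue "HKLM:\$explorerPolicy" 'NoWinKeys' 1)
if (-not $winKeysBlocked) { $findings += 'Windows key shortcuts are not disabled (NoWinKeys)' }

# Entry: Ctrl+Alt+Del -> Task Manager is a launcher for arbitrary programs.
if (-not (Test-RegistryValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableTaskMgr' 1)) {
    $findings += 'Task Manager is reachable from Ctrl+Alt+Del (DisableTaskMgr)'
}

# Entry: a storage device in an exposed USB port mounts as a drive letter.
if (-not (Test-RegistryValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start' 4)) {
    $findings += 'USB mass storage driver is enabled (USBSTOR Start is not 4)'
}

# Entry: Alt+F4 on the browser only lands on a desktop if the account runs the
# normal Explorer shell instead of an Assigned Access (kiosk mode) app.
# Get-AssignedAccess needs admin rights; a failed query is reported for review.
if (Get-Command Get-AssignedAccess -ErrorAction SilentlyContinue) {
    try { $aa = Get-AssignedAccess -ErrorAction Stop } catch { $aa = $null }
    if (-not $aa) { $findings += 'No Assigned Access configuration found; closing the browser exposes the desktop' }
} else {
    $findings += 'Assigned Access cmdlets unavailable on this edition; verify the shell replacement manually'
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each FINDING line maps to one of the manual entry or escalation tricks in the sections above, so an empty result means the kiosk at least has the basic shortcut, storage and shell hardening in place.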

Administrator message:

When I jailbreak a kiosk I usually open my site fullscreen and walk away. I do not do anything further as I am not evil.

I was in Victoria, Gozo the other day and I saw someone aged 14-16 who had managed to get to the desktop of an interactive map and was trying to get the Windows key. Note the kiosk was in the building of the Ministry For Gozo. All I can say is: BOLD. Later the kiosk was put back to its original state, but I went along and 'secured' it.
