September 16, 2016 by Canadian Underwriter
Researchers from cybersecurity company Kaspersky Lab said on Thursday that they have found vulnerabilities and security deficiencies in digital kiosks, interactive terminals and speed cameras that make them susceptible to cyberattacks.
Modern cities are complicated ecosystems made up of hundreds of different components, including digital ones, Kaspersky Lab noted in a statement. Aimed at making life more convenient and safer for citizens, they can also pose a certain degree of threat to people’s data and safety, as illustrated in the findings of the research conducted by Kaspersky experts.
During their examination, the researchers found a number of digital kiosks and interactive terminals used in modern cities for different purposes – from paying for different services through to entertainment – and discovered that a lot of them contain vulnerabilities that can expose private user data and be used to spy or spread malicious code. Along with kiosks, specialists researched speed cameras and their supporting infrastructure. As a result, they discovered that malicious users could easily access these cameras and manipulate the data collected, Kaspersky said in the statement.
Ticket terminals in movie theaters, bike rental terminals, service kiosks in government organizations, booking and information terminals at airports and passenger infotainment terminals in city taxis might all have a different appearances, but inside most of them are the same: each terminal is either a Windows-based or an Android-based device. The main difference in comparison to ordinary devices, Kaspersky explained, is the special kiosk-mode software that runs on public terminals and serves as the user interface.
“This software gives the user easy access to specific features of the terminal while also restricting access to other features of the device’s operating system, including launching a web browser and then virtual keyboard,” the statement said. “Accessing these functions provides an attacker with numerous opportunities to compromise the system, as if they were in front of a computer. The research showed that almost any digital public kiosk contains one or multiple security weaknesses which allow an attacker to access hidden features of the [operating system].”
In one particular case, the user interface of the terminal contained a web link. The attacker only needed to tap on it in order to launch the browser and then – through the standard help dialogue – launch a virtual keyboard. In another case – at an e-government service kiosk – the scenario required the user to touch the “print” button. After that, for several seconds the usual browser’s print dialogue window would be opened, and if quick enough, the attacker would tap the ‘change’ [printing parameters] button to enable him to jump into the help section. From there, they could open the control panel and launch the on-screen keyboard.
“As a result, the attacker gets all of the devices needed to enter information (the virtual keyboard and the mouse pointer) and can use the computer for their own malicious purposes, e.g. to launch malware, get information on printed files, obtain the device’s administrator password, etc., and these are only a few of the weaknesses discovered by Kaspersky Lab researchers.”
“Some public terminals we’ve investigated were processing very important information, such as user’s personal data, including credit card numbers and verified contacts (for instance, mobile phone numbers),” said Denis Makrushin, security expert at Kaspersky, in the statement. “Many of these terminals are connected with each other and with other networks. For an attacker, they may be a very good surface for very different types of attacks – from simple hooliganism, to sophisticated intrusion into the network of the terminal owner. Moreover, we believe that in the future public digital kiosks will become more integrated in other city smart infrastructure, as they are a convenient way to interact with multiple services. Before this happens, vendors need to make sure that it is impossible to compromise terminals through the weaknesses we’ve discovered.”
Another part of the research was dedicated to cities’ speed control cameras. Using the Shodan search engine, researchers were able to identify multiple IP addresses belonging to such devices and openly accessible from the web. “No passwords were in use, and anyone would be able to see the footage from cameras and more,” the statement said. “Researchers discovered that some of the tools used to control these cameras are also available to anyone on the web.”
Vladimir Dashchenko, another security expert at Kaspersky, said that in some cities, speed control camera systems track certain lines on the highway – a feature that could be easily turned off. “So if an attacker needs to shut down the system at a certain location for a period of time, they would be able to do that,” Daschenko said. “Considering that these cameras can be, and sometimes are, used for security and law enforcement purposes, it is really easy to imagine how these vulnerabilities can assist in crimes like car theft and others. It is therefore really important to keep such networks protected at least from direct web access.”
The text of the research and advice on how to protect IT systems of smart cities from being compromised is available at https://securelist.com/analysis/publications/76060/fooling-the-smart-city/.