A kiosk is a small machine with an interactive display screen that businesses place in public areas such as government agencies, banks, department stores, and restaurants to provide information or offer self-service options. Their use keeps increasing in companies and organizations because of advantages such as self-service.
As risks always accompany new technologies, security threats to kiosks keep growing. Kiosks are attractive targets because their primary purpose, reservation and payment services, means they store and process personal information. Some kiosks are sold without adequate security measures installed. There are several other ways to hack kiosks; however, this article deals with detecting kiosk systems and admin pages exposed on the attack surface so that those threats can be prevented.
Admin Page of the Kiosk Exposed on the Internet
One of the causes of kiosk hacking is an admin page exposed on the internet. Kiosk distributors, and the organizations that operate kiosks, offer services such as reservation and payment to the end user. The kiosk must block external access, and the admin page has to be secured with an authentication system.
However, several kiosks are exposed on the attack surface, and you can find them by searching the keyword "Title: Kiosk management console UI" on the OSINT search tool Criminal IP.
Search Query: Title: Kiosk management console UI
With another keyword, "Title: KIOSK Management System", it was possible to find a website showing the admin page of a kiosk, like the image below.
Search Query: Title: Kiosk Management System
You can also search "Title: Kiosk Terminal Management System" and get the result below, which shows the authentication page of a kiosk.
Search Query: Title: KIOSK Terminal Management System
Targeting the Kiosk Operated by Specific Corporate
Hackers can find a kiosk operated by a specific company or organization. If they succeed, they can cause system errors, take customer information from a connected server, and even infiltrate the main server for a more severe attack.
By adding "Hotel" to the keyword, it was possible to find the kiosk system of a hotel located in Malaysia.
Search Query: Title: Uptown Kiosk – Hotel System
You can even find a kiosk whose title carries a specific company name by combining that name with the keyword above. The image below shows information on the kiosk system of a German vehicle company in Korea.
Kiosk without Authentication, Easy to Hack
Exposure of the kiosk system is a critical security issue. We even found a kiosk system without a proper authentication procedure; it was defenseless.
The website found on Criminal IP (CIP) appears to be a kiosk system for company S. It shows a critical security issue: the website can be entered without any authentication procedure.
The image below is the theater admin system for a kiosk. It can be accessed without authentication, making it vulnerable to hacking.
The purpose of a kiosk is to increase the efficiency of the company and the convenience of the customer. However, it is necessary to keep it safe from cyber attacks to avoid severe damage. The fact that various IoT devices such as kiosks can be easily found through an OSINT tool means that hackers can just as easily attack assets that are exposed on the attack surface. Enterprises and institutions are advised to thoroughly check which of their assets are exposed, using an attack surface management solution such as Criminal IP ASM, and to consider security when introducing IoT equipment such as kiosks. If the kiosk is outdated, consider replacing it. Also, check regularly for security patch updates for the kiosk system.
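The following script is an added example, not code from the Criminal IP article or the Criminal IP product. It turns the two observations above into a defender's self-audit: the page-title fingerprints are the ones quoted in the search queries earlier in the article, and the script flags any host in your own asset inventory whose admin console answers with one of those titles and no authentication gate (no 401 challenge, no redirect to a login page, no login form). The hostnames under example.internal and the sample HTTP responses are constructed for the demo; when run with URLs on the command line it fetches your own hosts instead.

```python
"""Self-audit for kiosk admin consoles that answer without authentication.
Added example (not the article's or Criminal IP's code). Fingerprints come from
the article's "Title:" queries; sample responses below are constructed."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from html import unescape

# Page titles the article found via Criminal IP "Title:" queries (lower-cased).
KIOSK_ADMIN_TITLES = (
    "kiosk management console ui",
    "kiosk management system",
    "kiosk terminal management system",
)


@dataclass
class HttpResponse:
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def extract_title(html: str) -> str:
    """Return the <title> text with whitespace collapsed, or '' if absent."""
    m = re.search(r"<title[^>]*>(.*?)</title>", html, re.IGNORECASE | re.DOTALL)
    return unescape(" ".join(m.group(1).split())) if m else ""


def is_kiosk_admin_page(title: str) -> bool:
    """True when the title matches one of the kiosk admin console fingerprints."""
    t = title.lower()
    return any(sig in t for sig in KIOSK_ADMIN_TITLES)


def auth_state(resp: HttpResponse) -> str:
    """Classify how the server gates access:
    'challenged' - 401/407 with WWW-Authenticate (credentials demanded)
    'redirected' - 3xx whose Location points at a login URL
    'login-form' - 200 whose body contains a password field
    'open'       - 200 with no credential prompt at all (the critical finding)
    'other'      - anything else (errors, blocked, etc.)"""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    if resp.status in (401, 407) and "www-authenticate" in headers:
        return "challenged"
    if 300 <= resp.status < 400 and "login" in headers.get("location", "").lower():
        return "redirected"
    if resp.status == 200:
        if re.search(r"""type\s*=\s*["']?password""", resp.body, re.IGNORECASE):
            return "login-form"
        return "open"
    return "other"


def audit(responses) -> list:
    """One finding per response whose title looks like a kiosk admin console."""
    findings = []
    for r in responses:
        title = extract_title(r.body)
        if not is_kiosk_admin_page(title):
            continue
        state = auth_state(r)
        findings.append({"url": r.url, "title": title, "auth": state,
                         "severity": "critical" if state == "open" else "review"})
    return findings


def fetch(url: str, timeout: float = 5.0) -> HttpResponse:
    """Fetch one URL from your own inventory without following redirects
    (stdlib only), so a 302-to-login is observed rather than silently followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # None makes urlopen raise HTTPError for the 3xx
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as r:
            return HttpResponse(url, r.status, dict(r.headers), r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return HttpResponse(url, e.code, dict(e.headers), e.read().decode("utf-8", "replace"))


# Constructed sample responses standing in for hosts in an asset inventory.
SAMPLE_RESPONSES = [
    HttpResponse("https://kiosk-a.example.internal/", 200, {"Content-Type": "text/html"},
                 "<html><head><title>KIOSK Management System</title></head>"
                 "<body><h1>Terminals</h1><a href='/terminals/1/reboot'>Reboot</a></body></html>"),
    HttpResponse("https://kiosk-b.example.internal/", 200, {"Content-Type": "text/html"},
                 "<html><head><title>Kiosk Terminal\n  Management System</title></head>"
                 "<body><form><input name='u'><input type=\"password\" name='p'></form></body></html>"),
    HttpResponse("https://kiosk-c.example.internal/", 401, {"WWW-Authenticate": 'Basic realm="kiosk"'},
                 "<html><head><title>Kiosk management console UI</title></head></html>"),
    HttpResponse("https://web.example.internal/", 200, {},
                 "<html><head><title>Corporate Intranet</title></head></html>"),
]

if __name__ == "__main__":
    import sys
    responses = [fetch(u) for u in sys.argv[1:]] if len(sys.argv) > 1 else SAMPLE_RESPONSES
    for f in audit(responses):
        print(f"[{f['severity'].upper():8}] {f['url']}  title={f['title']!r}  auth={f['auth']}")
```

Run it with no arguments to see the constructed sample classified (kiosk-a is reported as an open admin console, kiosk-b and kiosk-c as gated, the intranet host is ignored), or pass the URLs of your own kiosk hosts. A title match plus "open" is the condition the article describes for company S and the theater admin system, and is what an attack surface management process should surface before an outsider does.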
For more information, please refer to "Default welcome page exposure: A Significant Security Risk".
Source: Criminal IP (https://www.criminalip.io/)