Information kiosks used by Southern Rail in stations with fewer staff are wide open to cyber-attacks, according to a security researcher. He says there are significant issues with the machines' certificate upload process, which could allow a compromised certificate to be uploaded for criminal purposes, and adds that this points to a relaxed use of escalated privileges. IT security experts from AlienVault, ESET and Positive Technologies commented below.
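The article does not say how the kiosks' certificate upload works, so the following is an added example rather than code from the article or from the kiosks themselves. It assumes a kiosk that accepts a PEM certificate upload and should install it only if it is a single end-entity certificate chaining to the operator's pinned CA. The CA name, file names and the function names are hypothetical, and the certificates are generated on the spot as test fixtures, including a subordinate CA the operator CA signed and a bundle that smuggles an attacker's certificate in behind a legitimate one.

```shell
#!/bin/sh
# Added example, not code from the article or from Southern Rail's kiosks.
# Assumption: the kiosk accepts a PEM certificate upload and should install it
# only if it chains to the operator's pinned CA. The CA name, file names and the
# function names are hypothetical; the certificates are generated here as fixtures.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fixtures: an operator CA, a leaf it issued, a subordinate CA it
# issued, and an attacker's self-signed certificate with the same CN as the leaf.
make_fixtures() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 30 \
    -subj "/CN=Example Kiosk Operator CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=kiosk01.example" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.pem" 2>/dev/null
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=Example Sub CA" -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/sub.ext"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/sub.ext" -out "$WORK/sub.pem" 2>/dev/null
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 30 \
    -subj "/CN=kiosk01.example" -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
  # A bundle that starts with the legitimate leaf but carries the rogue cert after it
  cat "$WORK/leaf.pem" "$WORK/rogue.pem" > "$WORK/bundle.pem"
}

# verify_upload PINNED_CA UPLOAD: returns 0 only if UPLOAD is a single end-entity
# certificate that chains to PINNED_CA; prints the reason on rejection.
verify_upload() {
  ca=$1; upload=$2
  # Exactly one certificate: tools that read "the first cert" would otherwise let
  # an appended attacker certificate ride along into the trust store.
  [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$upload")" -eq 1 ] \
    || { echo "reject: expected exactly one certificate"; return 1; }
  openssl x509 -in "$upload" -noout 2>/dev/null \
    || { echo "reject: not a parseable X.509 certificate"; return 1; }
  # Chain only to the pinned CA; keep the system trust store out of the decision.
  openssl verify -no-CApath -no-CAfile -CAfile "$ca" "$upload" >/dev/null 2>&1 \
    || { echo "reject: does not chain to the operator CA"; return 1; }
  # A kiosk has no business installing new CAs, even ones the operator CA signed.
  if openssl x509 -in "$upload" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
    echo "reject: certificate is a CA"; return 1
  fi
  echo "accept"
}

make_fixtures
for f in leaf sub rogue bundle; do
  printf '%s: ' "$f"; verify_upload "$WORK/ca.pem" "$WORK/$f.pem" || true
done
```

Only the leaf is accepted; the subordinate CA, the self-signed look-alike and the padded bundle are each rejected for a different reason. The step that actually installs an accepted certificate is where the article's second point applies: it should run as an unprivileged service account with write access to the kiosk's own certificate directory and nothing else, so that a flaw in the upload handler does not hand an attacker the whole machine.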
Javvad Malik, Security Advocate at AlienVault:
“Generally speaking, I’m reminded of the old Microsoft article regarding the 10 immutable laws of security https://technet.microsoft.com/library/cc722487.aspx . Laws 2 and 3 are most relevant in this scenario where a bad guy can alter the operating system and has unrestricted physical access to the computer.
Any public facing device and software will always be a target for attack by criminals. The onus is always on the company to lock down and harden systems as well as have monitoring controls.
Kiosk security is somewhat easier because there are only a limited number of legitimate actions anyone should be able to take, all other actions should be blocked or closely monitored. Running virtual instances that can be rebuilt every night can also help in reducing any exposure that may arise from systems that have been compromised.”
Mark James, IT Security Specialist at ESET:
“Sadly, keeping security up together is not always as simple as it seems. As systems develop and mould into the gateways we use each and every day to achieve our tasks, the underlying software is often cobbled or stuck together as more and more is added. When it comes to making it safe and secure, it’s not as easy as with your average desktop PC. But when the public are using these gateways to hand over private and financial details, we would expect them to be as safe as possible.
For the company that owns said hardware, quite often it’s down to cost. Where do we spend the money? Keeping the public happy with service and schedules, or using some of that money to upgrade systems and security? Often the latter will take a back seat, but they directly affect each other. If systems are susceptible to attack and user details are stolen, then public perception and trust may greatly influence future sales. Security is all about layering defences: forming a good, secure base operating system, maintaining a regularly patched environment, installing a good internet security product and then forming hardware and software layers on top. If your foundations are flawed, then the rest may not necessarily help you and you’re still wide open to attack. You cannot cut corners; you have to spend money and you have to take security seriously. It needs to be by design and not an afterthought or an add-on.”
Alex Mathews, Lead Security Evangelist at Positive Technologies:
“It is difficult to tell what the impact might be without accessing the terminal itself, which Southern Rail would obviously not appreciate. The first thing an attacker would try to establish is the level of access and what privileges it has. If they found it had local disk access, the worst that could happen is a failure of that kiosk or modification of the behaviour of that specific terminal.
However, an attacker would be more interested in using such access for further cascading attacks within the interconnected systems and network. Here, we dive into the realms of real speculation. Depending on the level of network access, the exposure of interconnected systems and their various external and internal attack vectors, a range of theoretical possibilities exists, from impacting the whole network all the way to compromising one targeted system that could be critical to the kiosk infrastructure. One thing is clear: it is not ideal, and it will hopefully force a reassessment of the security of these devices.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.