Security Analysis of Public Terminals
Watch Dogs game perfectly describes the near future: all kinds of devices, cash withdrawal and acceptance tools, as well as a variety of devices with Internet access, crammed with vulnerabilities, the exploitation of which allows the hacker to gain certain benefits. For example, in the game, the protagonist using a smartphone can compromise the video surveillance system, thereby gaining the ability to conduct surveillance and obtain additional information.
Fans of Watch Dogs disagreed: someone says that it is too “utopian” to get a smartphone and break everything around. Others realize that “a fairy tale is a lie, but a hint in it” and the game world partially reflects the real one.
We will try to put forward some more arguments in favor of the fact that the devices around us, which we barely notice in parks and public places, can be vulnerable and be dangerous - at least for our wallet.
The number of public devices that are waiting for their hero from a computer game is off the charts. Parks and streets are full of payment terminals for parking of various means of transportation and cozy "booths" for quick recharging of a mobile device. Airports and train stations offer a variety of ticket payment and reference information devices. In cinemas there are terminals for buying and booking movie tickets. In polyclinics and government agencies, visitors are greeted with electronic queuing devices and the printing of some receipts. Even toilets are equipped with payment terminals. True, it’s unlikely that anyone will be able to pentest the latest devices - there’s not enough spirit :).
However, life teaches the developers of such devices that not all of their users relate to touchscreens with good intentions. If you enter a terminal hacked request into Google, we get a lot of relevant videos in which the main characters lay out solitaire on a terminal or draw obscenities in Paint. The reason for this may be various bugs in terminal applications, and often they have a similar operating principle.
So, in one of the videos, the participant holds his finger on the screen for about ten seconds, and this leads to the result of "right-clicking". On the other, the guys randomly poke into the lower left corner of the screen - and the full-screen application minimizes. Someone even thought of closing the GSM-antenna of the terminal with his palm and thus provoke a connection error.
Of the cases of compromise of such devices, the most interesting incident that occurred with the payment terminals of one well-known vendor of electronic payments. An attacker in the input field of the payment destination using the virtual on-screen keyboard of the application, which is available in the interface of the payment system, entered the string “last_page = StyleSheet.css”. Notepad.exe was opened as a handler for a file with this extension, which through its help system allowed the villain to get into the system control panel and launch the virtual keyboard of the operating system.
Methodology for security analysis of public terminals
Based on such videos and the sad experience of vendors, you can make a simple technique for analyzing the security of devices of this type.
Our task: having in our hands a full-screen application that most likely operates on the basis of the Windows operating system, go beyond its boundaries into the system environment. To do this, you can use the so-called Tap-fuzzing. In other words, to work with your fingers. Click on various sections of the application in order to provoke its undocumented behavior. Or you can use Data-fuzzing and substitute various data in the input fields in order to provoke incorrect processing of incoming data.
As soon as you manage to call an element of the standard operating system interface, the next step will be to get to the control panel - for example, through the help sections.
Getting into the control panel will be the starting point for launching the virtual keyboard with the corresponding consequences.
Residents of Moscow are increasingly likely to find bicycle parking meters in the parks of their city. The essence of these devices is quite simple: there is a payment terminal for paying for a bicycle and a bike rack. The output device in the payment terminal is a display where the user can register to ride a bicycle and get help information.
The system interface is designed specifically for this type of device (if you ever paid anything at payment terminals, you can imagine what it is about), and it’s hard to get confused. In this interface, the user has the opportunity to get the current location of the parking meter, or rather, see the mark on the Google map.
All such devices operate on the basis of classic operating systems (most often Windows-like) with all their vulnerabilities.
However, the specialized interface is a full-screen application with very limited functionality, which prevents the user from getting under the hood and intentionally or inadvertently doing stupid things. Accordingly, when analyzing the security of terminals, the main task is to go beyond the limits of this full-screen application. After that, it will be possible to fool around: launch your applications, raise privileges, dump valuable information and more.
Let's go for a ride!
In addition to the described link, other links are imperceptibly scattered in this application (for example, when displaying various restaurants, you can click the "Details" button), by clicking on which you can open a browser.
"So what? Well, I opened the browser - you don’t have a keyboard anyway! ”Now it will be: through the links on the pages with help information there is an opportunity to go to the help section called“ Accessibility ”, where the virtual keyboard is hidden (here is another unpleasant minus of Windows) .
Then everything depends on the imagination and the degree of arrogance of the attacker. Running cmd.exe demonstrates another configuration flaw: the current operating system session is started with administrator privileges, which means that we can potentially download and completely run any application without hindrance.
So, an attacker can get an NTLM hash of the administrator password. Moreover, it is highly likely that the password installed on this device is suitable for other devices of this type - and this is the third drawback of the configuration.
This is the end of the adventure, so let's speculate on what an attacker can extract from all this.
By government institutions, we mean those that are in buildings that have a coat of arms or a Russian flag. Without specificity and mention of manufacturers, but in fact :).
So, we have the interface of a full-screen application, which, based on the data we entered, offers to print a receipt for payment.
After filling in all the fields and details, we click the "Create" button and observe the following picture: the terminal opens a standard print window for a few seconds, which contains all the printing options for our document and automatically presses the "Print" button.
As a result, if an attacker manages to click on the “Change” button, he gets the opportunity to go to the help section through simple manipulations with the print settings ...
Whitehats fall asleep, blackhets awake
Post-operation scenarios arise from the features of these devices:
- All are located in public places.
- Available 24/7.
- They have the same configuration.
- They have an increased degree of trust on the part of the user.
- Connected to each other and can have access to other "private" networks.
The main objective of the attacker is the direct or indirect financial gain as a result of compromising the device. In this case, to achieve this goal, he can get not just an NTLM hash, which still needs to be brute-force to obtain a password, but immediately the administrator password. To do this, an attacker can extract passwords in clear form stored in memory. By the way, the latest version of the WCE utility can now not only dump passwords by injecting code into the lsass.exe process, but also directly read the memory within the current session.
We add here support for Windows 7, on the basis of which parking meters work, and we will get a “key” to all devices of this vendor at once.
In addition, an attacker can get a dump of the bike parking application, which kindly collects information about those who want to ride: name, email address and phone. It is possible that a database with important information is stored somewhere nearby. It’s not worth explaining that such a database will be of particular value in the market, because it contains verified phone numbers and email addresses. In the event that there is no such database, the villain can install his keylogger, which intercepts all the data entered by users and sends it to a remote server.
Considering one of the features of these devices - 24/7 operation, you can organize, for example, a pool for mining or use it for other hacking purposes that require the presence of an infected workstation around the clock in the network.
Particularly arrogant attackers can implement an attack scenario, which will result in the receipt of payment data of the user: on the main window of the parking meter application, you can unobtrusively leave a field for entering the details of a plastic card, and with a high degree of probability, the misguided user will kindly leave them with his name, phone number and e-mail ...
The abundance of scripts that provide opportunities for access to personal data and the wallet of unsuspecting people is limited only the imagination of intruders. The described situation with the security of parking meters clearly demonstrates how several configuration flaws form a vulnerability.
In addition, a compromised terminal may be the starting point for a further attack on the corporate network. Very often, such devices access a terminal server or an entire subnet located in the company's trusted zone, which means that a small targeted attack using malware and / or social engineering can allow an attacker to be in the main office. No knocking.
Our analysis of the security of parking meters demonstrates how several configuration flaws make the device vulnerable. And the given attack scenarios are how it can open to attackers access to personal data and wallets of unsuspecting people.
In order to exclude malicious activity on public devices, developers and administrators of bicycle parking terminals and other terminals located in public places, we recommend:
- Disable the ability to open external links in a full-screen application.
- Avoid invoking any elements of the Windows OS interface (for example, by right-clicking using windows for printing documents).
- Start a current operating system session with limited regular user privileges.
- On each device, create a unique account with a unique password.
We recommend that users of payment terminals do not enter the full details of their payment cards. In no case can you enter the CVV2 / CVC2-card number, they are not required to make a payment. The opportunity to pay in cash at the terminal should not be neglected.
First published in the Hacker magazine dated 12/2014.
Subscribe to Hacker