Photo Kiosks Infecting Customers' USB Devices
The Risky Biz blog brings news that Big W, a subsidiary of Woolworths, has Windows-based Fuji photo kiosks in at least some of its stores that don't run antivirus software, and are therefore spreading infections, such as Trojan-Poison-36, via customers' USB storage devices. Here is the account of the original reporter. "It's not just the lack of AV that's the problem... it appears there's been zero thought put into the problem of malware spreading via these kiosks. Why not just treat customers' USB devices as read-only? Why allow the kiosks to write to them at all? It would be interesting to find out which company — Fuji, Big W, or even some other third party — is responsible for the maintenance of the machines. It would also be interesting to find out if there are any liability issues here for Big W in light of its boneheaded lack of security planning."
Did they not learn this in programming school? Does not every programming tutorial and system administrator handbook start with this?
The first thing I learned (fortunately not the hard way) was that, never mind the specs, input is always malformed, user input doubly so...
System Administration 101
Original Reporter? I reported this to Woolworths in January. Not only that, it appears to be affecting independent camera stores with similar systems too.
Windows autorun viruses: Annoying if you use Windows, easy to ignore if you don't.
Vuvuzelas: Annoying if you watch soccer, easy to ignore if you don't.
I never encountered a USB stick with a read-only switch. Floppies had them (although they only "communicated" a read-only setting and could not enforce it). SD cards have them, but no USB stick I ever saw had one. Why? Such a switch on a digital device can really enforce the read-only setting.
Windows doesn't have a way to mount as read-only.
I would guess Fuji is responsible for these machines. I work for Target, and ALL equipment, kiosks included, in our Kodak labs are serviced by Kodak field techs.
Incidentally, we are allowed to connect guests' media to the kiosks ONLY, never directly to any other lab workstation, because the kiosks are (or at least are supposed to be) far better locked down, including treating all media as read-only.
Just burn a CD and give it to them. Blank CDs cost like 10 cents each if you buy a spindle, and you don't have to worry about them losing your USB drive or infecting it.
More people need to know about this: /FS:NTFS /X
You can make your USB stick immune to all autorun viruses. Simply make an empty autorun.inf file on the USB stick and set the file permissions for the user "Everyone" to Full control: Deny all.
Now no one can delete, write or rename that file, and viruses aren't smart enough yet to take over control of, or delete, the permissions on the file. The file system on the stick would have to be NTFS. If the file system on it is FAT32 you'll need to run from cmd
convert Z: /FS:NTFS
where Z is the partition letter of your USB stick. You can also disable autorun on all partitions using TweakUI.
"Customers' USB Devices Infecting Photo Kiosks".
I wonder how many of those booth designers fail to protect their own piece during promiscuous relationships. Are they too naive to think most people run, much less bother to update, their own AV software? They clearly haven't gone out much or been responsible enough at it... FAIL.
Must... resist... "yo momma" joke.
How much storage space do you mind losing to viruses though? Windows viruses. Come on, unleash your anger!
shouldn't the kiosk be readonly too?
I used to work on similar kiosks a few years back, those also had no AV, but usually that wasn't a problem.
They ran a hardened Win2k, no network services, autorun disabled, AFAIR execution for all drives but C: disabled.
So how the f* would they get infected in the first place?
Lazy techs, at least that was the #1 cause for troubles for back then, everything from re-enabling services to installing 3rd party RA software with no/weak passwords...
The kiosk situation is generally lousy.
Do they keep a copy of all my pics?
They make a copy (they have to, to display thumbnails), but is it temporary or permanent ("To improve the quality of our service...").
There should be a law prohibiting the keeping of copies without express permission, and they shouldn't be allowed to make unrelated functionality dependent on the user agreeing to let them keep a copy.
Copyright law might work here, but I imagine the kiosk companies have found a way around that. Maybe there's a "Terms of use" sticker on the back of the machine mentioning that they keep copies, etc.
A couple times I have seen an ATM that has crashed, BSOD or shows a windows logon screen -- And we're supposed to trust our money with these tin can openers? WTF?!
Just a guess, but when you are selecting pictures at the kiosk you can probably also do some options such as red-eye reduction, rotating etc. I would imagine most people who do that at a kiosk would like those changes saved on the original picture on their USB drive instead of having to repeat the process at home where they might not even know how to do it.
So there is a reason for not mounting it as read-only.
Why run windows on these kiosks? An embedded OS would be more suitable and cheaper...
Why execute anything that's stored on the USB sticks? That's just colossally stupid. I could understand if some malware was getting onto the devices by exploiting a bug in the JPEG parser or similar, but executing any code on an inserted device is just ridiculous.
Why is the inserted media not mounted read only? These kiosks only need to print photos, they don't need to write to the media.
Why is the system drive writable?
Why is the kiosk software running as a privileged user?
The idea of installing antivirus on them is a stupid one: it will increase the cost, require the kiosks to be updated somehow (either necessitating frequent engineer visits or requiring a network connection), and no antivirus detects everything (I often do incident response when a customer system has been compromised; in every single case there has been some kind of AV product installed, and it failed to detect the compromise even though in most cases the malware installed was well known to other AV products).
Also an av product may detect a false positive on a customer's media device and delete their data which could open the kiosk vendor up to potential liability.
Instead, run an embedded linux on these systems...
the frontend software is custom written anyway so could just be written for linux instead without too much difficulty..
less to go wrong since such an os could be stripped to its bare minimum
less cost - there would be no per unit licensing costs..
mount any customer supplied media readonly and noexec.
boot the os from readonly flash so the os cannot be tampered with and any problems a reboot will restore it to default/clean settings
use ram for temporary storage (or a small disk which is reformatted at boot if more storage is required) so after a power cycle, anything left on there is gone
if any persistent storage is required (eg for logs) use a remote syslog server, a receipt printer, or a small disk mounted noexec
use something like an internal readonly compact flash card for the os, when an engineer has to upgrade all he needs to do is swap the card out.
Just like with STDs, you can still be a carrier even if you yourself don't suffer from the symptoms.
And just like with STDs, infecting other people while claiming that you are "immune" kinda makes you a jerk.
No pun intended.
I still do not understand how people dare to deploy Windows on non-attended machines. Severe tweaking of the OS is necessary to accomplish this task successfully, to the point that you would probably be violating the license you are paying for. I bet everybody reading this has seen a 'funny' dialog or information box popping up on kiosks, information screens, ATMs, etc., not to mention BSODs. A photo kiosk is the typical application for which Windows is overkill.
You're just bitter because the idiots running Woolworths UK couldn't make it competitive enough to stay open so now you have to stalk kids at pick-n-mix's elsewhere perv-boy.
I did own an Agfa Photo Kiosk. It didn't have an AV by default and it ran "Windows XP embedded edition" that prevented me from installing an AV (installers didn't allow me to do an install.). I saved a raw image of the hard disk for safety and allowed it to infect customers. It was a security nightmare. Viruses had their way into the machine, but AV software didn't. Autorun was a requirement for the kiosk software to process photos and could not be disabled.
Confirming that my USB drive was infected after using the kiosk at Kmart. When I informed the attendant he told me not to worry, those machines were being replaced anyway.
As an aside, the kiosks at my local Big W have keyboards. While they were smart enough to remove the Windows key, they did not disable the Ctrl-Esc shortcut. Quite amusing to browse Slashdot in the middle of the store.
1. download random pic from Internet. ...
2. put it on stick, along with Virus
3. infect kiosk
4. from now on, kiosks substitutes customers photos with "random internet pic" from step 1 somewhere between the time the order has been validated, and when it will be printed.
5.
6. Sit back and watch the fun as customer comes back to pick up his photos...
Didn't they go bust at the end of 2008? Oh hang on.. you don't mean *that* Woolworths. You meant one of the other Woolworths around the world. Would have been nice if you'd mentioned which one.
For crying out loud - even floppies had read-only tabs. Who the f*** designs removable digital storages device without one?
I mean, that way people'd be able to secure themselves against this sort of thing, right?
So why have I never seen any USB drives that are made so that when a particular (physical) switch on it was toggled, the data on it is not modifiable by any computer it might be plugged into? It seems to me in light of this that it's a concept whose time may have likely come.
MS does nothing to stop you from implementing any file system you like in Windows. In fact, they've got documentation on how to do it. It's called the Installable Filesystem Kit, which is part of their driver development kit. You can easily write your own file system drivers for Windows.
As an example have a look at http://www.fs-driver.org/. They've got an ext2 driver for Windows. Install it, and ext2 is a file system Windows understands and works with, just like any other. There are others too, there is a commercial HFS (Mac) IFS if you need it.
The problem is not that MS won't allow people to implement other file systems on Windows; they allow it easily. The problem is people are not at all interested in doing so. MS themselves are not that interested because they have a good file system. If you read the info on BTRFS, its goals read like an NTFS feature list. NTFS does what they want for a modern filesystem for their computers. For simpler devices, there is exFAT and FAT32. They need nothing else.
Also FAT is so widely supported because it is old (lots of things support it, so more things continue to support it, etc.: positive feedback) and simple. For embedded devices, simplicity of a file system can be very important. You do not want the overhead associated with more complex file systems. As a simple example, the exfat.sys driver in Windows 7, which supports all FAT systems (including 32, 16, and 12), is 200k. The ntfs.sys driver that supports NTFS is 1.6MB. Now please note that the size difference isn't the issue; it is just indicative of the complexity. NTFS requires a lot of processing, as do most good modern desktop file systems. FAT is just a linked list, more or less. It is extremely simple to implement.
For that matter the original FAT is also the ISO/IEC 9293 standard.
But please, don't let the facts get in the way of your two minutes of hate.
I'm asking this out of curiosity, as I really don't have any experience with this type of thing: How do you ensure that USB devices are read-only? Is it a hardware thing? Because if it is a software thing, then it is doomed to being circumvented by the malware. Of course, that brings up the question as to how the malware got on the machine in the first place; I imagine from autorun being on by default. Some system integrator did a lousy job setting the machines up, for sure. But the question remains: how would you protect inserted USB or SD or Flash cards from being written to at a hardware level? Sure, all of those devices have a write-protect tab on them, and as a consumer there's no way I'm putting a drive of mine into an unknown machine without setting the drive to "write protect" first, but then, everyone isn't me.
The abysmal level of security found on these kiosks is why I only use a write-protected SD card when printing photos.
every USB stick (make that all removable media) should be like these:
http://www.newegg.com/Product/Product.aspx?Item=N82E16820709004
Speak Up. Somewhere along the chain, there will be a competent IT manager who knows what this means, and why it is important. If your organisation is good, that'll be from the CTO down, but worst-case you'll get to a "sergeant" kind of level where the manager still deals with the coalface.
If that manager hasn't been notified already by this blog or by someone else reading slashdot, your speaking up will be appreciated. If it's been raised before, you can rest easier knowing there's someone competent around, and you know who to go to next time.
Seriously, what would the harm be in speaking up?
I recently had to work with a programmer who was trained in India. Like most Indian-trained developers, he had his bachelors degree, two masters degrees, and almost every Microsoft, Cisco and Oracle certification possible.
We were to develop a relatively simple desktop application that our company would use internally. Like most business apps, it included a few forms where the app users would input certain data.
I ended up doing much of the back-end work, while he focused on the front-end. As the project progressed, I kept seeing that he didn't do any sort of input validation. None at all. So I asked him about this, and he told me that input validation was "wasteful" (his words)! I couldn't believe it, and asked him where he heard that from. He told me that was what his professors had taught him. Not only that, but he showed me some "citations" to back up his claims. Yes, he showed me papers by Indian professors with graphs and timing tables and all sorts of shit like that indicating that basic input validation was too intensive.
This was completely unacceptable, so I had to go to our manager and demand something be done. Thankfully, our manager understands the need for reliable software that includes user input validation, so this Indian fellow was transferred to another project. We hired a German university student, and the results were much better. Our application now has input validation.
"It's not just the lack of AV that's the problem... it appears there's been zero thought put into the problem of malware spreading via these kiosks. Why not just treat customers' USB devices as read-only? Why allow the kiosks to write to them at all?"
...
How about not using Microsoft Windows on the Photo Kiosks? An embedded Linux solution would provide the same functionality without the malware innovation
"Why run windows on these kiosks? An embedded OS would be more suitable and cheaper..."
"Because, while the embedded OS would be less expensive, the development costs would be far higher. Windows devs are a dime-a-dozen, not so much with true embedded developers, especially ones that have experience and know what they are doing."
This is a rehash of Linux-developers-cost-more FUD. The truth is an embedded Kiosk solution would be trivially easy to implement.
Building Embedded Linux Systems
Building Embedded Linux Systems shows you how to design and build your own embedded systems using Linux® as the kernel and freely available open source tools as the framework. Written by an active member of the open source community, the book is structured to gradually introduce readers to the intricacies of embedded Linux, with detailed information and examples in each chapter that culminate in describing how Linux is actually put on an embedded device.
Embedded-Linux-Distributions-Quick-Reference-Guide
While we're tossin' around analogies...
Well, since you mentioned it!
The myth that computers all have viruses is a sad joke. This is Microsoft's fault, plain and simple. The people who set up these kiosks have a right to expect that a computer can run virus-free. There ought to be a class action against Microsoft. Their products ought to be removed from the market for how dangerous they are. Windows is a fucking Pinto.
IBM used to support the fuji kiosks in 2003. Not sure if they still have that contract.
I always thought the machines were rebooted each day, and the image was deployed on each reboot, but what do I know about viruses and malware.
You need admin privileges to do that. Ah, wait, we're talking Windows here...
We have a camera store close to the main station in Stuttgart (Germany) which has the same issue, or it did the last time I went there. The instant you plug your USB device in it will get infected by the photo printer. Not sure what it is supposed to do, but when I try to run the file at home it won't work. Maybe I am doing something wrong .... $ wine yomamma.exe .... oh well.
The staff is totally clueless when it comes to computers and management does not give a shit so I bet the machine is still infected.
Theoretically Windows has all the features needed to protect a kiosk. You can mount a USB drive read-only. You can remove admin rights from the default account so the software read-only switch can't be changed. Have you ever looked through the list of privileges? You can fine-tune any security need between guest user and full admin. Makes good old VMS privileges look simple. It is all there. Just no one uses it.
Reused / Windows 9x-based software is running the systems? Some of them also have scanners; want to bet they are ones that only have Windows drivers for them?
I think they run on windows embedded and likely don't get the windows updates installed on them.
Also, they need to be networked to the printers at the photo lab.
I have had some experience with bowling alley computers. They were not used with customer usb devices or something but I had some chance to look at the deployment and they used an unpatched WindowsXP SP1 with admin privileges.
The control software of the bowling lane was a little bit communist (with all files being distributed equally across the whole filesystem).
I guess it is much easier to just use Delphi (codebases for such embedded systems are usually from 2001 or older) put everything in a box where everything (and I mean everything) is enabled and cross fingers. With no concern for where the files are stored with which permission and so on.
It's a nightmare when I have to change the advertisements of the bowling lane. I go to c:\config_advertisement and open advertisement.ini and change something in this badly malformed file. Then I put my bmp (because the deployment has no jpg library), after changing its name to "advertisement_21.bmp", into the c:\advertisement_pictures folder. Then you restart _the whole alley_ because restarting individual lanes is harder than you'd think.
And still they are top of the line and are selling one of the "most modern systems around"... sadly
"So, DNS is the way your computer finds www.google.com. It works by sending out packets to the root DNS servers that have the IP address of every computer on the internet. These servers send the IP address of the computer you want to talk to your computer."
No, I am not kidding. Attempts to discuss domains, zones, zone transfers, and different record types were met with a blank stare from the computer science PhD teaching the course. I'd been working in the field for years, was self-taught, and went to school to get the piece of paper that would allow me to continue to get promoted. I kept hoping to actually learn something considering all the money I was shelling out, but I had no such luck. 3 schools, 2.5 years, and a pile of money later, I think I was actually dumber for the experience. But I have my stinking piece of paper for you HR morons, so there.
I actually work at Big W in the photo department. None of the staff maintain the kiosks. If something happens we put up an out of order sign and a tech usually fixes it remotely. We aren't trained at all, and even though I know my way around Windows and the software fairly well I am not allowed to do anything.
It really wouldn't surprise me if the machines were infected with all sorts of nasties. Next time I'm in I might snoop around and see if they have antivirus on there.
And all the bad data is 'emancipated' to an external storage device.
pretty bad stuff
Just tell him about Little Bobby Tables.
To make your usb drive less likely to become a carrier you could create a directory called autorun.inf in your usb drive, then put dummy stuff in that directory. Then make the directory and its contents all read only+system+hidden.
If you use NTFS like I do, you can also set the permissions and ownership to be very restrictive.
While that's not foolproof, most malware writers won't bother handling this unless it becomes a common case.
Some crappy stuff may not be able to handle this. But so far it works for me.
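The two autorun.inf tricks posted above (the empty file with an Everyone:Deny ACL, and the read-only/system/hidden directory) combined into one script, as an added example; this is not code from any poster in this thread. It assumes drive letter Z: (a placeholder), an English-locale Windows with icacls.exe and convert.exe available (XP SP2 and later), and that the script runs as the account that creates the guard, which therefore owns it. Two caveats a practitioner should weigh before using it: converting the stick to NTFS is one-way, and many kiosks and cameras read only FAT, so an NTFS stick may stop working in exactly the kiosk you wanted to use; and the guard only stops spreaders that (re)write autorun.inf. It does nothing against malware that simply drops an executable or infects files on the stick, and anything running as Administrator can take ownership and strip the Deny entry. Microsoft's February 2011 AutoRun update also stopped Windows XP/Vista/7 from honouring autorun.inf on USB mass-storage devices, so on patched hosts the file no longer matters either way. The physical write-protect switch several posters ask for remains the only defence the host cannot override.

```powershell
# Added example, not from the thread: build an autorun.inf "guard" on a removable drive.
# Assumptions (placeholders): drive letter Z:, English locale, icacls.exe/convert.exe present.
param([string]$Drive = 'Z:')

$guard = Join-Path $Drive 'autorun.inf'

# 1. ACLs need NTFS. FAT32 -> NTFS conversion is one-way; /X forces a dismount first.
#    Caveat: kiosks and cameras that only read FAT will no longer read this stick.
$vol = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
if (-not $vol) { throw "Drive $Drive not found" }
if ($vol.FileSystem -ne 'NTFS') {
    & convert.exe $Drive /FS:NTFS /X
    if ($LASTEXITCODE -ne 0) { throw "convert failed with exit code $LASTEXITCODE" }
}

# 2. Use a directory rather than a file: a spreader that opens autorun.inf for writing
#    or deletes it fails on a non-empty directory, so keep a dummy file inside it.
if (Test-Path $guard -PathType Leaf) { Remove-Item $guard -Force }
if (-not (Test-Path $guard)) { New-Item -ItemType Directory -Path $guard | Out-Null }
Set-Content -Path (Join-Path $guard 'keep.txt') -Value 'autorun guard'
& attrib.exe +r +s +h $guard

# 3. Strip inherited ACEs and deny Everyone (SID S-1-1-0, locale-independent) full control,
#    inherited by the dummy file (OI) and any subdirectories (CI).
#    The owner keeps implicit READ_CONTROL/WRITE_DAC, so the guard can be undone later with:
#      icacls Z:\autorun.inf /remove:d *S-1-1-0
& icacls.exe $guard /inheritance:r /deny '*S-1-1-0:(OI)(CI)(F)' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 4. Verify from the owner's side: the guard must carry an explicit Deny for Everyone.
#    (Match string assumes English icacls output.)
function Test-AutorunGuard([string]$Path) {
    $acl = & icacls.exe $Path 2>$null
    if ($LASTEXITCODE -ne 0) { return $false }
    return [bool]($acl -match 'Everyone:\(DENY\)')
}

if (Test-AutorunGuard $guard) {
    "autorun guard in place on $guard"
} else {
    throw "guard verification failed on $guard"
}
```

Run it once per stick from an elevated or owning account; re-run Test-AutorunGuard after a trip through a suspect kiosk to see whether anything managed to remove the Deny entry, which is itself a useful indicator that the kiosk is running malware with ownership-taking privileges.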
Do you really expect someone who thinks running such a device with Windows is a good idea thinks even a moment about security?
Developing such simple GUI applications platform independently is trivial today.
I'm sorry, but there is no reason to run such a kiosk on Windows. However, there are many reasons not to. Just try to enumerate all the different ways an attacker could execute code. Just think of features like autorun, or the default dialogs. You can run code every time you reach the help system.
On Linux you install a normal system, and just start your application fullscreen without any window manager. Without a keyboard this already is quite safe.
This is actually a bug in Windows XP - it just runs all autorun.infs it can find, even if they are on a network drive or on a USB stick. Every time you read about something like "$STORAGE_MEDIUM contains $VIRUS and will infect your computer", it's actually "computer runs Windows and will execute every virus on every device it can find".
Microsoft could have fixed this long ago with an update, but for some reason, they didn't care.
Last time I upgraded my computer I put a motherboard that didn't have an IDE interface and my DVD drive was IDE. I was thinking of getting a SATA drive, but then I realized I had no real need for it.
Well, this article just gave me a FABULOUS idea!
One USB thumbdrive, one self-spreading virus for usb thumbdrives and every kiosk in town...
Even if I only get a few, it should STILL be good fun! Especially considering I offer a local virus removal service...
If these kiosks were locked down properly, they wouldn't be hosting these viruses. Users should only be able to write to one directory, or better yet a partition, and it should be wiped on logout.
I administer hundreds of Windows boxes used by thousands of virus-loving students. If you take the time tweaking policies, you can lock them down hard. It's a PIA, but should be mandatory for kiosk applications.
Kiosks that allow such things should reboot between customers.
If speed is of the essence, reboot from a flash or other high-speed protected boot medium. A write-protected RAMDISK backed by a writeable overlay RAMDISK would probably be ideal, with booting from write-only media as a backup, or as a primary if restart speed was not essential.
Of course, kiosks should not allow such things in the first place.
So people are sticking their dongles in strange holes with absolutely no protection and they're picking up viruses? Sounds like someone didn't pay attention during health class...
I know all that. What I was actually referring to was that most 3rd party applications still need admin rights. And it seems that those Kiosk programmers aren't any better.
And if I wanted an example of well-done privilege management I would use VMS and not any of the all-on / all-off security from Unix and its derivatives.
Search for my other postings lower down where I explained myself in more detail.
As a photo lab technician with a lot of experience in Woolworths Limited and its retail operations I offer my observations on this issue. Most Big W stores run the Fujifilm DPC3 with Windows XP and the Whitech Phototeller software. The default configuration on all these DPCs is that autorun is disabled (after all, it would sometimes interrupt the full-screen kiosk software on XP) and that the card reader and USB ports are configured to be read-only at an OS level. The permissions on them are heavily restricted, but they do not have any internet security or anti-virus software. That is probably a flaw, but the kiosks should never be directly connected to the internet and the threat is limited by the aforementioned configuration.

Whitech's software handles all the upload and download for off-site jobs on an on-site server, which is also generally responsible as relay for sending orders from the kiosks to the Digital Imaging Controller (assuming a Fujifilm printer). Ideally only this server should have an internet connection; all the other kiosks and imaging controllers should just be on a separate subnet without internet access. While not all setups I have seen have this separate subnet, it is common.

However, the policies that are set up on the kiosks are the Fujifilm defaults and should not be tampered with, and I have confirmed that Woolworths Limited stores get the same default configuration. If these are different on the kiosk in question, chances are they are using an older kiosk version (or a flawed newer one), a technician has modified the setup for testing and has failed to return the configuration to its original state, or an employee has made changes against the recommendations of Fujifilm. I run a Fujifilm system with DPC3s and an identical setup to most Big W stores and have never had any problems, nor discovered any viruses when doing AV scans.
It is important to note that with the exception of some obscure USB based viruses there should be few entry points for a virus on these kiosks. While I agree AV software should probably be installed on these by default to mitigate the extra risk, there is obviously something fishy with the kiosk in question.
It's my blog, and it happened to me and the missus. Happy to answer any questions. Unless viruses can be transferred to a USB stick wirelessly, I am 100% positive this virus is from the kiosk, as the creation time was minutes before the receipt for the photos my wife printed that day. Cheap USB stick, so no read-only switch, but she runs Linux and I run either Linux or a crazily locked-down Windows.
Why haven't they thought of that for the kiosks? A good question - I'd have hoped they were so crude they wouldn't run a common infectable OS, but I guess this is progress...
What I want to know is why is it so damn hard to get a USB flashdrive with write protection? I had one from around 2002, and when it broke, I never saw another. The best I could do is get one of those apps that writes every single unused sector with a dummy file, but I don't want to waste write and erase cycles on a not-really-fixed kludge in the first place.
But then, I haven't had photos developed this decade, so personally I'm in the clear. I'll just use a color printer if I really want a physical copy.