Slashdot Mirror


Photo Kiosks Infecting Customers' USB Devices

The Risky Biz blog brings news that Big W, a subsidiary of Woolworths, has Windows-based Fuji photo kiosks in at least some of its stores that don't run antivirus software, and are therefore spreading infections, such as Trojan-Poison-36, via customers' USB storage devices. Here is the account of the original reporter. "It's not just the lack of AV that's the problem... it appears there's been zero thought put into the problem of malware spreading via these kiosks. Why not just treat customers' USB devices as read-only? Why allow the kiosks to write to them at all? It would be interesting to find out which company — Fuji, Big W, or even some other third party — is responsible for the maintenance of the machines. It would also be interesting to find out if there are any liability issues here for Big W in light of its boneheaded lack of security planning."

7 of 288 comments

  1. Every input is bad... by maweki · · Score: 5, Insightful

    Did they not learn this in programming school? Does not every programming tutorial and system administrator handbook start with this?
    The first thing I learned (fortunately not the hard way) was that, never mind the specs, input is always malformed, user input doubly so...

    System Administration 101

    1. Re:Every input is bad... by Fluffeh · · Score: 4, Insightful

      I work at Woolworths (the parent company), and I really wonder if I start blowing my trumpet about this, will:
      a) Anyone in management have a clue what this means.
      b) Anyone be able to track down someone who can actually DO something about it.
      c) (sadly) whether anyone will actually care enough to make a change for the better.

      Tomorrow morning's agenda...

      --
      Moved to http://soylentnews.org/. You are invited to join us too!
    2. Re:Every input is bad... by stephanruby · · Score: 4, Insightful

      These same people were telling me that "regex" is better than the primitive methods I described for input validation -- the primitive methods I described were to be simple, compact and likely in assembler.

      Let me guess: (1) the software in question was a blogging program much like wordpress (in other words, you must feel that the context of the situation wasn't relevant to your thesis and didn't even need to be shared with us), (2) the kids you were talking to may have known about "premature optimization" but were far too young to explain that concept adequately to you, and (3) those same kids didn't know what an assembler was either; that's why they didn't make fun of you for pretending to know how to program in "assembler" instead of ***assembly***.

  2. Windows autorun viruses are like vuvuzelas. by ivucica · · Score: 5, Insightful

    Windows autorun viruses: Annoying if you use Windows, easy to ignore if you don't.
    Vuvuzelas: Annoying if you watch soccer, easy to ignore if you don't.

  3. Re:Read-only switch for USB sticks? by Tim+C · · Score: 5, Insightful

    I've seen them, but that's not the point - the point is that the kiosk itself should be mounting the stick as read-only regardless of how the stick itself is configured. There should be absolutely no way for the kiosk to write to the stick; otherwise you risk an error (or something malicious, as in this case) wiping out the customer's data or (again, as in this case) potentially infecting their machine.

  4. Re:Windows Read-only mode. by pinkushun · · Score: 3, Insightful

    Can you click faster than that Trojan, before it can infect your writable device? I doubt that, Speedy Gonzales. To mount read-only is divine.

  5. Re:Read-only switch for USB sticks? by Bert64 · · Score: 3, Insightful

    Mounting the stick read-only is to protect yourself against liability more than anything else (what if your kiosk corrupts the customer's filesystem or deletes their files?)
    On the other hand, you could use a hardware reader which is designed to be read-only so the software cannot write to it regardless... If the customer inserts a CDROM there is no chance of it being written to if the kiosk doesn't have a writer device.

    Preventing anything malicious from executing in the first place is another matter entirely, and also needs fixing.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
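The two host-side controls the thread keeps coming back to (mount customer media read-only, and never honour autorun) can both be enforced on a Windows kiosk with documented registry policies. The following is an added example, not code from the thread, Fuji or Big W; it assumes an elevated PowerShell session on Windows XP SP2 or later, and the function names are my own.

```powershell
# Added example (not from the Slashdot thread): enforce a read-only policy for
# removable storage and disable AutoRun on a Windows kiosk, then verify it.
# Assumes Windows XP SP2 or later and an elevated (Administrator) session.
# Both values are documented Windows registry settings:
#   StorageDevicePolicies\WriteProtect = 1   -> removable disks are write-protected
#   Policies\Explorer\NoDriveTypeAutoRun = 0xFF -> AutoRun disabled for all drive types

$WriteProtectKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$AutoRunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-KioskRemovableMediaPolicy {
    # Hypothetical helper name. The policy keys do not exist by default; create them.
    foreach ($key in @($WriteProtectKey, $AutoRunKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Write-protect every removable disk: the kiosk can still read a customer's
    # photos, but it can no longer drop files onto the stick.
    Set-ItemProperty -Path $WriteProtectKey -Name 'WriteProtect' -Value 1 -Type DWord
    # 0xFF disables AutoRun for unknown, removable, fixed, network, CD-ROM and
    # RAM-disk drive types, so an autorun.inf on an infected stick is ignored.
    Set-ItemProperty -Path $AutoRunKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Test-KioskRemovableMediaPolicy {
    # Hypothetical helper name. Returns $true only when both protections are in
    # place; run it from a scheduled task so drift (e.g. a technician re-enabling
    # writes during maintenance) is caught by monitoring, not by infected customers.
    $wp = (Get-ItemProperty -Path $WriteProtectKey -Name 'WriteProtect' `
               -ErrorAction SilentlyContinue).WriteProtect
    $ar = (Get-ItemProperty -Path $AutoRunKey -Name 'NoDriveTypeAutoRun' `
               -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $ok = ($wp -eq 1) -and ($ar -eq 0xFF)
    if (-not $ok) {
        Write-Warning "Kiosk policy drift: WriteProtect=$wp NoDriveTypeAutoRun=$ar"
    }
    return $ok
}

Set-KioskRemovableMediaPolicy
if (Test-KioskRemovableMediaPolicy) { Write-Output 'Removable media policy enforced.' }
```

WriteProtect applies to disks connected after the value is set, so already-inserted media must be reinserted; as Bert64 notes, this stops the kiosk writing to the stick but does nothing about malware that is already on the kiosk, which still needs execution controls of its own.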