Photo Kiosks Infecting Customers' USB Devices
The Risky Biz blog brings news that Big W, a subsidiary of Woolworths, has Windows-based Fuji photo kiosks in at least some of its stores that don't run antivirus software, and are therefore spreading infections, such as Trojan-Poison-36, via customers' USB storage devices. Here is the account of the original reporter. "It's not just the lack of AV that's the problem... it appears there's been zero thought put into the problem of malware spreading via these kiosks. Why not just treat customers' USB devices as read-only? Why allow the kiosks to write to them at all? It would be interesting to find out which company — Fuji, Big W, or even some other third party — is responsible for the maintenance of the machines. It would also be interesting to find out if there are any liability issues here for Big W in light of its boneheaded lack of security planning."
Did they not learn this in programming school? Does not every programming tutorial and system administrator handbook start with this?
The first thing I learned (fortunately not the hard way) was that, never mind the specs, input is always malformed, user input doubly so...
System Administration 101
Windows autorun viruses: Annoying if you use Windows, easy to ignore if you don't.
Vuvuzelas: Annoying if you watch soccer, easy to ignore if you don't.
I never encountered a USB stick with a read-only switch. Floppies had them (although they only "communicated" a read-only setting and could not enforce it). SD cards have them, but no USB stick I ever saw had one. Why? Such a switch on a digital device can really enforce the read-only setting.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
I would guess Fuji is responsible for these machines. I work for Target, and ALL equipment, kiosks included, in our Kodak labs are serviced by Kodak field techs.
Incidentally, we are allowed to connect guests' media to the kiosks ONLY, never directly to any other lab workstation, because the kiosks are (or at least are supposed to be) far better locked down, including treating all media as read-only.
Just burn a CD and give it to them. Blank CDs cost like 10 cents each if you buy a spindle, and you don't have to worry about them losing your USB drive or infecting it.
More people need to know about this:
You can make your USB stick immune to all autorun viruses. Simply make an empty autorun.inf file on the USB stick, set file permissions for username "everyone" to Full control: Deny all.
Now no one can delete, write, rename that file and viruses aren't smart enough yet to take over control or delete permissions on the file. The file system on the stick would have to be NTFS. If the file system on it is FAT32 you'll need to run from cmd
convert Z: /FS:NTFS /X
Where Z is the partition letter of your USB stick. You can also disable autorun on all partitions using TweakUI
"Customers USB Devices Infecting Photo Kiosks".
Wow, it took me all of 30 seconds to find evidence that you're a lazy raging retard who shouldn't be trusted with a calculator, let alone a general purpose computing device. I know that's a long name for the link, but I really felt it needed to be said.
If you were blocking sigs, you wouldn't have to read this.
Must... resist... "yo momma" joke.
How much storage space do you mind losing to viruses though? Windows viruses. Come on, unleash your anger!
If you were blocking sigs, you wouldn't have to read this.
Can you click faster than that Trojan, before it can infect your writable device? I doubt that, Speedy Gonzales. To mount read-only is divine.
I used to work on similar kiosks a few years back, those also had no AV, but usually that wasn't a problem.
They ran a hardened win2k, no network services, autorun disabled, afair execution for all drives but C: disabled.
So how the f* would they get infected in the first place?
Lazy techs, at least that was the #1 cause for troubles back then, everything from re-enabling services to installing 3rd party RA software with no/weak passwords...
The kiosk situation is generally lousy.
Do they keep a copy of all my pics?
They make a copy (they have to, to display thumbnails), but is it temporary or permanent ("To improve the quality of our service...").
There should be a law prohibiting the keeping of copies without express permission, and they shouldn't be allowed to make unrelated functionality dependent on the user agreeing to let them keep a copy.
Copyright law might work here, but I imagine the kiosk companies have found a way around that. Maybe there's a "Terms of user" stick on the back of the machine mentioning that they keep copies, etc.
Expert in software patents or patent law? Contribute to the ESP wiki!
A couple times I have seen an ATM that has crashed, BSOD or shows a windows logon screen -- And we're supposed to trust our money with these tin can openers? WTF?!
Just a guess, but when you are selecting pictures at the kiosk you can probably also do some options such as red-eye reduction, rotating etc. I would imagine most people who do that at a kiosk would like those changes saved on the original picture on their USB drive instead of having to repeat the process at home where they might not even know how to do it.
So there is a reason for not mounting it as read-only.
Why run windows on these kiosks? An embedded OS would be more suitable and cheaper...
Why execute anything that's stored on the USB sticks? That's just colossally stupid, I could understand if some malware was getting onto the devices by exploiting a bug in the JPEG parser or similar, but executing any code on an inserted device is just ridiculous.
Why is the inserted media not mounted read only? These kiosks only need to print photos, they don't need to write to the media.
Why is the system drive writable?
Why is the kiosk software running as a privileged user?
The idea of installing antivirus on them is a stupid one, it will increase the cost, require the kiosks to be updated somehow (either necessitating frequent engineer visits or require a network connection), and no antivirus detects everything (I often do incident response when a customer system has been compromised, in every single case there has been some kind of AV product installed and it failed to detect the compromise even though in most cases the malware installed is well known to other AV products).
Also an av product may detect a false positive on a customer's media device and delete their data which could open the kiosk vendor up to potential liability.
Instead, run an embedded linux on these systems...
the frontend software is custom written anyway so could just be written for linux instead without too much difficulty..
less to go wrong since such an os could be stripped to its bare minimum
less cost - there would be no per unit licensing costs..
mount any customer supplied media readonly and noexec.
boot the os from readonly flash so the os cannot be tampered with and any problems a reboot will restore it to default/clean settings
use ram for temporary storage (or a small disk which is reformatted at boot if more storage is required) so after a power cycle, anything left on there is gone
if any persistent storage is required (eg for logs) use a remote syslog server, a receipt printer, or a small disk mounted noexec
use something like an internal readonly compact flash card for the os, when an engineer has to upgrade all he needs to do is swap the card out.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
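The mount rules listed in the comment above (read-only OS, customer media read-only and noexec, log disk noexec) can be checked mechanically against a `/proc/mounts`-style table. This is an added example, not part of the original thread; the `/media/customer` and `/var/log` mount points and both sample tables are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit a /proc/mounts-style table against the kiosk mount policy.
# Assumed paths (not from the thread): customer media under /media/customer,
# persistent log disk at /var/log.
MEDIA_PREFIX="/media/customer"
LOG_MOUNT="/var/log"

# audit_mounts: reads mount lines on stdin, prints "FAIL <mountpoint> missing:<opt>"
# for every violated rule, and returns 1 if any rule failed, 0 otherwise.
audit_mounts() {
    awk -v media="$MEDIA_PREFIX" -v logm="$LOG_MOUNT" '
    # Exact match on a comma-separated option, so "errors=remount-ro"
    # is never mistaken for "ro".
    function has(opts, want,    n, i, a) {
        n = split(opts, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == want) return 1
        return 0
    }
    function need(mp, opts, want) {
        if (!has(opts, want)) { print "FAIL " mp " missing:" want; bad = 1 }
    }
    {
        mp = $2; opts = $4
        # OS image must be read-only so a reboot restores a clean state.
        if (mp == "/") need(mp, opts, "ro")
        # Customer-supplied media: never writable, never executable.
        if (mp == media || index(mp, media "/") == 1) {
            need(mp, opts, "ro"); need(mp, opts, "noexec")
        }
        # Persistent log storage may be writable but not executable.
        if (mp == logm) need(mp, opts, "noexec")
    }
    END { exit bad + 0 }
    '
}

# Constructed sample: a table that satisfies the policy.
GOOD_TABLE='/dev/mmcblk0p1 / squashfs ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda1 /media/customer/usb0 vfat ro,nosuid,nodev,noexec,relatime 0 0
/dev/mmcblk0p2 /var/log ext4 rw,noexec,nosuid 0 0'

# Constructed sample: writable root and a writable, executable USB stick.
BAD_TABLE='/dev/mmcblk0p1 / ext4 rw,relatime 0 0
/dev/sda1 /media/customer/usb0 vfat rw,relatime 0 0'
```

On a real system the same function can be fed the live table with `audit_mounts < /proc/mounts`.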
Just like with STDs, you can still be a carrier even if you yourself don't suffer from the symptoms.
And just like with STDs, infecting other people while claiming that you are "immune" kinda makes you a jerk.
No pun intended.
Against stupidity the gods themselves contend in vain
I still do not understand how people dare to deploy Windows on non-attended machines. Severe tweaking to the OS is necessary to accomplish this task successfully, at a point you would be probably violating the license you are paying for. I bet everybody reading this has seen a 'funny' dialog or information box popping up on kiosks, information screens, ATMs, etc. not to mention BSODs. A photo kiosk is the typical application for which Windows is an overkill.
My other signature is a car
I did own an Agfa Photo Kiosk. It didn't have an AV by default and it ran "Windows XP embedded edition" that prevented me from installing an AV (installers didn't allow me to do an install.). I saved a raw image of the hard disk for safety and allowed it to infect customers. It was a security nightmare. Viruses had their way into the machine, but AV software didn't. Autorun was a requirement for the kiosk software to process photos and could not be disabled.
1. download random pic from Internet. ...
2. put it on stick, along with Virus
3. infect kiosk
4. from now on, kiosk substitutes customers' photos with "random internet pic" from step 1 somewhere between the time the order has been validated, and when it will be printed.
5.
6. Sit back and watch the fun as customer comes back to pick up his photos...
MS does nothing to stop you from implementing any file system you like in Windows. In fact, they've got documentation on how to do it. It's called the Installable Filesystem Kit, which is part of their driver development kit. You can easily write your own file system drivers for Windows.
As an example have a look at http://www.fs-driver.org/. They've got an ext2 driver for Windows. Install it, and ext2 is a file system Windows understands and works with, just like any other. There are others too, there is a commercial HFS (Mac) IFS if you need it.
The problem is not that MS won't allow people to implement other file systems on Windows, they allow it easily. The problem is people are not at all interested in doing so. MS themselves are not that interested because they have a good file system. If you read the info on BTRFS its goals read like an NTFS feature list. NTFS does what they want for a modern filesystem for their computers. For simpler devices, there is exFAT and FAT32. They need nothing else.
Also FAT is so widely supported because it is old (lots of things support it, so more things continue to support it, etc, positive feedback) and simple. For embedded devices, simplicity of a file system can be very important. You do not want the overhead associated with more complex file systems. As a simple example the exfat.sys driver in Windows 7, which supports all FAT systems (including 32, 16, and 12) is 200k. The ntfs.sys driver that supports NTFS is 1.6MB. Now please note that the size difference isn't the issue, it is just indicative of the complexity. NTFS requires a lot of processing, as do most good modern desktop file systems. FAT is just a linked list more or less. It is extremely simple to implement.
For that matter the original FAT is also the ISO/IEC 9293 standard.
But please, don't let the facts get in the way of your two minutes of hate.
Are you sure that Windows is ready for the desktop? I'm not sure my grandmother could handle that...
The mental image of widows mounting USB sticks is overpowering. Best typo ever.
Speak Up. Somewhere along the chain, there will be a competent IT manager who knows what this means, and why it is important. If your organisation is good, that'll be from the CTO down, but worst-case you'll get to a "sergeant" kind of level where the manager still deals with the coalface.
If that manager hasn't been notified already by this blog or by someone else reading slashdot, your speaking up will be appreciated. If it's been raised before, you can rest easier knowing there's someone competent around, and you know who to go to next time.
Seriously, what would the harm be in speaking up?
Man who leaps off cliff jumps to conclusion.
AC has posted something similar, but with a lot fewer flames.
Parent may be a lazy raging retard, but I don't understand the need to flame him.
What has been most beneficial to me are not the exact steps, but the knowledge that it's possible with the setting of a registry entry (and the corresponding security permission). I've learnt a lot more from AC's kindly-worded post than your flames.