Slashdot Mirror


Photo Kiosks Infecting Customers' USB Devices

The Risky Biz blog brings news that Big W, a subsidiary of Woolworths, has Windows-based Fuji photo kiosks in at least some of its stores that don't run antivirus software, and are therefore spreading infections, such as Trojan-Poison-36, via customers' USB storage devices. Here is the account of the original reporter. "It's not just the lack of AV that's the problem... it appears there's been zero thought put into the problem of malware spreading via these kiosks. Why not just treat customers' USB devices as read-only? Why allow the kiosks to write to them at all? It would be interesting to find out which company — Fuji, Big W, or even some other third party — is responsible for the maintenance of the machines. It would also be interesting to find out if there are any liability issues here for Big W in light of its boneheaded lack of security planning."

21 of 288 comments

  1. Every input is bad... by maweki · · Score: 5, Insightful

    Did they not learn this in programming school? Does not every programming tutorial and system administrator handbook start with this?
    The first thing I learned (fortunately not the hard way) was that, never mind the specs, input is always malformed, user input doubly so...

    System Administration 101

    1. Re:Every input is bad... by erroneus · · Score: 4, Interesting

      No, they don't teach that any longer. I was up on my soap box on the issue and the general response was "but that just introduces bloat!" and was modded troll. I seriously couldn't believe what I was seeing. The fundamentals have been forgotten or ignored lately. It explains a lot. These same people were telling me that "regex" is better than the primitive methods I described for input validation -- the primitive methods I described were to be simple, compact and likely in assembler. I was like "what do you think a 'regex' does? Magic? It does the very same thing I described but in a higher-level language." These people all believe in the magical black box.

    2. Re:Every input is bad... by Fluffeh · · Score: 4, Insightful

      I work at Woolworths (The parent company), and I really wonder if I start blowing my trumpet about this, will:
      a) Anyone in management have a clue what this means.
      b) Anyone be able to track down someone who can actually DO something about it.
      c) (sadly) whether anyone will actually care enough to make a change for the better.

      Tomorrow morning's agenda...

      --
      Moved to http://soylentnews.org/. You are invited to join us too!
    3. Re:Every input is bad... by stephanruby · · Score: 4, Insightful

      These same people were telling me that "regex" is better than the primitive methods I described for input validation -- the primitive methods I described were to be simple, compact and likely in assembler.

      Let me guess: (1) the software in question was a blogging program much like WordPress (in other words, you must feel that the context of the situation wasn't relevant to your thesis and didn't even need to be shared with us), (2) the kids you were talking to may have known about "premature optimization" but were far too young to explain that concept adequately to you, and (3) those same kids didn't know what an assembler was either, that's why they didn't make fun of you for pretending to know how to program in "assembler" instead of ***assembly***.

  2. Windows autorun viruses are like vuvuzelas. by ivucica · · Score: 5, Insightful

    Windows autorun viruses: Annoying if you use Windows, easy to ignore if you don't.
    Vuvuzelas: Annoying if you watch soccer, easy to ignore if you don't.

  3. Re:Read-only switch for USB sticks? by Tim+C · · Score: 5, Insightful

    I've seen them, but that's not the point - the point is that the kiosk itself should be mounting the stick as read-only regardless of how the stick itself is configured. There should be absolutely no way for the kiosk to write to the stick; otherwise you risk an error (or something malicious, as in this case) wiping out the customer's data or (again, as in this case) potentially infecting their machine.

  4. Responsibility by Anonymous Coward · · Score: 5, Interesting

    I would guess Fuji is responsible for these machines. I work for Target, and ALL equipment, kiosks included, in our Kodak labs are serviced by Kodak field techs.

    Incidentally, we are allowed to connect guests' media to the kiosks ONLY, never directly to any other lab workstation, because the kiosks are (or at least are supposed to be) far better locked down, including treating all media as read-only.

  5. Re:Read-only switch for USB sticks? by Anonymous Coward · · Score: 5, Informative

    virus.code

    line 1: remount USB write enabled

  6. Just burn a CD by Spy+Handler · · Score: 5, Informative

    Just burn a CD and give it to them. Blank CDs cost like 10 cents each if you buy a spindle, and you don't have to worry about them losing your USB drive or infecting it.

  7. Use file permissions. by jack2000 · · Score: 4, Informative

    More people need to know about this:
    You can make your USB stick immune to all autorun viruses. Simply make an empty autorun.inf file on the USB stick, set file permissions for username "everyone" to Full control: Deny all.
    Now no one can delete, write, rename that file and viruses aren't smart enough yet to take over control or delete permissions on the file. The file system on the stick would have to be NTFS. If the file system on it is FAT32 you'll need to run from cmd
    convert Z: /FS:NTFS /X
    Where Z is the partition letter of your usb stick. You can also disable autorun on all partitions using TweakUI

    1. Re:Use file permissions. by twisteddk · · Score: 4, Interesting

      And what makes you think that the Kiosk software can read an NTFS USB drive?
      While I cannot speak for the specific types of machines mentioned in the article, I DO know that a lot of the local machines over here are using some funky Linux flavor (presumably to keep costs down), running off flash ROM. And they generally expect you to deliver the data in a FAT32 partition if you provide a USB drive.
      Then again, if the software is Linux, then there usually isn't that much of a problem with viruses hopping from one device to the next, I'd wager.

      --
      --- To err is human... Am I more human than most ?
    2. Re:Use file permissions. by Bert64 · · Score: 4, Interesting

      Blame Microsoft...
      There are plenty of open royalty free filesystems out there, but MS refuse to implement them and want you to pay royalties to use their own filesystems instead, so people use fat32 because it's the least patented of the few filesystems MS do bother to support.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  8. Surely the title of this article should be... by ewrong · · Score: 5, Interesting

    "Customers' USB Devices Infecting Photo Kiosks".

  9. Re:Windows Read-only mode. by Rogerborg · · Score: 5, Informative

    Wow, it took me all of 30 seconds to find evidence that you're a lazy raging retard who shouldn't be trusted with a calculator, let alone a general purpose computing device. I know that's a long name for the link, but I really felt it needed to be said.

    --
    If you were blocking sigs, you wouldn't have to read this.
  10. Re:One more reason not to use Windows. by Rogerborg · · Score: 4, Funny

    I wouldn't mind if it dumped all the world's infections on my stick.

    Must... resist... "yo momma" joke.

    How much storage space do you mind losing to viruses though? Windows viruses. Come on, unleash your anger!

    --
    If you were blocking sigs, you wouldn't have to read this.
  11. Yeah, so? by Anonymous Coward · · Score: 5, Interesting

    I used to work on similar kiosks a few years back, those also had no AV, but usually that wasn't a problem.
    They ran a hardened win2k, no network services, autorun disabled, afair execution for all drives but C: disabled.
    So how the f* would they get infected in the first place?
    Lazy techs, at least that was the #1 cause for troubles back then, everything from re-enabling services to installing 3rd party RA software with no/weak passwords...

  12. I also want to know if they copy my pics! by ciaran_o_riordan · · Score: 4, Interesting

    The kiosk situation is generally lousy.

    Do they keep a copy of all my pics?

    They make a copy (they have to, to display thumbnails), but is it temporary or permanent ("To improve the quality of our service...").

    There should be a law prohibiting the keeping of copies without express permission, and they shouldn't be allowed to make unrelated functionality dependent on the user agreeing to let them keep a copy.

    Copyright law might work here, but I imagine the kiosk companies have found a way around that. Maybe there's a "Terms of use" sticker on the back of the machine mentioning that they keep copies, etc.

    1. Re:I also want to know if they copy my pics! by tqft · · Score: 5, Interesting

      I know BigW keep them for up to a week - stuck disk in, all the thumbnails up, and I asked - how long do you keep them? Up to a week as customers often come back. Can you delete them for me now? No.

      I haven't been back there to have photos printed. And any shop - I grab just the pics I want printed and put them on an SD card and put that in.

      Why feed the Beast more than it needs to? If we don't make the data available, the Beast can't eat it.

      --
      The Singularity is closer than you think
      Quant
  13. Poor design.. by Bert64 · · Score: 4, Interesting

    Why run windows on these kiosks? An embedded OS would be more suitable and cheaper...

    Why execute anything that's stored on the USB sticks? That's just colossally stupid, I could understand if some malware was getting onto the devices by exploiting a bug in the JPEG parser or similar, but executing any code on an inserted device is just ridiculous.
    Why is the inserted media not mounted read only? These kiosks only need to print photos, they don't need to write to the media.
    Why is the system drive writable?
    Why is the kiosk software running as a privileged user?

    The idea of installing antivirus on them is a stupid one, it will increase the cost, require the kiosks to be updated somehow (either necessitating frequent engineer visits or require a network connection), and no antivirus detects everything (I often do incident response when a customer system has been compromised, in every single case there has been some kind of AV product installed and it failed to detect the compromise even though in most cases the malware installed is well known to other AV products).

    Also an av product may detect a false positive on a customer's media device and delete their data which could open the kiosk vendor up to potential liability.

    Instead, run an embedded linux on these systems...
    the frontend software is custom written anyway so could just be written for linux instead without too much difficulty..
    less to go wrong since such an os could be stripped to its bare minimum
    less cost - there would be no per unit licensing costs..
    mount any customer supplied media readonly and noexec.
    boot the os from readonly flash so the os cannot be tampered with and any problems a reboot will restore it to default/clean settings
    use ram for temporary storage (or a small disk which is reformatted at boot if more storage is required) so after a power cycle, anything left on there is gone
    if any persistent storage is required (eg for logs) use a remote syslog server, a receipt printer, or a small disk mounted noexec
    use something like an internal readonly compact flash card for the os, when an engineer has to upgrade all he needs to do is swap the card out.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
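
The read-only, noexec mounting of customer media recommended in the comment above can be checked mechanically on a Linux kiosk. This is an added example, not code from the thread or from any kiosk vendor; the `/media/customer` prefix and the sample mount table are assumptions constructed for illustration, and it also checks `nosuid` and `nodev`, which go beyond what the comment lists.

```shell
#!/bin/sh
# Audit mount options of customer-media mount points.
# Input format is that of /proc/mounts: device mountpoint fstype options dump pass
# MEDIA_PREFIX is an assumed location where the kiosk mounts customer media.
MEDIA_PREFIX="${MEDIA_PREFIX:-/media/customer}"

# has_opt OPTIONS NAME: succeeds only if NAME is a whole comma-separated option
# (so "errors=remount-ro" does not count as "ro").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts: reads mount lines on stdin, prints one FAIL line per
# customer-media mount missing a required option, returns non-zero on findings.
audit_mounts() {
    findings=0
    while read -r dev mnt fstype opts _rest; do
        case "$mnt" in
            "$MEDIA_PREFIX"|"$MEDIA_PREFIX"/*) ;;
            *) continue ;;          # not customer media, out of scope
        esac
        missing=""
        for want in ro noexec nosuid nodev; do
            has_opt "$opts" "$want" || missing="$missing $want"
        done
        if [ -n "$missing" ]; then
            echo "FAIL $mnt ($dev, $fstype): missing$missing"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample in /proc/mounts format (not taken from a real kiosk).
sample_mounts() {
    cat <<'EOF'
/dev/root / squashfs ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda1 /media/customer/usb0 vfat rw,relatime,uid=1000 0 0
/dev/sdb1 /media/customer/sd0 vfat ro,nosuid,nodev,noexec,relatime 0 0
EOF
}

sample_mounts | audit_mounts || echo "customer media policy violated"
```

On a real system the same function can be fed `/proc/mounts` directly, for example from a watchdog that takes the kiosk out of service when a finding appears.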
  14. kiosk manufacturers are the culprits by dev_eddie · · Score: 5, Informative

    I did own an Agfa Photo Kiosk. It didn't have an AV by default and it ran "Windows XP embedded edition" that prevented me from installing an AV (installers didn't allow me to do an install.). I saved a raw image of the hard disk for safety and allowed it to infect customers. It was a security nightmare. Viruses had their way into the machine, but AV software didn't. Autorun was a requirement for the kiosk software to process photos and could not be disabled.

    --


    /usr/bin/cookie: Permission Denied.
  15. W00t! Windows based kiosks by ArsenneLupin · · Score: 4, Funny

    1. download random pic from Internet.
    2. put it on stick, along with Virus
    3. infect kiosk
    4. from now on, kiosk substitutes customers' photos with "random internet pic" from step 1 somewhere between the time the order has been validated, and when it will be printed.
    5. ...
    6. Sit back and watch the fun as customer comes back to pick up his photos...