Slashdot Mirror

← Back to Stories (view on slashdot.org)

Photo Kiosks Infecting Customers' USB Devices

Posted by kdawson on from the thumb-drive-condoms-in-aisle-four dept.

The Risky Biz blog brings news that Big W, a subsidiary of Woolworths, has Windows-based Fuji photo kiosks in at least some of its stores that don't run antivirus software, and are therefore spreading infections, such as Trojan-Poison-36, via customers' USB storage devices. Here is the account of the original reporter. "It's not just the lack of AV that's the problem... it appears there's been zero thought put into the problem of malware spreading via these kiosks. Why not just treat customers' USB devices as read-only? Why allow the kiosks to write to them at all? It would be interesting to find out which company — Fuji, Big W, or even some other third party — is responsible for the maintenance of the machines. It would also be interesting to find out if there are any liability issues here for Big W in light of its boneheaded lack of security planning."

11 of 288 comments (clear)

  1. Every input is bad... by maweki · · Score: 5, Insightful

    Did they not learn this in programming school? Does not every programming tutorial and system administrator handbook start with this?
    The first thing I learned (fortunately not the hard way) was, that, nevermind the specs, input is allways malformed, user input doubly so...

    System Administration 101

  2. Windows autorun viruses are like vuvuzelas. by ivucica · · Score: 5, Insightful

    Windows autorun viruses: Annoying if you use Windows, easy to ignore if you don't.
    Vuvuzelas: Annoying if you watch soccer, easy to ignore if you don't.

  3. Re:Read-only switch for USB sticks? by Tim+C · · Score: 5, Insightful

    I've seen them, but that's not the point - the point is that the kiosk itself should be mounting the stick as read-only regardless of how the stick itself is configured. There should be absolutely no way for the kiosk to write to the stick; otherwise you risk an error (or something malicious, as in this case) wiping out the customer's data or (again, as in this case) potentially infecting their machine.

    --
    It's official. Most of you are morons.
  4. Responsibility by Anonymous Coward · · Score: 5, Interesting

    I would guess Fuji is responsible for these machines. I work for Target, and ALL equipment, kiosks included, in our Kodak labs are serviced by Kodak field techs.

    Incidentally, we are allowed to connect guests' media to the kiosks ONLY, never directly to any other lab workstation, because the kiosks are (or at least are supposed to be) far better locked down, including treating all media as read-only.

  5. Re:Read-only switch for USB sticks? by Anonymous Coward · · Score: 5, Informative

    virus.code

    line 1: remount USB write enabled

  6. Just burn a CD by Spy+Handler · · Score: 5, Informative

    Just burn a CD and give it to them. Blank CDs cost like 10 cents each if you buy a spindle, and you don't have to worry about them losing your USB drive or infecting it.

  7. Surely the title of this article should be... by ewrong · · Score: 5, Interesting

    "Customers USB Devices Infecting Photo Kiosks".

  8. Re:Windows Read-only mode. by Rogerborg · · Score: 5, Informative

    Wow, it took me all of 30 seconds to find evidence that you're a lazy raging retard who shouldn't be trusted with a calculator, let alone a general purpose computing device. I know that's a long name for the link, but I really felt it needed to be said.

    --
    If you were blocking sigs, you wouldn't have to read this.
  9. Yeah, so? by Anonymous Coward · · Score: 5, Interesting

    I used to work on similar kiosks a few years back, those also had no AV, but usually that wasn't a problem.
    They ran a hardened win2k, no network services, autorun disabled, afair execution for all drives but C: disabled.
    So how the f* would they get infected in the first place?
    Lazy techs, at least that was the #1 cause for troubles for back then, everything from re-enabling services to installing 3rd party RA software with no/weak passwords...

  10. Re:I also want to know if they copy my pics! by tqft · · Score: 5, Interesting

    I know BigW keep them for up to a week - stuck disk in all the thumbnails up and I asked - how long do you keep them? Up to a week as customers often come back. Can you delete them for me now? No.

    I haven't been back there to have photo's printed. and any shop - i grab just the pics I want printed and put them on an sd card and put that in.

    Why feed the Beast more than it needs to? If we don't make the data available, the Beast can't eat it.

    --
    The Singularity is closer than you think
    Quant
  11. kiosk manufacturers are the culprits by dev_eddie · · Score: 5, Informative

    I did own an Agfa Photo Kiosk. It didn't have an AV by default and it ran "Windows XP embedded edition" that prevented me from installing an AV (installers didn't allow me to do an install.). I saved a raw image of the hard disk for safety and allowed it to infect customers. It was a security nightmare. Viruses had their way into the machine, but AV software didn't. Autorun was a requirement for the kiosk software to process photos and could not be disabled.

    --


    /usr/bin/cookie: Permission Denied.