
T-Mobile Internet Kiosk Hacked
Do not trust public Internet kiosk devices

Some time ago I was stuck for several long hours at a German airport in the middle of nowhere. I decided to spend them on proving that Internet kiosks are vulnerable to local attacks and thus unsafe. I will not give you a full tutorial on how to get free Internet access, since I may need it in the future. Instead, I just want to warn you that you shouldn't trust such devices - I was able to gain full control over one. See below for proof.
The first photo shows the default application on T-Mobile's Internet kiosk. By playing a little bit with the interface I was able to crash it (see the error message). Note that the account shows 0,00 €, so I didn't have to pay anything before crashing it:

A little bit more playing and I had launched Windows Task Manager and Internet Explorer. Note the ad banner at the top of the screen. It is an independent application. I could have killed it with Task Manager, but decided to take the photo with it still running to prove that this is still an Internet kiosk:
Things I learned about the system:
- The application engine for T-Mobile Internet kiosks is made by Degasoft and its name is Kudos.
- Its 'security' is mostly achieved by obscurity. For example, the engine constantly sets focus and always-on-top application attributes to itself, which is annoying but does not provide any real security at all.
- The kiosk is equipped with hardware monitoring which forces to reboot the machine every several minutes if the main application is not responding. It is just enough to finish taking over full control after the application is dead.
Things I was able to do without paying anything:
- gain full control (it takes up to 1 hour to do that)
- surf the net for free
- launch any application that is already installed (like mplayer - you can see it in the Task Manager application list in the picture above; no wonder it was already installed)
- install any application (it could be a key logger, for example)
- uninstall any application (including Kudos Internet kiosk engine)
- view network drives and write to most of them
- copy apps, logs, configs, IE temporary files to external server
- reboot or shutdown the machine
- make it completely unusable by the time the technical service arrives
I hope you will think twice next time before logging in to your bank account from a public Internet kiosk...
