Deposit container full – container not recognized – brand not accepted by the market: If you are a frequent consumer of bottled drinks in Germany, you have certainly experienced a frustrating situation or two with deposit machines. But can deposit machines pose a threat to the security of sensitive data as well as to our nerves?
To answer this very question, our security analysts Tobias Hamann and Luca Rupp of usd HeroLab have often found themselves arm-deep in countless different (vending) machines, including deposit machines, check-in machines, ticket machines and EV charging stations. All in the name of “more security”: As part of machine pentests, they put point-of-sale devices, ticket and cash register systems and other devices (hereinafter referred to as “machines”) to the test. In this article, they explain why machine pentests are important and what they look like.
Machine pentest on the bus? That's why we need it
Nowadays, almost every machine that we as customers interact with contains a whole host of information technology. Somewhere behind the casing there is usually nothing more than a standard computer with a standard operating system such as Windows. It is often supplemented by special hardware such as printers, barcode scanners, touchscreens and payment terminals. These devices are usually easily accessible to everyone, including potential attackers.
Modern public transport vehicles, such as city buses, also operate a large number of devices, such as ticket machines, passenger counters and surveillance cameras. These devices often have to communicate with each other and the operator's backend via various networks in order to perform their functions correctly. And where there are networks, there are also potential gateways for attackers. Their goal: to gain access to the operator's internal company network and its sensitive data.
“Devices such as ticket machines, point-of-sale (PoS) systems and EV charging stations are an important part of the customer experience and a bridge between the physical and digital worlds. Insecure PoS systems can, however, open a gateway into the internal company network for attackers. Therefore, even if it doesn't seem obvious at first glance: Have your buses, ticket machines and charging stations pentested.”
Tobias Hamann - Managing Consultant IT Security

How our analysts test point-of-sale devices and machines
Our analysts add specific elements to our standardized and proven methodology for machine pentests:
Physical checks
Our analysts initially access the system like a normal customer would. Software that runs on machines is usually only made available to customers in kiosk mode, in which the user's rights are severely restricted. Our analysts try to break out of kiosk mode via the touchscreen and gain access to the integrated computer.
Another test involves checking the physical structure of the overall system to see whether mechanical access restrictions can be overcome, for example by (forcibly) opening locks or removing panels.
“There have been cases where we've been able to break open the housing of devices with just a ballpoint pen – you don't always need special tools. Sometimes lockable flaps are simply left open for practical reasons, for example, because there are not enough keys for all employees who would need one. It should never be that easy for attackers to break into the physical interior of a device. But let's be honest: the physical housing is only ever a deterrent. It’s much more important that the computer system behind it is adequately secured.”
Tobias Hamann
System hardening
To ensure that the systems behind the machine housings are sufficiently secure, our analysts next check the hardening measures of the integrated computer systems. First, they gain a comprehensive picture of the installed operating system and software components and their current versions. Based on this, they then use various methods to try to extend their rights on the system locally.

“As there is nothing but ordinary systems and applications behind the housing of machines, we proceed similarly to how we pentest company notebooks or other computers used by employees. Typical vulnerabilities that we frequently discover are, for example, vulnerabilities in third-party software, insecure operating system configurations or access data stored in an openly readable format.”
Luca Rupp, Senior Consultant IT Security
Checks at the backend
“A machine found in a supermarket, bus or departure lounge is rarely operated in isolation. Security can therefore only be correctly assessed in the overall context. It is not enough to just look at the security of the application shown on the touchscreen or the strength of the lock in the housing. Instead, the environment in which the machine is installed and the connection to the operator's backend must also be examined.”
Luca Rupp
This is why our machine pentests always conclude with a check of the integration of the device into the operator's backend. Machines often communicate simultaneously with several systems and services in the backend. At these interfaces, our analysts check whether the communication is encrypted, whether the services in the backend are vulnerable to injection attacks and whether the authentication and authorization mechanisms between the device and the backend are state of the art.
At a glance: These are the most common vulnerabilities
To reduce the risk of attacks on machines, we test for a wide range of vulnerabilities as part of a machine pentest. These three are among the ones we encounter frequently:
- Breaking out of kiosk mode: Using certain touchscreen gestures or connected peripheral devices, a user (in the worst case, an attacker) manages to break out of the mode intended for them with restricted functionalities and gain access to higher-privileged functions.
- Bypassing physical barriers: The housing can be easily broken open; locks can be easily picked. Attackers thus gain access to hardware or interfaces such as network sockets that they are not authorized to use.
- Lack of system hardening: The computer integrated in the machine is not adequately protected against attacks.
Ever thought about a machine pentest?
Don't just have the systems and applications at your company headquarters tested. Every bus, deposit machine and EV charging station can be a gateway into your entire company network. We help you to uncover vulnerabilities before hackers do. Contact us, and we will be happy to help you.