跳到主体内容

Kiosks and Speed Cameras in a Smart City: Researchers Find Multiple Smart Components of the Modern City Vulnerable to Cyber Attacks

2016年9月15日

Kaspersky Lab researchers examined a number of digital kiosks and interactive terminals used in modern cities for different purposes - from paying for different services through to entertainment – and discovered that a lot of them contain vulnerabilities that can expose private user data and be used to spy or spread malicious code.

Kaspersky Lab researchers examined a number of digital kiosks and interactive terminals used in modern cities for different purposes - from paying for different services through to entertainment – and discovered that a lot of them contain vulnerabilities that can expose private user data and be used to spy or spread malicious code. Along with kiosks, specialists researched speed cameras used in cities and their supporting infrastructure. As a result, they discovered that malicious users could easily access these cameras and manipulate the data collected.
Modern cities are complicated ecosystems made up of hundreds of different components including digital ones. Aimed to make life more convenient and safer for citizens, they can also pose a certain degree of threat to people’s data and safety – as illustrated in the findings of the research conducted by Kaspersky Lab experts.
Ticket terminals in movie theaters, bike rental terminals, service kiosks in government organizations, booking and information terminals at airports, and passenger infotainment terminals in city taxis might all have a different appearance, but inside most of them are the same. Each such terminal is either a Windows-based or an Android-based device. The main difference in comparison to ordinary devices is the special kiosk-mode software that runs on public terminals and serves as the user interface. This software gives the user easy access to specific features of the terminal whilst at the same time restricting access to other features of the device’s operating system, including launching a web browser and then virtual keyboard. Accessing these functions provides an attacker with numerous opportunities to compromise the system, as if he was in front of a PC. The research showed that almost any digital public kiosk contains one or multiple security weaknesses which allow an attacker to access hidden features of the OS.  
In one particular case the user interface of the terminal contained a web-link. The attacker only needed to tap on it in order to launch the browser and then – through the standard Help dialogue – launch a virtual keyboard. In another case – at an e-government service kiosk – the scenario required the user to touch the “print” button. After that, for several seconds the usual browser’s print dialogue window would be opened and, if quick enough, the attacker would tap the “change” [printing parameters] button to enable him to jump into the Help section. From there, they could open the control panel and launch the on-screen keyboard. As a result, the attacker gets all of the devices needed to enter information (the virtual keyboard and the mouse pointer) and can use the computer for their own mercenary purposes, e.g., to launch malware, get information on printed files, obtain the device’s administrator password, etc. And these are only a few weaknesses discovered by Kaspersky Lab researchers.
“Some public terminals we’ve investigated were processing very important information, such as user’s personal data, including credit card numbers and verified contacts (for instance, mobile phone numbers). Many of these terminals are connected with each other and with other networks. For an attacker they may be a very good surface for very different types of attacks – from simple hooliganism, to sophisticated intrusion into the network of the terminal owner. Moreover, we believe that in the future public digital kiosks will become more integrated in other city smart infrastructure, as they are a convenient way to interact with multiple services. Before this happens, vendors need to make sure that it is impossible to compromise terminals through the weaknesses we’ve discovered”, - said Denis Makrushin, security expert at Kaspersky Lab.
Another part of the research was dedicated to cities speed control cameras. Using the Shodan search engine, researchers were able to identify multiple IP addresses belonging to such devices and openly accessible from the web: no passwords were in use and anyone would be able to see the footage from cameras and more. Researchers discovered that some tools used to control these cameras are also available to anyone on the web.
“In some cities, speed control camera systems track certain lines on the highway - a feature which could be easily turned off. So if an attacker needs to shut down the system at a certain location for a period of time, they would be able to do that. Considering that these cameras can be, and sometimes are, used for security and law enforcement purposes it is really easy to imagine how these vulnerabilities can assist in crimes like car theft and others. It is therefore really important to keep such networks protected at least from direct web access”, - said Vladimir Dashchenko, security expert at Kaspersky Lab.
The text of the research and advice on how to protect IT systems of Smart Cities from being compromised is available on Securelist.com.
It is also available at Securingsmartcities.org – a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

Kiosks and Speed Cameras in a Smart City: Researchers Find Multiple Smart Components of the Modern City Vulnerable to Cyber Attacks

Kaspersky Lab researchers examined a number of digital kiosks and interactive terminals used in modern cities for different purposes - from paying for different services through to entertainment – and discovered that a lot of them contain vulnerabilities that can expose private user data and be used to spy or spread malicious code.
Kaspersky logo

关于卡巴斯基

卡巴斯基是一家成立于1997年的全球网络安全和数字隐私公司。卡巴斯基不断将深度威胁情报和安全技术转化成创新的安全解决方案和服务,为全球的企业、关键基础设施、政府和消费者提供安全保护。公司提供全面的安全产品组合,包括领先的端点保护解决方案以及多种针对性的安全解决方案和服务,以及用于应对复杂和不断变化的数字威胁的网络免疫解决方案。全球有超过4亿用户使用卡巴斯基技术保护自己,我们还帮助全球200,000家企业客户保护最重要的东西。要了解更多详情,请访问www.kaspersky.com.cn.

相关文章 企业新闻