When asked about information security and defense in depth, many people think only of technical controls: firewalls, IDS/IPS devices, network segregation and so on. Physical security, however, is a critical layer that many information security professionals overlook. No matter how well you segregate your network, how you harden your systems or what authentication methods you have implemented, if physical security controls fail or don’t exist in the first place, the technical controls often provide very little protection.
I recently had an interesting experience that made me think about the importance of physical security.
I was recently at an airport waiting for my delayed flight, so I decided to take a look at the “pay as you browse” Internet kiosks to pass the time. I’ve never used these kiosks before because I usually bring my laptop with me or I check my email with my Android mobile.
The first thing that surprised me is that it was possible to connect a USB device to the machine. I took a look around the machine looking for the network cable or the power cable, but I was not able to find them; they had been hidden.
Usually, in order to interact with these computers you have to insert coins, and you can use the Internet until your time expires. You can’t launch any applications or surf the Internet if you do not pay. After a short time I figured out I could probably use applications and see the Windows ‘Start’ bar and the applications installed without paying anything.
The system was running Windows Vista but I was not able to surf or open any of the applications so I decided to plug my Android mobile into the USB port and see how the computer behaved when a USB device was plugged in. I was surprised to see that once the device was connected the computer recognized my mobile.
At this point I was sure that the USB port was fully functional and it was possible to read the content off the phone (or any other USB device). Can you imagine what you could do if you are able to read *any* external file from a USB device? A file which you have created before you arrived at the airport perhaps using a tool such as Metasploit?
Of course I didn’t do anything illegal and I didn’t exploit any vulnerabilities on this kiosk and neither should you. From a research point of view I tried to figure out how it would be possible to create a simple way of exploiting a system like this. I decided to take a look at the applications installed on this system and I found that Adobe Reader was installed.
The version of Adobe Reader installed was v8.0.0 which has several vulnerabilities in it. What would happen if I created a PDF file with a malicious payload? What would happen if I put this PDF file onto a USB key and then plugged it into the USB port on this kiosk?
I have created a video in my lab at home that explains how you could create a malicious PDF file which exploits a vulnerability in v8.0.0 of Adobe Reader and creates a reverse shell.
A higher quality version of the video can be found here.
The steps I took to create the malicious PDF file are listed below:
- Create a PDF file with metasploit that contains a payload to exploit any of the vulnerabilities in Adobe Reader v8.0.0.
- The payload in the file will connect to port 80 of a server under our control through the ‘reverse_tcp’ module. We will use port 80 because the machine has access to the Internet, so this outbound port will be open.
- Once the file is opened, the system will make the connection and we will have access to the system.
As I said, this is illegal and must not be carried out against a real-world system; I created the PDF and exploited Adobe Reader in my own lab. You can see it is very simple to bypass all of the logical security controls on the system and get Admin privileges using only a USB key with a malicious PDF file on it.
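From the defender’s side, the kiosk operator (or any mail or file gateway in front of a PDF reader) can at least triage documents for the structure this kind of attack relies on before a reader ever opens them. The following Python script is an added example, not code from the original post or from the kiosk operator. The two PDFs it checks are constructed inline and contain no exploit, only the structural features (an /OpenAction that points at a hex-escaped /JavaScript action whose body sits in a compressed stream) that a naive keyword grep would miss.

```python
"""Static triage of PDFs for the active-content features that document-based
exploits depend on (auto-open actions, JavaScript, Launch actions, embedded
files). Added example, not code from the original post; both sample PDFs are
constructed here and are not files taken from the kiosk."""
import re
import zlib
from typing import Dict, List

# Names that signal active content. None is malicious by itself, but a PDF
# that auto-runs script on open has no business on a browse-only kiosk.
RISKY_NAMES: Dict[bytes, str] = {
    b"/OpenAction":   "action runs automatically when the document opens",
    b"/AA":           "additional-actions dictionary (event-triggered actions)",
    b"/JavaScript":   "JavaScript action",
    b"/JS":           "inline JavaScript string or stream",
    b"/Launch":       "launches an external program or file",
    b"/EmbeddedFile": "carries an embedded file",
    b"/RichMedia":    "embeds Flash / rich-media content",
}

# PDF lets any byte of a name be written as #xx (so /J#61vaScript == /JavaScript);
# grep-style scanners miss this, so names are decoded before matching.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A stream body follows its dictionary's closing '>>'. Anchoring on '>>' avoids
# matching the 'stream' inside 'endstream' and swallowing the next object.
_STREAM = re.compile(rb">>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names compare equal to plain ones."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every zlib (/FlateDecode) stream, so names
    hidden inside compressed object streams are visible to the scan."""
    inflated: List[bytes] = []
    for m in _STREAM.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not zlib data (image, raw text, truncated): scanned as-is
    return data + b"\n" + b"\n".join(inflated)


def count_risky_names(data: bytes) -> Dict[str, int]:
    """Count each risky name, matching whole names only (/JS, not /JSX)."""
    norm = normalise_names(inflate_streams(data))
    counts: Dict[str, int] = {}
    for name in RISKY_NAMES:
        hits = re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", norm)
        if hits:
            counts[name.decode()] = len(hits)
    return counts


def triage(data: bytes) -> dict:
    """Return the risky names found and a verdict: 'clean', 'review' (some
    active content) or 'suspicious' (auto-trigger combined with code/launch)."""
    counts = count_risky_names(data)
    auto = any(k in counts for k in ("/OpenAction", "/AA"))
    active = any(k in counts for k in ("/JavaScript", "/JS", "/Launch",
                                       "/EmbeddedFile", "/RichMedia"))
    verdict = "suspicious" if auto and active else ("review" if counts else "clean")
    return {"verdict": verdict, "names": counts,
            "reasons": [RISKY_NAMES[k.encode()] for k in counts]}


# Constructed sample 1: a one-page document with no actions at all.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_suspicious_pdf() -> bytes:
    """Constructed sample 2: the catalog auto-runs a JavaScript action whose
    name is hex-escaped and whose body sits in a compressed stream. The script
    is a harmless placeholder; only the document structure matters here."""
    body = zlib.compress(b"app.alert('constructed placeholder');")
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj",
        b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj",
        b"5 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + body + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspicious", build_suspicious_pdf())):
        print(label, triage(pdf))
```

The verdict logic is deliberately coarse: on a kiosk or gateway the sensible policy is to block anything that combines an automatic trigger with code or a launch action, and to send the rest with any active content for review rather than trying to decide what the script does. Deeper evasions (object streams with non-zlib filters, actions split across incremental updates) are out of scope for this short scanner and are a reason to pair it with a patched reader rather than rely on it alone.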
In this scenario several different security controls have failed. In the best-case scenario (from the airport’s point of view) you can get access to the Internet for free by launching a portable browser from the USB key, but in the worst-case scenario you could potentially remotely access and control this system with admin privileges. You could install malware such as a keylogger to harvest usernames and passwords for social networking websites, corporate web mail systems and other potentially sensitive data such as online banking credentials. An attacker could also map the network and exploit other systems. In the very worst case this network might not be segregated from the “production network” in the airport, allowing you to remotely access any network or system on the airport network.
There are three different security issues that should be fixed:
- Lack of physical isolation: public access to a USB port could lead to system compromise.
- Poor patching policy: Adobe Reader was an old version. I would assume that the Operating System wasn’t patched properly either.
- Principle of need to know and least privilege: there are many applications that can be launched besides the browser. If this is a system used only to surf the internet then only a browser should be installed.
As always we look forward to hearing any feedback from the readers of this blog so please get in touch by leaving a comment, sending me a message on Twitter or by sending me an email (securityninja at realexpayments.com).
Update 4th November 2010
I’m just posting a quick update to this blog post to say that the kiosk operator has contacted us about the issues raised in this blog post. I will be sharing the operator’s feedback with you in the remainder of this update.
I have to say I’m delighted to see that security is a major concern for this operator and where problems have been identified by the blog post they have been fixed.
Please see the feedback below from the operator addressing the main concerns we raised in our blog post:
Unpatched version of Adobe Reader
You are correct in that the kiosk you were using, and a small number of other kiosks in the same airport, were running an old version of Adobe Reader. We have now discovered that our patch server was not updating Adobe Reader correctly on the particular image on these kiosks and this has now been rectified and they have been updated with the latest Adobe fixes. Given the explosion in PDF exploits being created, we are well aware of the implications of running older versions of this as well as other applications.
Operating System and other patches
All our kiosks are updated with the latest o/s and application patches, using a combination of the vendors’ automatic update utilities and our own bespoke patch server.
Other Kiosk Security Features
We deploy the industry-leading kiosk browser application, SiteKiosk, on all of our kiosks. It includes a number of very strong security features, including a highly restricted user account, prevention of launching external applications (either on the PC or a USB key) other than those pre-configured and a limited shell in place of the Windows desktop. All kiosks also run a ‘hardened’ version of Windows as well as AntiVirus and other Malware protection tools. We also deploy content filtering tools at DNS and router level to limit botnet and malware activity, as well as blocking access to pornographic content. Hardware and software firewalls are also deployed at all of our locations.
Access to production networks
All of our kiosks at airport locations are connected to standalone broadband lines and are never connected to the location’s production networks. At our other locations (hotels, shopping centres, ferries) we are connected either via standalone lines or to ‘guest’ broadband networks. And again, hardware firewalls are deployed in these locations.