Hacking parking meters. We analyze the security of terminals.

Lord777

Let's talk about hacking a parking meter and analyze how to protect it.

The computer game Watch Dogs describes the near future very well: all kinds of devices, machines for issuing and accepting cash, and assorted Internet-connected gadgets, stuffed with vulnerabilities whose exploitation lets a hacker gain some benefit. In the game, for example, the protagonist uses a smartphone to compromise the video surveillance system, which lets him watch the cameras and obtain additional information.

Fans of the game are divided: some say that pulling out a smartphone and breaking everything around you is too "utopian". Others understand that "a fairy tale is a lie, but there is a hint in it", and that the game world partly reflects the real one.

We will try to add a few more arguments that the devices around us, which we barely notice in parks and public places, can be vulnerable and pose a danger, at least to our wallets.

TERMINAL TERMINATORS
The number of public devices waiting for their hero from a computer game is off the charts. Parks and streets are full of parking payment terminals for all kinds of vehicles and cosy "booths" for quickly charging a mobile device. Airports and train stations offer various devices for paying for tickets and getting reference information. Cinemas have terminals for buying and booking tickets for screenings. In clinics and government agencies, visitors are greeted by electronic queue-management devices and receipt-printing terminals. Even toilets are equipped with payment terminals. However, hardly anyone will manage to penetrate the last of these: they would not have the stomach for it :).

[Figure: charge-your-device-anywhere concept]

[Figure: movie ticket terminals]

However, life teaches the developers of such devices that not all of their users touch the touchscreens with good intentions. If we enter a query like "terminal hacked" into Google, we get a lot of relevant videos in which the protagonists play solitaire on one terminal or another, or draw all sorts of obscenities in Paint. The cause is usually some bug in the terminal application, and these bugs often work in a similar way.

[Figure: an example of "instructions to compromise" found on the web]

So, in one of the videos, the participant holds a finger on the screen for about ten seconds, which produces the effect of a right-click. In another, the guys randomly poke at the lower left corner of the screen and the full-screen application minimises. Someone even thought of covering the terminal's GSM antenna with their palm to provoke a connection error.

[Figure: "Dexterity of the fingers and no fraud"]

Of the known compromises of such devices, the most interesting incident happened to the payment terminals of one well-known electronic payments vendor. Using the application's virtual on-screen keyboard, which is available in the payment system interface, the attacker entered the line "last_page = StyleSheet.css" into the payment purpose field. Notepad.exe was opened as the handler for a file with this extension, and through its help system the villain was able to get to the system control panel and launch the operating system's virtual keyboard.

[Figure: an interesting, and by now outdated, way of compromising the terminal]

SECURITY ANALYSIS PROCEDURE FOR PUBLIC TERMINALS
Based on such videos and the sad experience of vendors, a simple methodology for analysing the security of devices of this type can be drawn up.

[Figure: search methodology for the security analysis of public terminals]

Our task: given a full-screen application, most likely running on top of the Windows operating system, break out of it into the system environment. For this you can use so-called tap-fuzzing, in other words, working with your fingers: tapping different parts of the application to provoke undocumented behaviour. Or you can use data-fuzzing and feed various data into input fields to provoke incorrect handling of the input.

As soon as you manage to bring up an element of the standard operating system interface, the next step is to get into the control panel, for example through the help sections.

Getting into the control panel is the starting point for launching the virtual keyboard, with the corresponding consequences.

THE TRANSPORT SITUATION
Moscow residents increasingly come across bicycle parking meters in the city's parks. The idea of these devices is quite simple: there is a payment terminal for renting a bike, and a bike rack. The output device of the payment terminal is a display on which the user can register for a bike ride and get reference information.

The system interface is designed specifically for this type of device (if you have ever paid for something at a payment terminal, you have an idea of what it looks like), and it is hard to get lost in it. In this interface the user can find out the current location, or rather see a marker on a Google map showing where the parking meter is.

All such devices run on classic operating systems (more often than not Windows-like) with all their vulnerabilities. However, the specialised interface is a full-screen application with very limited functionality that keeps the user from getting "under the hood" and doing stupid things, deliberately or not. Accordingly, when analysing the security of terminals, the main task is to break out of this full-screen application. After that, you can play pranks: run your own applications, escalate privileges, dump valuable information, and more.

In the parking meter systems we examined, we found an interesting feature. In the "Maps" section, the developers did not invent anything new and used maps from Google. And everything would be fine if the Google widget did not have a status bar which, among other information (current scale, copyright notices and so on), contains the links "Report a bug", "Privacy" and "Terms of Service" that open a standard Internet Explorer window...

[Figure: the full-screen application interface, with some interesting features...]

LET'S RIDE!
Besides the links described above, other links are scattered unobtrusively through the application (for example, when certain restaurants are shown, you can press the "Details" button), and clicking them opens the browser.

[Figure: breaking out of the full-screen application]

"So what? Fine, I opened the browser, but there is still no keyboard!" There will be one now: following the links in the help pages, you can reach the help section called "Accessibility", where the virtual keyboard is hiding.

[Figure: Who am I? Administrator!]

Then everything depends on the imagination and the degree of impudence of the attacker. Running cmd.exe reveals another configuration flaw: the current operating system session runs with administrator privileges, which means that we can potentially download and run any application completely unhindered.

[Figure: Bingo: the virtual keyboard]

Thus an attacker can obtain the NTLM hash of the administrator's password. Moreover, it is highly likely that the password set on this device also works on other devices of the same type, and that is already the third configuration flaw...

This is where the adventure ends, so let's speculate on what an attacker can get out of it all.

TERMINALS OF PUBLIC INSTITUTIONS
By government institutions we mean those housed in buildings with a coat of arms or the Russian flag on them. No specifics and no naming of manufacturers, just the essence :).

So, before us is the interface of a full-screen application that, based on the data we enter, offers to print a payment receipt.

[Figure: "Check Me Completely"]

After filling in all the fields and details, we press the "Create" button and observe the following: for a few seconds the terminal shows a standard print dialog containing all the print settings for our document, and the "Print" button is pressed automatically.

[Figure: a system element that appears briefly]

As a result, if an attacker manages to click the "Change" button, he gets the chance, through simple manipulation of the print settings, to get to the help section...

WHITEHATS FALL ASLEEP, BLACKHATS WAKE UP
Post-exploitation scenarios follow from the features of these devices:
  1. All of them are located in public places.
  2. Available 24/7.
  3. They have the same configuration.
  4. They enjoy an increased degree of user trust.
  5. They are connected with each other and can have access to other "private" networks.

The main goal of an attacker is direct or indirect financial gain from a compromised device. In this case, to achieve that goal he can get not merely an NTLM hash, which still has to be brute-forced to recover the password, but the administrator's password itself. To do this, an attacker can extract clear-text passwords stored in memory. Incidentally, the latest version of the WCE utility can now not only dump passwords by injecting code into the lsass.exe process, but also read memory directly within the current session. Add to this support for Windows 7, on which the parking meters run, and we get a "key" to all devices of this vendor at once.

[Figure: a figment of the imagination: what would happen if mimikatz ended up running on the terminal]
In addition, an attacker can get a dump of the bike parking application, which kindly collects information about those who want to ride: name, email address and phone number. It is possible that a database with valuable information is stored somewhere nearby. Needless to say, such a database will be of particular value on the market, because it contains verified phone numbers and email addresses. If there is no such database, the villain can install his own keylogger, which intercepts all user-entered data and sends it to a remote server.

Given one of the features of these devices, 24/7 operation, they can be used, for example, for a mining pool or for other hacking purposes that require an infected workstation to be on the network around the clock.

Particularly impudent attackers can implement an attack scenario that yields the user's payment data: an unobtrusive field for entering plastic card details can be left on the main window of the parking meter application, and with a high degree of probability a misled user will kindly fill it in along with his name, phone number and email...

The abundance of scenarios that open up opportunities for access to personal data and the wallet of unsuspecting people is limited only by the imagination of intruders. The described situation with the security of parking meters clearly demonstrates how several flaws in the configuration form a vulnerability.

In addition, a compromised terminal can become the starting point for further attacks on the corporate network. Very often such devices have access to a terminal server or an entire subnet in the company's trusted zone, which means that a small targeted attack using malware and/or social engineering could let an attacker end up in the main office. Without knocking.

[Figure: broke the terminal, got into the company]

RECOMMENDATIONS
Our analysis of the security of parking meters demonstrates how several configuration flaws make a device vulnerable, and the attack scenarios above show how this can give attackers access to the personal data and wallets of unsuspecting people.

To rule out malicious activity on public devices, we recommend that developers and administrators of bicycle parking terminals and other terminals located in public places:
  1. Prevent the full-screen application from opening external links.
  2. Do not allow any elements of the Windows interface to be called up (for example, the right-click menu or the document printing windows).
  3. Run the current operating system session with limited standard-user privileges.
  4. Create a unique account with a unique password on each device.
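The escape chain described above (kiosk application, then browser, then the Accessibility help with its on-screen keyboard, then cmd.exe running with administrator rights) leaves a clear trail in process-creation logs, and watching for it complements the recommendations. The following is an added example, not code from the original post or from any terminal vendor: it runs a simple detection over constructed process-creation events, and the kiosk account name "KIOSK\kiosk" and the application name "ParkingKiosk.exe" are assumptions for the example.

```python
import re

# Constructed sample of process-creation events (Windows event 4688 style, one line each); not real logs.
SAMPLE_EVENTS = """\
2014-05-12 09:14:02 user=KIOSK\\kiosk parent=explorer.exe image=ParkingKiosk.exe elevated=No
2014-05-12 09:14:05 user=KIOSK\\kiosk parent=ParkingKiosk.exe image=iexplore.exe elevated=No
2014-05-12 09:15:31 user=KIOSK\\kiosk parent=iexplore.exe image=osk.exe elevated=No
2014-05-12 09:16:10 user=KIOSK\\kiosk parent=osk.exe image=cmd.exe elevated=Yes
"""
EVENT_RE = re.compile(r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) parent=(?P<parent>\S+) "
                      r"image=(?P<image>\S+) elevated=(?P<elevated>Yes|No)$")

# Hypothetical names for this example: the kiosk account and its full-screen application.
KIOSK_USER = r"KIOSK\kiosk"
KIOSK_APP = "ParkingKiosk.exe"
ALLOWED = {KIOSK_APP.lower(), "explorer.exe"}  # all the kiosk account should ever run
# Binaries of the escape chain described above: browser, on-screen keyboard, shell.
ESCAPE_STEPS = {
    "iexplore.exe": "browser opened from the kiosk application",
    "osk.exe": "on-screen keyboard started",
    "cmd.exe": "command shell started",
}

def parse_event(line):
    # Returns a dict of the event's fields, or None for lines that are not events.
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None

def evaluate(event):
    # Returns [(severity, reason), ...] for one event of the kiosk account.
    findings = []
    if event["user"] != KIOSK_USER:
        return findings  # other accounts are out of scope for this check
    image = event["image"].lower()
    if image in ESCAPE_STEPS:
        findings.append(("high", f"{ESCAPE_STEPS[image]} (parent {event['parent']})"))
    elif image not in ALLOWED:
        findings.append(("medium", f"unexpected process {event['image']}"))
    if event["elevated"] == "Yes":  # recommendation 3: the session must not be elevated
        findings.append(("high", "kiosk session process running with an elevated token"))
    return findings

def analyse(log_text):
    # Returns [(timestamp, severity, reason), ...] in log order.
    results = []
    for line in log_text.splitlines():
        event = parse_event(line)
        for severity, reason in (evaluate(event) if event else []):
            results.append((event["ts"], severity, reason))
    return results
```

On the sample, `analyse(SAMPLE_EVENTS)` reports the browser, on-screen keyboard and shell launches plus the elevated token; a real deployment would feed it events from the terminal's Security log instead.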

We recommend that users of payment terminals do not enter their full payment card details. In no case should you enter the CVV2/CVC2 code; it is not required to make a payment. And do not neglect the option of paying for the service in cash at the terminal.