Friday, January 25, 2008

Serious problems with Block Buster Express kiosks?

I just got through reading this blog post from John Bocook, a guy who went to check out a new Block Buster Express DVD rental kiosks at his local store, but came away with more than he bargained for:
The first ever Blockbuster Express Kiosk is located just down the street to me. I decided I would try it and see how it worked. I wish I had my camera. When I arrived to the kiosk the tech i guess forgot to unplug the Keyboard and mouse as they were laying on the floor. The computer guy in me decided to see what was under the hood. Two keys later i was looking at a Windows XP desktop with Admin privelages. How can it be? Blockbuster, Do you not realize what I could do if i was a ambitious hacker? If you don't let me tell you.
  • If Blockbuster isn’t careful, I could:
  • Despense DVD’s for free
  • Add a back door to get access to all the creditcard information that is swiped on this machine
  • Replace the “Play Trailer” videos with a more adult video of my choosing
  • Add a rootkit, so that even if the machine is re-imaged, I will will have a backdoor.
These are just SOME of the things we could do. How about we take the code for the Machine, figure out how the kiosk’s talk to each other and add a trojan to install rootkit on All the kiosks that connects to the main server hub. From there, We could say, Put in the name nich duncan under the account, and get free rentals at all the kiosks or get even more malicious and Swipe credit card information from ALL KIOKS (sic).
I have no idea whether these things are true, but given that we've seen lots of poorly-implemented retail kiosk systems in the past (indeed, for a while it was even thought that kiosks played a part in the largest theft of credit card data in history), and even electronic voting kiosks have been shown to have numerous vulnerabilities, I wouldn't be at all surprised if they were.

Tags: ,

No comments: