Photo Kiosks Infecting Customers' USB Devices

The Risky Biz blog brings news that Big W, a subsidiary of Woolworths, has Windows-based Fuji photo kiosks in at least some of its stores that don't run antivirus software, and are therefore spreading infections, such as Trojan-Poison-36, via customers' USB storage devices. Here is the account of the original reporter. "It's not just the lack of AV that's the problem... it appears there's been zero thought put into the problem of malware spreading via these kiosks. Why not just treat customers' USB devices as read-only? Why allow the kiosks to write to them at all? It would be interesting to find out which company — Fuji, Big W, or even some other third party — is responsible for the maintenance of the machines. It would also be interesting to find out if there are any liability issues here for Big W in light of its boneheaded lack of security planning."
  • by Lennie ( 16154 ) on Tuesday July 06, 2010 @05:44AM (#32808182)

    I have seen USB-sticks with a read-only switch, so they do exist.

  • by Anonymous Coward on Tuesday July 06, 2010 @05:52AM (#32808232)

    virus.code

    line 1: remount USB write enabled

  • Just burn a CD (Score:5, Informative)

    by Spy Handler ( 822350 ) on Tuesday July 06, 2010 @05:56AM (#32808252) Homepage Journal
    Just burn a CD and give it to them. Blank CDs cost like 10 cents each if you buy a spindle, and you don't have to worry about them losing your USB drive or infecting it.
  • by Anonymous Coward on Tuesday July 06, 2010 @06:00AM (#32808272)

    yes it does:
    in the Registry path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
    create a DWORD called WriteProtect with a value of 1.

    this should make Windows mount all usb disks read-only

  • by jack2000 ( 1178961 ) on Tuesday July 06, 2010 @06:04AM (#32808292)
    More people need to know about this:
    You can make your usb stick immune to all autorun viruses. Simply make an empty autorun.inf file on the usb stick, set file permissions for username "Everyone" to Full control: Deny all.
    Now no one can delete, write, rename that file and viruses aren't smart enough yet to take over control or delete permissions on the file. The file system on the stick would have to be NTFS. If the file system on it is FAT32 you'll need to run from cmd
    convert Z: /FS:NTFS /X
    Where Z is the partition letter of your usb stick. You can also disable autorun on all partitions using TweakUI
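The two host-side settings raised in the comments above (the `WriteProtect` value under `StorageDevicePolicies`, and disabling autorun on all drives), as an added audit script that is not code from any commenter or kiosk vendor. The `NoDriveTypeAutoRun` policy value and its path are not named on the page, and the function names and `$Enforce` switch are hypothetical.

```powershell
# Added example: audit (and optionally enforce) the removable-media settings
# discussed above. Run from an elevated PowerShell prompt.
$Enforce = $false   # assumption: report-only by default; set $true to write values

$policies = @(
    @{ # Mount USB storage read-only (key and value named in the comment above)
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
        Name  = 'WriteProtect'
        Value = 1
    },
    @{ # Disable AutoRun for every drive type (0xFF covers all types)
        Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Name  = 'NoDriveTypeAutoRun'
        Value = 0xFF
    }
)

function Get-PolicyState {
    param([hashtable]$Policy)
    $current = $null
    if (Test-Path $Policy.Path) {
        $item = Get-ItemProperty -Path $Policy.Path -Name $Policy.Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.($Policy.Name) }
    }
    [pscustomobject]@{
        Setting   = "$($Policy.Path)\$($Policy.Name)"
        Expected  = $Policy.Value
        Current   = $current            # $null means the value is not set
        Compliant = ($current -eq $Policy.Value)
    }
}

function Set-PolicyValue {
    param([hashtable]$Policy)
    if (-not (Test-Path $Policy.Path)) {
        New-Item -Path $Policy.Path -Force | Out-Null   # create the key if missing
    }
    New-ItemProperty -Path $Policy.Path -Name $Policy.Name -Value $Policy.Value `
        -PropertyType DWord -Force | Out-Null
}

foreach ($p in $policies) {
    $state = Get-PolicyState $p
    if ($Enforce -and -not $state.Compliant) {
        Set-PolicyValue $p
        $state = Get-PolicyState $p     # re-read to confirm the write took effect
    }
    $state
}
```

With `WriteProtect` set, any kiosk feature that saves edits back to the customer's drive will fail, which is the trade-off raised later in the thread.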
  • by Anonymous Coward on Tuesday July 06, 2010 @06:06AM (#32808304)

    The older USB sticks had them quite often; haven't seen one with a RO switch for about 3 years now.

  • by Rogerborg ( 306625 ) on Tuesday July 06, 2010 @06:11AM (#32808328) Homepage
    Wow, it took me all of 30 seconds to find evidence that you're a lazy raging retard who shouldn't be trusted with a calculator, let alone a general purpose computing device [helpwithwindows.com]. I know that's a long name for the link, but I really felt it needed to be said.
  • Read-only (Score:2, Informative)

    by Tuan121 ( 1715852 ) on Tuesday July 06, 2010 @06:31AM (#32808420)
    Just a guess, but when you are selecting pictures at the kiosk you can probably also do some options such as red-eye reduction, rotating etc. I would imagine most people who do that at a kiosk would like those changes saved on the original picture on their USB drive instead of having to repeat the process at home where they might not even know how to do it.

    So there is a reason for not mounting it as read-only.
  • by dev_eddie ( 827800 ) on Tuesday July 06, 2010 @07:11AM (#32808638)

    I did own an Agfa Photo Kiosk. It didn't have an AV by default and it ran "Windows XP embedded edition" that prevented me from installing an AV (installers didn't allow me to do an install.). I saved a raw image of the hard disk for safety and allowed it to infect customers. It was a security nightmare. Viruses had their way into the machine, but AV software didn't. Autorun was a requirement for the kiosk software to process photos and could not be disabled.

  • Re:Poor design.. (Score:3, Informative)

    by Errol backfiring ( 1280012 ) on Tuesday July 06, 2010 @07:28AM (#32808736) Journal

    Why execute anything that's stored on the usb sticks?

    Quite simple, because Microsoft had a policy to make any data format executable. Yes, images also. And XML, of course. And CSS, even though the standard explicitly warned against that. In Microsoft's own words, to "make developers smile".

  • Re:Responsibility (Score:3, Informative)

    by paulc0001 ( 173130 ) on Tuesday July 06, 2010 @07:37AM (#32808782)

    The kiosks are manufactured by http://www.neoproductsgroup.com/ [neoproductsgroup.com] but are serviced by Fuji engineers. I would expect the disk image to come from Fuji so they would be responsible.

  • Woolworths? (Score:1, Informative)

    by Anonymous Coward on Tuesday July 06, 2010 @07:46AM (#32808846)

    Didn't they go bust at the end of 2008? Oh hang on.. you don't mean *that* [wikipedia.org] Woolworths. You meant one of the other Woolworths around the world. Would have been nice if you'd mentioned which one.

  • Re:Poor design.. (Score:2, Informative)

    by Anonymous Coward on Tuesday July 06, 2010 @08:06AM (#32808954)
    1) They probably run Embedded Windows. All the features at half the price and no need to deal with activation keys. Simple drive image.
    2) These Kiosks usually use some flavor of a professional level printer. These printers don't have embedded drivers. The professional level require drivers. Cost to write those drivers offset the OS savings cost.
    3) The service people paid to administer these machines are more comfortable with Windows - as stated earlier, these are 10 year old products and the linux/embedded tools weren't good back then.
  • Re:Poor design.. (Score:2, Informative)

    by Com2Kid ( 142006 ) <com2kidSPAMLESS@gmail.com> on Tuesday July 06, 2010 @08:07AM (#32808960) Homepage Journal

    Why run windows on these kiosks? An embedded OS would be more suitable and cheaper...

    Most likely to dramatically cut development costs. With standard off the shelf x86 parts you can use whatever development environment and language is most convenient, and you can take advantage of the ever decreasing prices of x86 hardware.

    In contrast embedded stuff, while better suited for some situations, is a much bigger pain to get off the ground initially, and pricing tends to stay pretty stable.

    Not running as a privileged user (Even Windows XP's guest mode would work out fine here) and turning off auto-run would be good starts. I imagine if someone wanted to they might be able to find some sort of an exploit in one of the image handlers on these devices and infect them through that technique, but if all the kiosk is physically capable of doing is loading image files up, allowing for manipulation of those image files in whatever lame app they have, and then printing said files out, the machine would likely be Secure Enough.

  • by Anonymous Coward on Tuesday July 06, 2010 @08:18AM (#32809044)
    "It's not just the lack of AV that's the problem... it appears there's been zero thought put into the problem of malware spreading via these kiosks. Why not just treat customers' USB devices as read-only? Why allow the kiosks to write to them at all?"

    How about not using Microsoft Windows on the Photo Kiosks? An embedded Linux solution would provide the same functionality without the malware innovation ...
  • by troll8901 ( 1397145 ) * <troll8901@gmail.com> on Tuesday July 06, 2010 @09:09AM (#32809534) Journal

    AC has posted something similar [slashdot.org], but with a lot fewer flames.

    Parent may be a lazy raging retard, but I don't understand the need to flame him.

    What has been most beneficial to me are not the exact steps, but the knowledge that it's possible with the setting of a registry entry (and the corresponding security permission). I've learnt a lot more from AC's kindly-worded post than your flames.

  • by Voyager529 ( 1363959 ) <voyager529@ya[ ].com ['hoo' in gap]> on Tuesday July 06, 2010 @09:18AM (#32809640)

    The difference between an ATM and a photo kiosk is that the only forms of input into the system are the debit card (which is programmed by the bank) and the keypad or touch screen input. Users don't bring in their own infected media to use with it.

    Also, the odds are extremely good that at some point, your financial data will involve a Windows terminal. If it makes you feel any better, there are some pretty tight regulations as to how heavily locked down bank systems have to be. Even if you see a bank teller using Windows XP, I guarantee you he/she isn't running as admin, and probably has default-deny permissions for just about everything. Just because Windows doesn't come out of the box very secure doesn't mean that there aren't a few dozen computer techs on the other side responsible for locking it down to the point where it is actually secure enough to do what it does.

  • by je ne sais quoi ( 987177 ) on Tuesday July 06, 2010 @09:25AM (#32809766)
    I've heard this line before, usually as a justification from the IT staff as to why I need to put AV on my mac. Does this actually happen in the real world with any great frequency? I suppose it could if you were transporting windows executables around on your USB and copying them to your mac it could happen. But usually, I just copy office documents or other data files around. So I'm not convinced (unless of course your office or pdfs have something, but those usually show up in attachments in e-mail from weird places, not something you'd want to move around on your USB).
  • by MikeBabcock ( 65886 ) <mtb-slashdot@mikebabcock.ca> on Tuesday July 06, 2010 @09:36AM (#32809892) Homepage Journal

    I have the same problem convincing people to just use 'const' in C programs where they don't expect to modify a value. It's an easy step and it lets the compiler catch a whole host of problems for you (not to mention do optimizations) but it's too much typing for some people.

  • Re:Admin (Score:1, Informative)

    by Anonymous Coward on Tuesday July 06, 2010 @01:48PM (#32813948)

    By default (out of the box), all admin elevations in Windows require explicit user input at the console.

    You have either disabled UAC (against all recommendations) or you need to upgrade your Windows to a current version.

    Falling back on old versions of Windows that aren't even in distribution anymore seems to be the rising trend on slashdot.

    But then again, who am I to judge? Linux has never had any security issues since the first release of the kernel. All changes to it have just been feature enhancements.

    There is really no need to upgrade your linux ever and that's another reason why Windows sucks.

    And another thing regarding autorun since others have posted about it and I have to wait to post as AC (I enjoy reading some of the comments, but won't arse myself to register on this site).

    Autorun does not execute anything. It scans the drive for content and offers appropriate options. In the event of an autorun.inf file, it presents an option to do whatever that file has defined. If that includes executing another program, the user will get a UAC prompt for that program if it requests admin elevation.

    If your autorun is executing files on the disk without prompting (twice in two different ways), then you need to upgrade your Windows.
