0

We are having a discussion here about whether an internet-enabled kiosk system can be set up securely without updating the system regularly.

The facts in short:

We are developing a new software product which offers a "station version", meaning it runs as a kiosk system.

  • it will use a touch-display and a Win10home PC Stick
  • no external or virtual keyboard will be used for the GUI interaction
  • the frontend is a webapp which is hosted on our server
  • the Chrome browser will be used in kiosk mode to display the webapp
  • no additional software will be installed, just a clean Win10home, Firewall and Chrome
  • all Windows services will be disabled (e.g. Updates)
  • all ports are closed except 80 and 443 from inside out
  • no access to the internet except the URL to our server

The questions we are discussing are:

  1. Will it be possible for an advanced user to leave the Chrome kiosk mode anyhow?

    Our result: we tried everything but did not succeed, so it seems to be locked.

  2. Will it be secure to leave the system in the setup state, discarding any update for Win 10 and Chrome?

    Our thoughts: of course we know that it is not a good idea to skip software and especially OS updates! But we believe that isolating the system, so it can only access our server, and closing all ports will do the trick.

I am asking this because if there were a secure solution, we would not have to add high-frequency service costs and therefore could offer the system for a lower price.

tmprivat
  • What if there are 0-day vulnerabilities in the Windows firewall itself? In general, the moment the device is connected to the Internet, it is susceptible to vulnerabilities which you may or may not be aware of at the time. Then again, you are explicitly telling the device to ignore any updates; you will have to strike a balance between the two here. Is there a primary firewall before the Windows device? – yetdot Aug 30 '16 at 12:32
  • The other thing to look at is what are you to lose if the box does get compromised. Is the box doing read only stuff, if so that may help a bit. – yetdot Aug 30 '16 at 12:40
  • @yetdot 1) most of the time there should be a hardware firewall which belongs to the customer's LAN 2) good point, it actually does read only, so there are no data which can get lost or compromised. Its one and only purpose is to display the web app. – tmprivat Aug 30 '16 at 13:12
  • Could you explain why software updates cannot be enabled in the first place? Solutions to centrally manage software updates have existed since the last century? – billc.cn Aug 30 '16 at 13:15
  • By default, Chrome kiosk mode leaves a number of methods of breakout, so it would be worth getting the device tested by an expert in the field. For example, could an attacker physically connect a keyboard somehow? Can you break out before Chrome loads? – Matthew Aug 30 '16 at 14:55
  • @billc.cn we did not have good experiences with auto-updating Windows systems in the past, they always get stuck. Remote administration isn't faultless either, so you always need an external switch to reset the system. But the biggest point with remote administration is that there are always discussions if you set up a system inside a customer LAN and ask for remote desktop ports to be opened up in the firewall. We want to get around these time-intensive and sometimes useless discussions. – tmprivat Aug 31 '16 at 06:08
  • @Matthew you are right, testing by an expert would be great; to find a "real" expert isn't that easy. The last two did not tell us anything new, that's why we decided to ask this question here. Concerning the keyboard, there is no external port to plug it in and even BT is deactivated. We tried to break the start sequence of the system but did not succeed. But this isn't a big issue as you cannot disconnect the system (no external wires) and the startup is early in the morning without any user access. – tmprivat Aug 31 '16 at 06:17
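
A check for the egress restrictions listed in the question (only ports 80 and 443, only to the vendor's server), added here as an example and not part of the original thread. It is meant to be run from the kiosk itself; the host name `kiosk-app.example.com` and the probe list are placeholders to replace with real values.

```python
import socket

# Assumed allow-list taken from the question's setup: one server, ports 80/443.
# The host name is a placeholder, not a value from the thread.
ALLOWED = {("kiosk-app.example.com", 80), ("kiosk-app.example.com", 443)}

# Constructed probes that the policy should block: a foreign host on an
# allowed port, and the allowed host on remote-admin ports.
PROBES = [("example.org", 443), ("example.org", 80),
          ("kiosk-app.example.com", 22), ("kiosk-app.example.com", 3389)]


def can_connect(host, port, timeout=3.0):
    """Return True if an outbound TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, filtered, or name did not resolve
        return False


def audit_egress(allowed, probes, connect=can_connect):
    """Compare real reachability with the policy and return the deviations."""
    findings = []
    for host, port in sorted(set(allowed) | set(probes)):
        reachable = connect(host, port)
        expected = (host, port) in allowed
        if reachable and not expected:
            findings.append((host, port, "reachable but not in allow-list"))
        elif expected and not reachable:
            findings.append((host, port, "allowed but unreachable"))
    return findings


if __name__ == "__main__":
    results = audit_egress(ALLOWED, PROBES)
    for host, port, problem in results:
        print(f"{host}:{port} {problem}")
    print("policy holds" if not results else f"{len(results)} deviation(s)")
```

A clean run only shows that the filtering matches the list above at the TCP level; it says nothing about the patch state of Windows or Chrome discussed in the comments.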

1 Answer

1

No. Even if the user cannot do anything by himself, there is a possibility that, with the cooperation of a website (that the hacker made himself), he would be able to escape the kiosk mode. In addition, Chrome, upon detecting a security problem, will usually prompt the user whether he wants to proceed. If both the end user and the website are malicious, then the malicious user will just proceed through.

I would suggest using a Linux Kiosk distribution instead. There is Webconverger, and there is Proteus. The advantage is that these can be run in "live mode", and use a write-secured USB memory (For example, https://www.kanguru.com/storage-accessories/flash-blu30.shtml ) where you flip the write protect switch, to prevent writes to the memory.

When you use such a solution, you combine this with a simple timer that cuts the power to the kiosk, let's say every night when the location where the kiosk is placed is closed. The advantage is then that ANYTHING that a malicious individual may have done to the kiosk is instantly cleared out and the device is guaranteed clean every morning.

If you for some reason MUST use Windows 10 with Chrome, there is a possibility to run this in write-protected mode too. This can be accomplished here:

How to enable on Windows 10: https://msdn.microsoft.com/en-us/library/windows/hardware/mt572001(v=vs.85).aspx

How it works: https://msdn.microsoft.com/en-us/library/dn449416(v=winembedded.82).aspx

Then, when this is activated, you can turn on the write-protect switch on the USB memory without problems. Then you can apply the timer function as I describe, which will reboot the computer each night.

sebastian nielsen
  • Thanks for this detailed feedback and the shown alternatives. Adding a write protection mode seems very useful in combination with an external time switch. Using Linux is a little difficult, as there is far less touch display support for Linux, but we will investigate that, as the Linux distributions you mention sound very promising. – tmprivat Aug 31 '16 at 06:01
  • @tmprivat : Most Linux kiosk distros have touch screen support, but if not, many touch screens, using settings, can be set to emulate a standard HID mouse, which is guaranteed to work with any Linux distro. – sebastian nielsen Aug 31 '16 at 06:11
  • we decided that the Iiyama T2735MSC fits best for our needs and this one unfortunately only supports mouse events. As we need touch events for pinching and swiping, this does not work. Other displays have the same issue with Linux. It's a pity, as we would definitely prefer Linux. – tmprivat Aug 31 '16 at 06:53