We are discussing whether an internet-enabled kiosk system can be set up securely without updating the system regularly.
The facts in short:
We are developing a new software product which offers a "station version", meaning it runs as a kiosk system.
- it will use a touch display and a Win10 Home PC stick
- no external or virtual keyboard will be used for the GUI interaction
- the frontend is a webapp which is hosted on our server
- the Chrome browser will be used in kiosk mode to display the webapp
- no additional software will be installed, just a clean Win10 Home, the firewall and Chrome
- all Windows services will be disabled (e.g. Updates)
- all ports are closed except 80 and 443, outbound only
- no access to the internet except the URL to our server
The questions we are discussing are:
Will it be possible for an advanced user to leave the Chrome kiosk mode somehow?
Our result: we tried everything but did not succeed, so it seems to be locked.
Will it be secure to leave the system in this setup state, skipping all updates for Windows 10 and Chrome?
Our thoughts: of course we know that it is not a good idea to skip software updates, especially OS updates! But we believe that isolating the system so it can only access our server, and closing all other ports, will do the trick.
I am asking this because if there is a secure solution, we will not have to add high-frequency service costs and could therefore offer the system at a lower price.
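The lock-down the bullet list describes (default-deny firewall with only 80/443 to one server, Chrome pinned to one origin and started in kiosk mode), as an added PowerShell example for Windows 10; it is not the poster's script. The server name, its IP, the resolver address and the Chrome path are placeholders; DNS is allowed to one resolver because without it the whitelisted hostname would not resolve, and the verification step at the end is what a practitioner should look at before shipping a stick.

```powershell
# Added example, run in an elevated PowerShell on the kiosk stick.
# Placeholders (assumptions, not values from the question):
$ServerHost = 'kiosk.example.com'   # hostname the webapp is served from
$ServerIp   = '203.0.113.10'        # its address (TEST-NET-3 documentation range)
$Resolver   = '203.0.113.53'        # the one DNS server the stick may query
$AppUrl     = "https://$ServerHost/"

# 1. Default-deny in both directions on every profile. "Only 80 and 443 to our
#    server" only holds if everything else is blocked by default, not per rule.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Windows ships many stock outbound allow rules (Store apps, Core Networking,
#    ...). Disable them, keeping only the DHCP client rules so the stick can
#    still obtain an address, then add the two allow rules the kiosk needs.
Get-NetFirewallRule -Direction Outbound -Action Allow |
    Where-Object { $_.DisplayName -notlike '*DHCP*' } | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'Kiosk-Web' -Direction Outbound -Action Allow `
    -Protocol TCP -RemoteAddress $ServerIp -RemotePort 80,443
New-NetFirewallRule -DisplayName 'Kiosk-DNS' -Direction Outbound -Action Allow `
    -Protocol UDP -RemoteAddress $Resolver -RemotePort 53

# 3. Chrome policy (registry keys are honoured on Home editions too): block every
#    URL, then allow only the webapp's origin, so a link, redirect or typed URL
#    cannot take the browser elsewhere. Also remove DevTools and incognito.
$Pol = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
New-Item -Path "$Pol\URLBlocklist" -Force | Out-Null
New-Item -Path "$Pol\URLAllowlist" -Force | Out-Null
Set-ItemProperty -Path "$Pol\URLBlocklist" -Name '1' -Value '*'
Set-ItemProperty -Path "$Pol\URLAllowlist" -Name '1' -Value "https://$ServerHost"
Set-ItemProperty -Path $Pol -Name 'DeveloperToolsAvailability' -Value 2 -Type DWord
Set-ItemProperty -Path $Pol -Name 'IncognitoModeAvailability'  -Value 1 -Type DWord

# 4. Verify before shipping: every profile must show Block/Block, and the only
#    enabled outbound allow rules should be Kiosk-Web, Kiosk-DNS and DHCP.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName

# 5. Start Chrome in kiosk mode on the webapp (the mode the question refers to).
Start-Process 'C:\Program Files\Google\Chrome\Application\chrome.exe' `
    -ArgumentList '--kiosk', $AppUrl
```

Note that this restricts the network and the browser only; it does nothing about the outdated Windows and Chrome binaries themselves, which is the second question's risk, so step 4 should be repeated after any change to the image.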