Submission + - Hacking kiosks and ATMs with Windows sticky keys
pestilence669 writes: "An alarming number of kiosks and ATMs (like the V-Com units in 7-11) run Windows XP. I've recently made it a hobby to play minesweeper and surf the web on these units. Most, if not all, are connected to the Internet. BitTorrent from an ATM? It's easier than you think! Gaining control is as simple as five keystrokes.
The companies that build ATMs and kiosks seem to know nothing about keyboard shortcuts. If there's a keyboard attached, you can bet that they removed the TAB key to prevent ALT+TAB abuses. Little do they know, ALT+TAB is not the only way to lose focus for an application.
If you're a fast typer like me, you've probably been greeted with the Microsoft sticky keys dialog. It asks you if you want to enable "sticky keys." It's a usability feature that helps disabled individuals type with one hand. Sadly, it's pseudo-enabled by default since this dialog box appears. Most people don't know it, so it's ready to be abused on just about every production XP-based kiosk or ATM (with keyboard).
All that needs to be done: hit the SHIFT key five times. SHIFT is guaranteed to be included in even the most restrictive keyboard layouts. In almost every instance, the sticky keys dialogs appears. As the kiosk or ATM application looses focus, you'll be presented with the XP start menu in the background. Many of these machines use a complete install with Minesweeper, Hearts, Internet Explorer and Outlook Express. Fun!!!
I've made it a regular habit to browse Slashdot, send email, and surf blogs from just about any kiosk that I find. Whenever my wife uses the bathroom at Dave & Busters, I'm reading blogs in the lobby. Whenever I'm at 7-11, I'm surfing with the ATM.
What's really scary about all of this is how easy it is to install executable code onto these devices. They're on the Internet and they have local storage. As far as I can tell, in my own experience, there are no restrictions in place. What's to stop someone from installing their own COM/ActiveX "helper" object and intercepting all HTTP/bank traffic?"
The companies that build ATMs and kiosks seem to know nothing about keyboard shortcuts. If there's a keyboard attached, you can bet that they removed the TAB key to prevent ALT+TAB abuses. Little do they know, ALT+TAB is not the only way to lose focus for an application.
If you're a fast typer like me, you've probably been greeted with the Microsoft sticky keys dialog. It asks you if you want to enable "sticky keys." It's a usability feature that helps disabled individuals type with one hand. Sadly, it's pseudo-enabled by default since this dialog box appears. Most people don't know it, so it's ready to be abused on just about every production XP-based kiosk or ATM (with keyboard).
All that needs to be done: hit the SHIFT key five times. SHIFT is guaranteed to be included in even the most restrictive keyboard layouts. In almost every instance, the sticky keys dialogs appears. As the kiosk or ATM application looses focus, you'll be presented with the XP start menu in the background. Many of these machines use a complete install with Minesweeper, Hearts, Internet Explorer and Outlook Express. Fun!!!
I've made it a regular habit to browse Slashdot, send email, and surf blogs from just about any kiosk that I find. Whenever my wife uses the bathroom at Dave & Busters, I'm reading blogs in the lobby. Whenever I'm at 7-11, I'm surfing with the ATM.
What's really scary about all of this is how easy it is to install executable code onto these devices. They're on the Internet and they have local storage. As far as I can tell, in my own experience, there are no restrictions in place. What's to stop someone from installing their own COM/ActiveX "helper" object and intercepting all HTTP/bank traffic?"
