SANS ISC: Physical Access, Point of Sale, Vegas - Internet Security | DShield SANS ISC InfoSec Forums
Physical Access, Point of Sale, Vegas

Physical access [1], as most of us know, is the final point of control. While in Las Vegas (on a well earned vacation) my wife and I wandered all over. It only took around a day of being completely unplugged before my mind wandered back to 'security' land. While scoping out places to eat, my partner dragged us into a 'pricey' looking place (which will remain nameless to protect the 'really' not so smart; I am not a photo editor, so if something slipped through, I tried).

When we got into this place, at first in tourist mode, it had a lot of things designed to take my money. After spending a little more time there, I was most curious about the point of sale suite. Then I noticed where it was placed: conveniently on the floor, with the attendant not that close and distracted from the clients. It gets worse: when I spent more time by the counter, the attendant did not even notice (as expected, sadly) [2].

 

At this point I suspected that I could easily drop a USB key or a leave behind device and decided to take a quick picture of all the ports accessible.


If you look at the photo closely:

 

  1. I was not challenged by anyone
  2. I had plenty of time to snap a shot
  3. Easy access to a USB port
  4. Well known Point of Sale System
  5. Premium Las Vegas location
  6. Printed and taped details near device

 

Conclusion? I paid cash (not that it helps much, but it sure did make me feel better)! Physical security, and your staff's awareness of it, cannot be overlooked. Reduce your attack surface, anyone?

Are you picky about PoS locations now? What things have changed in your shopping habits?

 

References:

[1] http://www.sans.edu/research/security-laboratory/article/281

[2] http://www.police.psu.edu/physical-security/what-is-physical-security.cfm

 

Richard
ISC Handler
I was in a Conroy's, part of 800 Flowers (a friend sold her business), and saw the exact same thing: POS Dell terminals, FULL access to USB on the back to slide in a drive or mini wireless fob.. You think the checkout person really knows or cares? They are too busy with the "smart phone". Humm..

I gladly contacted the company.. got a "Gee thanks" but nothing more was done, so I do not shop there.

I leave you with this question, is it not our duty to inform all to protect all? If not we are in the wrong line of edification.
ICI2Eye

Tax-free shops between two countries' borders are commonly kept in the same manner as described in the article. I have seen many of their POS terminals, positioned conveniently throughout the shop. USB and serial, and sometimes Ethernet, just waiting for something to be plugged in.
Elakamarcus

I took a ghost tour a few weeks back and we had full access to freely roam a restaurant after it was closed for the night. There were 20 in the group, with only one guide. The POS systems were workstations, with full port access, that were still logged into Windows. It would have been too easy.
xMIKEEDGEx

Physical access could be tighter but just because the USB ports are visible does not mean they are operational and not locked down. Most all POS hardware comes with USB but can be locked down either at the BIOS level or OS with endpoint protection after they are configured.

Doug
I wonder: if physical security of POS terminals were as tightly regulated as the gaming industry regulates slot machines, and casinos monitored their customers' activity, would we see as many hardware vulnerabilities (and breaches) in POS terminals? Can you imagine if all those ports were exposed like that on a slot machine...?
Inspector16

To be fair, exposed ports might be secured against unauthorized devices using something like Intel Small Business Advantage, Didier Stevens' ARIAD, or even Group Policy. Or they might be switched off in the system's BIOS, as is the case for the exposed ports on the Dells at our own checkout area. Still, it does raise concerns when one cannot be sure.
Anonymous
Quoting ICI2Eye: I leave you with this question, is it not our duty to inform all to protect all? If not we are in the wrong line of edification.


Yes, but with a caveat. Be careful how you report when someone else's security is poop. Back before "wardriving" was a buzzword, a friend of mine fired up his laptop in a bank parking lot while his housemate was depositing a check. He happened to notice that they had an unencrypted WiFi (wait for it...) transmitting customer info in the clear. (face-palm) Being the good whitehat, he dutifully tried to track down someone in IT at the bank to let them know they had a problem. They called the FBI and said he'd attacked their network. (sigh)
Brent

Quoting Brent:
Quoting ICI2Eye: I leave you with this question, is it not our duty to inform all to protect all? If not we are in the wrong line of edification.


Yes, but with a caveat. Be careful how you report when someone else's security is poop. Back before "wardriving" was a buzzword, a friend of mine fired up his laptop in a bank parking lot while his housemate was depositing a check. He happened to notice that they had an unencrypted WiFi (wait for it...) transmitting customer info in the clear. (face-palm) Being the good whitehat, he dutifully tried to track down someone in IT at the bank to let them know they had a problem. They called the FBI and said he'd attacked their network. (sigh)


Well, it would not have been difficult to prove their accusations were BS. My first response.. do you see a handshake, authentication or IP address attached to this NIC/MAC? And no, you may not have any device; that pesky piece of paper, i.e. the 4th, says negative, thanks for playing.

However, duly noted (tip of the hat). I guess if a few more would have paid attention to a company called Max, then a huge breach might have been avoided. This was a battle I fought and lost (my job) because the owner's daughter at a company I worked at (controls/HVAC) would allow the techs to turn off the AV and the like, since it got mad at PCAP and other sniffers. Well, what happened at Target, and how did the breach happen?

And as we all know, a laptop does not have to be carried around. Those that say "oh, disable the USB in the BIOS".. not tough to get around, especially when a lot of them use wireless peripherals.. oh look, snarf away. Pathetic when the arrogance of those who are ignorant takes it as stupidity when it is not the same.

But in the case of your friend, alas, no good deed goes unpunished.
ICI2Eye

In a retail shop we left the physical ports unmodified but blocked usbstor and some other registry keys, as well as tearing out features and drivers that were not required. As a customer there is no way to know if this is done, so I agree about being cautious.
Access to the endpoints (POS and card reader) should be secured anyway, since it would be trivial to slip a Bluetooth-capable hardware keylogger inline on the keyboard or card reader for data exfil.
Universal adoption of end-to-end encryption on the card reader would also be nice, since it would defeat keyloggers and BlackPOS as well.
Enke

Sorry, I must be missing something. Having an exposed USB port is not an automatic vulnerability. Unused ports can and should be disabled. Is there a potential here for an unlocked port? Yes. Is this port unlocked? Who knows. Is there WiFi access at this same location? Who knows. If there is, is that an automatic vulnerability?

My point is that properly disabling a USB port is very easy with most modern hardware. I can envision some ignorant media reporter reading the above post and starting to cry "THE SKY IS FALLING! THE SKY IS FALLING!" for every USB port he sees -- meaning most any POS using hardware purchased in the last 15 years.

Lastly, hardware-based P2PE at the point of entry is the best preventative measure for all the malware described and implied in this thread. Is the offending POS using P2PE?

As a side note, I would treat the USB port as a honey pot: attach a "will prosecute" warning, install an alarm and have people arrested for tampering with the port – but that's me.
Anonymous
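Both Enke (blocking usbstor in the registry) and the last commenter (properly disabling unused USB ports) describe a lockdown that a customer cannot see but an administrator can verify. The script below is an added example, not code from the diary or from any commenter: it audits a Windows POS terminal for the USBSTOR driver state, the "deny all removable storage" policy, and the trail of mass-storage devices that have ever been enumerated, and offers a -WhatIf-capable remediation. The registry locations are the standard Windows ones; the function names and the summary object are assumptions of this example.

```powershell
# Added example (not from the diary or any commenter). Run from an elevated PowerShell
# prompt on the terminal being audited. Registry paths are the standard Windows ones;
# function names are this example's own.

$UsbStorService  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$UsbStorEnum     = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$RemovablePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-UsbStorageLockdown {
    # USBSTOR Start value: 3 = driver loads on demand (mass storage works), 4 = disabled
    $start = (Get-ItemProperty -Path $UsbStorService -Name Start -ErrorAction SilentlyContinue).Start

    # The "All Removable Storage classes: Deny all access" policy writes Deny_All = 1 here
    $denyAll = (Get-ItemProperty -Path $RemovablePolicy -Name Deny_All -ErrorAction SilentlyContinue).Deny_All

    # Every USB mass-storage device ever plugged in leaves a subkey under Enum\USBSTOR,
    # so this doubles as a quick "has anyone already used this port?" check
    $seen = @(Get-ChildItem -Path $UsbStorEnum -ErrorAction SilentlyContinue)

    [PSCustomObject]@{
        Computer        = $env:COMPUTERNAME
        UsbStorStart    = $start
        UsbStorDisabled = ($start -eq 4)
        PolicyDenyAll   = ($denyAll -eq 1)
        DevicesEverSeen = $seen.Count
        DeviceIds       = $seen.PSChildName
        Locked          = ($start -eq 4) -or ($denyAll -eq 1)
    }
}

function Disable-UsbMassStorage {
    # Remediation: stop the USB mass-storage driver from loading. Honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($UsbStorService, 'Set Start=4 (disable USBSTOR driver)')) {
        Set-ItemProperty -Path $UsbStorService -Name Start -Value 4 -Type DWord
    }
}

$state = Get-UsbStorageLockdown
$state | Format-List
if (-not $state.Locked) {
    Write-Warning "USB mass storage is usable on $($state.Computer); $($state.DevicesEverSeen) device(s) have been enumerated so far."
    Write-Warning 'Run Disable-UsbMassStorage (or deploy the Deny_All policy) and re-run this audit after a reboot.'
}
```

Note the scope of what this checks: disabling USBSTOR stops mass-storage devices only, so the keyboard-class and wireless-peripheral cases raised by Enke and ICI2Eye still need device control at the class level, a BIOS-level port disable, or physical enclosure.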
