Whether it is an EPOS system at a fast food venue or large display system at a public transport hub, interactive kiosks are becoming popular and trusted conduits for transacting valuable data with customers.
The purpose of interactive kiosks, and the reason for their increasing prevalence, is to drive automation and make processes more efficient. For many businesses and government departments, they are the visible and tangible manifestations of their digital transformation.
Kiosks are information exchanges, delivering data and content; ingesting preferences, orders and payments. With so much data going back and forth, there is huge value. However, wherever there is value you’ll find malicious and criminal activities seeking to spoil, subvert or steal it.
Three Categories of Cyber Threat
Kiosks are just the latest in a long line of data-driven objects that need protecting. At stake is the very heart (and public face) of digitally evolved organisations.
Threats to kiosks come in three principal forms:
Threats to system integrity – where kiosks are compromised to display something different. Losing control of what your kiosks look like undermines your brand and causes distress to customers. A recent example is a well-known sportswear store in New Zealand, where a kiosk displayed pornography for 9 hours before employees arrived the next morning to disconnect it.
Threats to system availability – where kiosks are compromised to display nothing. In other words, they go offline. Instead of displaying some kind of reassuring ‘out of order’ message, they present the appearance of a desktop computer with frozen dialogue boxes or raw lines of code. Examples of this are all too common, and are typically characterised by ‘the blue screen of death’.
Threats to system confidentiality – where kiosks show no outward signs of compromise, but are in fact collecting data illegally. Such attacks carry significant risk over and above creating nuisance or offence. One example is a stealth attack suffered by one of the largest self-service food vending companies in the US, in which payment card details and even biometric data gleaned from users at kiosks may have been jeopardised.
The challenge of curbing these threats is compounded by interactive kiosks’ great virtue: their connectedness. As with any Internet of Things (IoT) endpoint architecture, the potential routes for attack are numerous. They can spread from attacks on a company’s internal network, stem from vulnerabilities in kiosk application software, or even result from a direct assault on the kiosk itself.
How Best Practice Regulatory Standards Apply to Kiosks
Regulatory compliance plays a part here. The EU GDPR and the NIS Directive (ably supported by comprehensive guidance proffered via the UK NCSC Cyber Assessment Framework) compel organisations to cover all parts of their endpoint estates with appropriate operational controls, processes and a risk management approach in respect of – for example – patch management, privileged user access and data encryption.
Regulatory reforms are all well and good, but technology (AI, machine learning, blockchain, etc.) is evolving rapidly. Organisations must be as proactive about the cybersecurity challenge as possible or risk falling behind the digital innovation curve.
Here at Becrypt, through our work with UK Government and the National Cyber Security Centre (NCSC), we have developed solutions in line with core objectives sought by NIS and other regulations, for use in public sector environments. At the same time, we are seeing private sector businesses increasingly coming under the sorts of cyberattacks more commonly associated with the public sector.
Paradox: The Secure, Linux-based OS for Interactive Kiosks
Government research has determined that the best way to mitigate threats to interactive kiosks, and safeguard wider digital transformation objectives, is to secure the kiosk operating system (OS).
Becrypt has developed Paradox, a secure Linux-based OS and management platform for kiosks. Paradox incorporates a secure-by-design architecture, which ensures kiosks remain in a known healthy state, free of malware. For organisations concerned about the potential for attack, it provides absolute certainty that, every time a machine is switched on, its OS and all its applications have not been compromised.
Another common concern with kiosks is managing hundreds or even thousands of geographically dispersed devices without being able to check on or remediate system health. Should it detect anything unusual, Paradox will automatically roll back to the last known good state. This presents a functioning system rather than an offline or unavailable one. It avoids the onset of ‘bluescreen’ failures and allows administrators to visualise and manage kiosks in an easy and low-cost way. Automated security and patch management further ensures that devices are always kept up to date.
Paradox is also a very lightweight OS. It shrinks the potential attack surface, ensuring the entire kiosk estate is not susceptible to common exploits. It also carries a number of advanced security controls that make it more difficult to attack, such as a sandboxed user account that prevents privilege escalation. OS components are also mounted ‘read-only’, so that tampering cannot persist across reboots and targeted attacks gain no foothold.
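To make the "verify at every switch-on, roll back to last known good" idea concrete, here is an added illustrative model, written for this article and not Paradox's own implementation: two OS "slots" (directories) each carry a manifest of SHA-256 hashes, the active slot is verified at "boot", and any mismatch or unexpected file causes a fallback to the last known good slot. The slot and file names are constructed for the example.

```python
"""Illustrative boot-time integrity check with rollback to the last known good slot.

This is a simplified model (not Paradox's implementation): in a real system the
manifest would be signed and the check would run from a trusted, read-only bootloader.
"""
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def write_manifest(slot: Path) -> None:
    # Record the expected hash of every file in the slot (except the manifest itself).
    entries = {p.name: sha256_file(p) for p in sorted(slot.iterdir()) if p.name != "manifest.json"}
    (slot / "manifest.json").write_text(json.dumps(entries))

def verify_slot(slot: Path) -> list:
    """Return the names of files that are missing, modified, or not in the manifest."""
    expected = json.loads((slot / "manifest.json").read_text())
    present = {p.name for p in slot.iterdir()} - {"manifest.json"}
    bad = [n for n, h in expected.items() if n not in present or sha256_file(slot / n) != h]
    bad += sorted(present - expected.keys())  # extra files are also a failure
    return bad

def select_boot_slot(active: Path, last_known_good: Path) -> str:
    """Boot the active slot if it verifies; otherwise fall back to last known good."""
    if not verify_slot(active):
        return active.name
    if not verify_slot(last_known_good):
        return last_known_good.name
    raise RuntimeError("no slot verifies; refuse to boot rather than present a broken system")

def demo() -> tuple:
    """Constructed scenario: slot A is tampered with after its manifest was written."""
    root = Path(tempfile.mkdtemp())
    for name in ("A", "B"):
        slot = root / name
        slot.mkdir()
        (slot / "kiosk-app").write_text("ui-build-1.0")        # constructed app content
        (slot / "os-component").write_text("kernel-image")     # constructed OS content
        write_manifest(slot)
    clean_choice = select_boot_slot(root / "A", root / "B")
    (root / "A" / "kiosk-app").write_text("ui-build-1.0 + injected change")  # tamper with A
    tampered_choice = select_boot_slot(root / "A", root / "B")
    return clean_choice, tampered_choice

if __name__ == "__main__":
    print(demo())  # ('A', 'B'): clean boot uses A, tampered boot falls back to B
```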
Spurred on by consumer demand for deeper interactions and easier, more personalised experiences, the exponential growth in interactive kiosks is plain to see in public spaces everywhere. This shift encourages more private and public sector organisations to do more with their data. The onus is on all of us to protect it.
With a heritage of creating UK National Cyber Security Centre (NCSC) certified products, Becrypt is a trusted provider of endpoint cybersecurity software solutions. Becrypt helps the most security conscious organisations to protect their customer, employee and intellectual property data. It has an established global client base which includes governments (central and defence), wider public sector, critical national infrastructure organisations and SMEs.
From its early pioneering work in disk encryption software to being first to market today with a unique desktop operating system, Becrypt continues to bring innovation to endpoint cyber security technology. A recognised cyber security supplier to governments around the world, Becrypt’s software also meets other internationally accredited security standards. Through its extensive domain and technical expertise, Becrypt helps organisations optimise the use of new cyber security technologies, and its flagship security solution, Paradox, delivers a highly secure platform for the modern age.