Honestly I have to say this is the type of security article that annoys me the most.
- Snarky and talks down about people not "in the know" about potential security issues.
- Supreme confidence that they are super knowledgeable about how it "should" be done.
- Fails to provide any actual demonstrable impact, but doing the old "left to the reader" as to how it's clearly exploitable.
But when you drill into the details, they are just fundamentally wrong about how the product is even working, what is possible with the attack surface, and how components are interacting with each other.
There are plenty of vulnerabilities out there, and companies do make stupid mistakes with regards to security in lots of situations. That doesn't mean that every pie in the sky idea you have (oh look, I did a kiosk escape, dot dot dot, clearly I can credit card skim now) is possible.
It's in the tradition of "posting the wrong answer to get the good one". Within this genre the comment section ends up even more terrifying than the post itself!
> There are payment terminals attached to these kiosks. If someone installs malware on here - just insert a usb stick or use the recovery mode - then tada we have the next generation of atm skimming.
As has been mentioned throughout this thread by others, there is not this form of interaction between the payment terminal and the kiosk.
I guess it's partly the tone of the article. It comes across as quite arrogant. Had he actually managed to break into one of them, that would've been interesting.
The commenter wasn't providing an explanation of how the kiosk works, they were giving a criticism of the tone and usefulness of the article. I thought their level of detail in their critique was perfectly appropriate.
After having read quite a few, security articles seem much like proposing Russell's teapot: as long as you, as the authors, don't demonstrate a viable exploit, it is unlikely that such an exploit exists.