January 17, 2007

Kiosk Case Study -- Hackers Find A Way

Nice report by on Zoom vending kiosks being "tricked". We've looked at the unit in Flatirons in Colorado and were unable to find that weakness so this could be a new version being deployed (without sufficient testing perhaps).

Davis Freeberg’s Digital Connection - Zoom Kiosks Hacked - Hackers Can’t Resist Free iPods

Zoom Kiosks Hacked - Hackers Can’t Resist Free iPods

BacklightOne of the major advantages to using kiosks at a retail store is the reduction in shrinkage that retailers see, once they introduce kiosks at the retail level. Because customers have to actually pay for a product before they can get their hands on it, vending can save retailers significant amounts of money by reducing the amount of theft from shoplifters and unscrupulous employees. Like anything though, if you give someone enough incentive, people will always figure out a way to get around theft deterrent systems.

When I was a kid, people took the time to figure out a way to short circuit Coke machines into giving away free sodas, by spitting water into the slot for dollar bills. Considering that Zoom systems is catering to a much higher end of the retail market with their iPod and cell phone kiosks, it shouldn’t be much of a surprise that hackers have already figured out a way to get around the theft protections built into the Zoom vending machines.

Because Zoom is using internet explorer to run their kiosk software, hackers have figured out that it’s relatively easy to bypass their security protections by accessing the file explorer window and then tricking the machine into thinking that you’ve already paid.

Since most of the Zoom’s kiosks are either inside of a Macy’s location or in an airport, this limits the effectiveness of this hack because there are still security guards that can watch out for this, but this hack could still undermine the usefulness of kiosk technology, if you have to have physical security monitoring the machines. While I’d be surprised to find out that Zoom hasn’t already responded to this threat by making it more difficult to gain access to the file explorer window, this hack still highlights an important issue for kiosk manufactuers to consider when designing their vending solutions.

By removing an actual human from the transaction process vending can save time and money for many businesses, but without the right theft controls, it can also expose retailers to even higher levels of theft. Even with this exploit, I would still be willing to bet that retailers see significant less shrinkage with Zoom kiosks than without them, but for a technology that depends upon removing humans from the transaction process, these sorts of exploits are a significant threat to the kiosk industry. If retailers can’t feel comfortable in having an unmonitored vending machine selling their inventory, it will greatly diminish the appeal and convenience that vending can have as a retail solution.



Posted by staff at January 17, 2007 07:56 AM