January 26, 2008

DVD Rental kiosk pilot by Blockbuster, and security liability

Nice catch by Gerba of Wirespring of a blogger's experience at the new Blockbuster DVD rental "kiosk". The post doesn't physically describe the "kiosk", so it might not be a conventional enclosure, and judging from the comments it sounds more like an unsecured ordering terminal. Last year, for their online signup program, Blockbuster used bare laptops on a table as their "kiosks". With the recent alerts about credit card theft on DVD rental machines you would think they wouldn't put customer data at risk like this, but it was probably the cheapest solution. I wonder how much that "most cost-effective" network solution TJ Maxx used last year ended up really costing them after all their data got swiped. Ended up being very expensive, I think, and it created fear in consumers still shopping in their stores.

The maxim that the cheapest solutions come with the highest liabilities still holds true (and, amazingly, is most often ignored).

Blockbuster Express Kiosk - $1.00 DVD Rentals

Blockbuster has jumped on the $1 rental bandwagon. A more common company of this type is Redbox. These are basically ATM-looking machines that dispense DVDs for $1.00 a night. Redbox has about 6,000 machines in operation and Blockbuster has recently released 14.

The first ever Blockbuster Express Kiosk is located just down the street from me. I decided I would try it and see how it worked. I wish I had my camera. When I arrived at the kiosk, the tech I guess forgot to unplug the keyboard and mouse, as they were lying on the floor. The computer guy in me decided to see what was under the hood. Two keys later I was looking at a Windows XP desktop with Admin privileges. How can it be? Blockbuster, do you not realize what I could do if I was an ambitious hacker? If you don't, let me tell you.

If Blockbuster isn’t careful, I could:
* Dispense DVDs for free
* Add a back door to get access to all the credit card information that is swiped on this machine
* Replace the “Play Trailer” videos with a more adult video of my choosing
* Add a rootkit, so that even if the machine is re-imaged, I will have a backdoor.

These are just SOME of the things we could do. How about we take the code for the machine, figure out how the kiosks talk to each other and add a trojan to install a rootkit on ALL the kiosks that connect to the main server hub. From there, we could, say, put the name nich duncan under the account and get free rentals at all the kiosks, or get even more malicious and swipe credit card information from ALL KIOSKS.

It’s a good thing I’m not a bad guy, otherwise Blockbuster would be all over the news for losing customers' credit card information, missing DVDs and all sorts of bad mojo. Now, I did call the customer service number and told them about this small error in their ways; they assured me they would send a tech to remove the keyboard and mouse, which they did. The next day when I went, they were gone, but I decided to look around. On the back of the monitor is where the computer is attached. All ports are open and available.

You have got to be kidding me, Blockbuster. You really left me a spot to plug in my own keyboard? So I called back and told them this is not satisfactory. This time I spoke with a supervisor and told them I know they are testing the market, so I wanted to share some insight on what I thought of the machines. I explained the keyboard incident, then told them that if I was so inclined I could just plug in my own, since they leave the ports there for anyone to access, and I went on to tell them what I could do with just a keyboard if I was so inclined.

That was yesterday. Today, when I went to return the DVDs from yesterday, the tech was there replacing the monitor with a different brand. Looks like they took my advice to heart and realized the issues they could have had.

Related Link - Was the TJX fiasco result of poor wireless security or somebody breaking into a job hire terminal?

Posted by staff at January 26, 2008 09:30 AM