PARCOMAGICSecurity analysis of public terminals
Denis Makrushin (@difezza), Kaspersky Lab
Stanislav Merzlyakov, Positive Technologies
WATCH OUT! WATCHDOGS.
2
Common usage terminals
Life is a good teacher
Methodic of Penetration testing
Virtual keyboard
Moving in Control panel
Arbitrary code execution
Windows Help or Desktop
Input Data fuzzing
Tap-fuzzing
Escape from the application
Fullscreen application
Calling the additional elements of the
system’s interface
Calling the undocumented features of
the application
View from the developer
Street magic: escape from the app
Street magic: virtual keyboard
Who am I?
Another kind of PoC
Catch me!
Post-exploitation
• Located in public places
• 24/7 available
• Same configuration
• The higher degree of
confidence from the user
• Connected to each other and to
private network
• Advertising
• Social engineering/phishing
• Botnet use cases
• Dump of app for offline
reversing
• Internal network attack
• …
Take a look around
Firewall
Terminal’s
server
Main office
Recommended
