The Redbox DVD Kiosk

by blakmac  (blakmac@gmail.com)

Many if not most of the audience have seen or used the DVD rental kiosks that have taken up residence at many McDonald's restaurants.

The machine at our location, a Redbox model DVD-OT, provides an extremely easy and affordable way to rent new release movies, provided of course you have a valid form of plastic payment.  In this article we will look at what could be considered a major security threat if applied properly, as well as address some theories which may or may not be founded in reality.  If you are in need of a disclaimer, stop reading right now.

The Machine

The Redbox model DVD-OT is more or less an off-the-shelf computer running Windows XP Professional, some DVD dispensing hardware, and a touch-screen monitor in a big red metal box.

The top section of the box houses the screen, DVDs, and all the mechanisms used to dispense the movies, whereas the lower section houses the PC, keyboard, etc.  All of this can be considered boring to most of you.  Oh, I almost forgot - this machine has a high-speed Internet connection.  We will get to that shortly.

The Software

The Redbox software is launched automatically (I assume) on startup.

As of this article, I have not found a way to exit the program.  There is a "hidden" screen that asks for a username/password, however I've had no luck with that either.

To access this screen, simply touch the "help" button and then tap on the Redbox logo at the bottom of the screen.  I assume that there are some interesting features beyond this login prompt.

Some other programs that run on this machine include programs to hide the start bar and one that looked particularly interesting - test controls for the DVD dispensing mechanism.  This program did not have any information in the title bar, so more research is needed.  Odds are that this program has a shortcut in the start menu, like the start bar hiding program (and several others that I did not have time to note - more information when I get it).

The Flaw(s)

Although I have so far been unsuccessful at finding a way to completely exit the kiosk program, I did notice something while trying to assist a customer with the machine one night.

From certain error screens (there are several, not all will do this) you can tap on the lower-left hand corner of the screen and get (shock) a "Start Menu".  The "Start Menu" contains many (if not all) of the features you would expect from a shiny new XP box, including games, miscellaneous software, and a wonderful feature for touch screen (ab)users called on-screen keyboard.

This program has been part of the Windows Accessibility package for a long time, but since the keyboard is locked away in the bottom of the machine, this will help us on our journey.  On the machines I have encountered, the screen is a bit insensitive so this is an annoyingly slow way to access things.  But patience is a virtue, right?

We'll start by launching the onscreen keyboard.  After that, hit the bottom-left corner again and then launch Internet Explorer.  From here you can use the onscreen keyboard to access your favorite sites (2600.com, page33.tk, etc.).  Now wasn't that stupidly easy?

You could also, of course, browse the hard drive of the system either from IE or "My Computer" (that's right, it's wide open).  There may be things of interest such as user guides, but for the sake of conspiracy (this is speculation, but you never know...) since this is a machine that processes credit card transactions, there could possibly be logs of these transactions stored locally on this PC and, as we have demonstrated, virtually nothing to prevent someone from emailing files from this machine (using Gmail, Hotmail, or the like) to him/herself or to someone else.

Which brings me to another point.

Here we have a machine that has complete HTTP access to the Internet.  Something else I have noticed about the Redbox is that most of the software maintenance is done remotely via the Internet, courtesy of XP's remote administration feature (which as far as I can see is always enabled, since there isn't usually a technician anywhere around when this maintenance is being performed).

So here's a possible scenario: by obtaining the IP address of the machine, theoretically one could gain access via the remote admin tools.  Another scenario is that one could download and install some kind of backdoor program, FTP, or HTTP server on the Redbox itself, then gain access from a remote location.  Either way the possibility of remote access exists.

Aside from this, one could manage to spawn a DOS shell using the techniques mentioned above (onscreen keyboard) and possibly gather information on other machines on this network.  After all, they all must have a common server since you can return the DVDs to any kiosk and be credited for the return.  (Browsing "My Network Places" was unsuccessful - I will be researching this further.)

Conclusion

Security through obscurity is not secure!

I can't tell you how many articles I have read concerning touch-screen kiosks that have these same kinds of security flaws.  Windows XP is capable of preventing these kinds of problems (i.e., removing onscreen keyboard from the "Start Menu", locking down "My Computer", etc.) from happening.
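The lockdown settings mentioned above are ordinary XP Explorer and Terminal Server policies, so a kiosk build can be audited from a registry export before the box is put on the floor.  The script below is an added example, not Redbox's configuration or code; the registry export it checks is constructed, and the policy values it expects (NoRun, NoDrives, DisallowRun, fDenyTSConnections) are standard Windows keys.

```python
import re

# Constructed sample registry export (not from a real kiosk): the state the
# article describes, with nothing locked down and Remote Desktop left on.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000000
"DisallowRun"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"""

EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
TERMSRV = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

# (key, value name, value a locked-down kiosk should carry, flaw it closes)
# NoDrives 0x03FFFFFF = all 26 drive letters hidden from My Computer.
# DisallowRun=1 enables the block list kept as string values in the
# DisallowRun subkey (e.g. osk.exe, iexplore.exe); this parser only reads dwords.
CHECKS = [
    (EXPLORER, "NoRun", 1, "Start Menu 'Run' still reachable"),
    (EXPLORER, "NoDrives", 0x03FFFFFF, "My Computer still shows local drives"),
    (EXPLORER, "DisallowRun", 1, "no application block list for osk.exe / iexplore.exe"),
    (TERMSRV, "fDenyTSConnections", 1, "Remote Desktop listening on the Internet link"),
]

def parse_reg(text):
    """Parse [key] sections and "name"=dword:hex lines into {key: {name: int}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        sec = re.fullmatch(r"\[(.+)\]", line)
        if sec:
            current = sec.group(1).lower()
            keys.setdefault(current, {})
            continue
        val = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if val and current is not None:
            keys[current][val.group(1).lower()] = int(val.group(2), 16)
    return keys

def audit(text):
    """Return one (value name, current value or None, flaw) tuple per failed check."""
    keys = parse_reg(text)
    return [(name, keys.get(key.lower(), {}).get(name.lower()), flaw)
            for key, name, expected, flaw in CHECKS
            if keys.get(key.lower(), {}).get(name.lower()) != expected]

if __name__ == "__main__":
    for name, actual, flaw in audit(SAMPLE_REG):
        print(f"{name}: {actual!r} -> {flaw}")
```

A missing value is reported as None, which matters because a policy that was never set behaves like one set to 0.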

I hesitate to call these attacks because we are just working with the tools we are given.  In fact, I'm not sure that finding these common flaws could even be considered "hacking," but I do know that thinking about obvious risks, creating theories, and testing ideas does allow someone to be considered a hacker.

Companies need to be more diligent in securing machines that process sensitive information before leaving them in a public place, allowing public access, and trusting everyone not to be curious about a big red shiny box.

Thanks to: Xmitman, nS_Sire.  Greetings to: briggs, carlos, joe, nat, rebecca, juan, and the rest of the Dayton McDonald's night shift
