WireSpring Blog

Securing your Interactive Kiosks and Digital Signs

Author: Bill Gerba on 2005-02-15 00:46:03

After reading this article on kiosk security over at Kiosk Marketplace, I felt compelled to fill in a few missing details that might make people think the wrong things about securing their public-facing digital terminals. First, the good: obviously, the things mentioned in the article, like anti-virus, spyware detection, session timeouts and encrypted sessions are all very important. Any kiosk software that can't handle these basic premises shouldn't be considered for projects that require Internet connectivity or private data collection. However, these items are the very basics – the tip of the kiosk and digital signage security iceberg, if you will.

The fact is that most security problems will come from one of two sources: illegitimate network traffic and physical compromise. While the former gets the most press (and is, by any measure, the fastest medium for mischief transmission), the latter is important too, and a bit easier to secure against, so that's what I'll start with.

Physical Security

Ask any computer security specialist and they will be sure to tell you that physical access is the most overlooked element in most security plans. Corporations will spend millions on firewalls, intrusion detection devices and high-priced security consultants, but will often take physical security measures for granted. Consequently, it often comes as a great surprise to them when a disgruntled employee walks off with a hard drive full of customer data. Physical security needs to be job one for these organizations, and this is even more true for anybody working with interactive kiosks or digital signs. The computers powering these devices need to be locked down (inside a locking cabinet or physically chained to something) as a first measure to prevent data theft.
While all of those tool-less cases and thumbscrews seem like a really cool idea (and they are when used in a controlled, secure environment), out in public they are the only things standing between your hard drives and the crook who wants them. A tough steel enclosure and a few drops of Loctite on all case screws are a good deterrent to the casual thief. And if you can, store your entire CPU in a safe, secured place. Out of sight, out of mind, after all :)

Device-level Security

Assuming that you've done what you can to ensure the physical security of your kiosk CPUs and digital signage players, the next thing to consider is device-level security. The first place to lock down your system is at the BIOS level. After configuring your systems, make sure to password-protect them to prevent unauthorized changes in the field.

Next, turn your attention to the operating system itself. How should you go about locking that down? In the interactive kiosk world this duty is typically handled by your kiosk software platform. This software will do things like preventing CTRL-ALT-DEL from rebooting your computer and stopping unauthorized users from mucking about with system settings.

But what about digital signage software? I was surprised to find out that many of these packages don't have any kind of security features at all. That's right... walk right up to many digital signage players and plug in a keyboard and mouse, and that's all you need to access the system. With a few clicks you can shut down the signage software and start surfing the Internet (or whatever else you want to do). If you're using a signage platform that lacks security features out-of-the-box (especially in Microsoft Windows), you'll need to take some extra steps and install some additional software to prevent this kind of tampering. If you're using an appliance-based solution you're probably better off than the Windows-based folks, but you should double-check with the device manufacturer.
If you're running FireCast digital signage software, you're in good shape, since it uses the same locked-down Linux operating system as our interactive kiosk software.

Network Security

Last, but certainly not least, is network security. If you don't take network security seriously, you're going to get burned. Badly. Don't believe me? Then maybe you should talk to the dozens of customers that have come to WireSpring after finding that their insecure Windows-based platforms were compromised by viruses, trojans, and spyware. Some of these machines were turned into "zombies" and used to mail out spam messages. Others were reconfigured to display inappropriate content. And the fact that the Kiosk Marketplace article on kiosk security doesn't really cover this vital area is terrifying. OK, they talk about VPNs and "secure transactions" a little bit, but they don't mention anything about public vs. private IPs, network address translation (NAT), hardware and software firewalls, port blocking, or turning off network services that aren't being used (even Microsoft has started to figure out this last one, and they're not exactly known for being a paragon of security).

Final notes

There are two things to keep in mind while thinking of all this. First, no system is totally secure. If somebody wants it badly enough, they're going to find a way in. But second, it's usually pretty easy to secure your systems to the point where most people won't bother trying to break in. Here are a few simple steps that you can take to help improve your network security:
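
A check for the unused network services and exposed ports discussed under Network Security, as an added example that is not from the original article: it parses `ss -H -tuln` output from a Linux player and reports listeners reachable from the network that are not on an allowlist, classified by public vs. private bind address. The sample output, the addresses and the SSH-only allowlist are constructed assumptions.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output from a hypothetical Linux signage player.
# 203.0.113.7 is a documentation address standing in for a public IP.
SAMPLE_SS = """\
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
udp UNCONN 0 0 192.168.10.20:123 0.0.0.0:*
tcp LISTEN 0 128 [::]:5900 [::]:*
tcp LISTEN 0 128 203.0.113.7:8080 0.0.0.0:*
"""

# Assumed policy: SSH for remote management is the only service the player should expose.
ALLOWED = {("tcp", 22)}

# RFC 1918 ranges plus IPv6 unique-local: addresses normally kept behind NAT.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
RANK = {"public": 0, "all": 1, "private": 2}  # report order, most exposed first


def scope(addr):
    """Classify a bind address as loopback, private, public or all (wildcard)."""
    if addr in ("*", "0.0.0.0", "::"):
        return "all"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "private" if any(ip in net for net in PRIVATE_NETS) else "public"


def audit(ss_output, allowed=ALLOWED):
    """Return (proto, port, scope) for each network-reachable listener not in allowed."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        host, _, port = fields[4].rpartition(":")   # "Local Address:Port" column
        host = host.strip("[]").split("%")[0]       # drop IPv6 brackets and %iface
        where = scope(host)
        if where != "loopback" and (fields[0], int(port)) not in allowed:
            findings.append((fields[0], int(port), where))
    return sorted(findings, key=lambda f: (RANK[f[2]], f[1]))


if __name__ == "__main__":
    for proto, port, where in audit(SAMPLE_SS):
        print(f"{proto}/{port} listening on {where} address: disable it or block the port")
```

Each finding is a service to turn off if it is not needed, or a port to block at the firewall if it is.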
LEGAL STUFF: The WireSpring Blog is written by Bill Gerba but may periodically include articles by guest authors. The author of each article is clearly identified at the start of the article. The opinions expressed in each article are solely those of the author, and do not reflect the official opinions of WireSpring Technologies, Inc. All blog articles are copyright © 2004-2008 William F. Gerba or the guest author, as appropriate. All content besides the actual article text, e.g. surrounding branding and informational content, is copyright © 2000-2008 WireSpring Technologies, Inc. All rights reserved. Except as provided in WireSpring's Republishing and Syndication Policy, no blog content may be reproduced, in whole or in part, without WireSpring's express written consent.
What's this page about?
We created this journal to help share useful info about digital signage and self-service kiosk projects. Our articles typically focus on project planning, industry research, ROI analysis, and high-profile deployments. We post new, original articles about once a week.
Who's the author?
Bill Gerba is CEO of WireSpring and maintains an active role in the digital signage and self-service kiosk industries. An industry advocate since 2000, Bill is the chairman of POPAI's Digital Signage Awards and a member of the group's Education and Advocacy Committees. He is a frequent speaker at industry conferences (including the Digital Signage Expo) and has been featured in numerous publications. If you would like Bill to provide feedback for a story you're working on, or you want him to speak at your event, please contact us.