AusPost Parcel Lockers — Hardening Required

Lockers, touchscreen and keypad

What happened?

  1. Clicked the Start button; the full Start menu was exposed.
    Note: the only input on these machines is the touchscreen; the keypad appeared to do nothing once out of the default app.
  2. Noticed that SQL Management Studio was “pinned” to the top of the Start Menu
  3. Launched SQL Management Studio
  4. Noticed these Kiosks run SQLExpress, not surprising given the number and location of parcel lockers.
  5. Attempted to login with ‘sa’ and blank password, denied.
  6. Switched authentication to ‘Windows Authentication’, which uses the locally logged-in Windows account to authenticate to the SQL instance. SQL Server does not prompt for a password here; it trusts the Windows logon of the current session, so whoever is at the desktop inherits whatever SQL access that account holds. On a public machine this is a highly insecure configuration.
    Alarmingly, the logged-in user was <redacted local machine>\Administrator
  7. To my horror, the login succeeded and I was now logged in with full access to the DB.
  8. Using the touchscreen, I started browsing towards the tables to ascertain what was potentially stored locally on these Databases.
  9. I’ve obfuscated this in the section below, and without specifying the table names, I found several tables that would no doubt contain personal information, such as addresses, config options, emergency access (this would be particularly interesting to dig into), parcels, postcodes, transaction details, user roles and permissions, etc. (Note: the scope of the actual data stored on these devices was clarified by AusPost in their update on 23/11; see that update for full details.)
  10. The touchscreen made it difficult to expand tables, and at this point I decided that the information I had about the environment, the lack of hardening and the images from SQL Management Studio was enough to disclose this to AusPost for them to action.
  11. I was able to re-select the Parcel Locker application from the tray and return the machine to what appeared to be a normal state. I also noted that the start menu was now out of view and was not able to be seen or selected.

The Bad Stuff..

Yikes… The actual table names have been obfuscated intentionally.

Suggestions (in order of preference)

  1. Do not run these terminals under the local Administrator account. This finding alone opens the terminals up to a myriad of other attacks and backdoors: anything reachable from the desktop runs with full control of the machine.
  2. Disable the built-in Administrator account. If a local admin is genuinely required, create a new, named account (e.g. PL-LocalAdmin) and add it to the Administrators group. Both steps are easily achievable via Group Policy.
  3. Do not grant the locally logged-in user a SQL Server login (i.e. the terminal’s interactive account should not be able to connect to the instance through SQL Management Studio, or at all). Windows Authentication maps the interactive session straight to a SQL login, so any right that account holds in SQL Server is available to anyone at the touchscreen.
  4. Use Group Policy and logon scripts to heavily lock down the Windows UI and Start menu for these terminals, so that the kiosk application is the only thing a user can reach.
  5. Review or create hardening guides for these terminals, and do some basic hardening before they are deployed. The three suggestions above would be a good start and are fairly easy to implement as part of an automated deployment.
  6. There is no way to report security issues on the AusPost website, only email fraud etc. You should:
    a. Set up a means to report security incidents that go to the right team immediately for triage and investigation. This should cover all AusPost offerings.
    b. Improve your incident handling processes internally. This should not have taken so long to make it into the correct department and have them contact me.
  7. Take security issues seriously. Despite multiple follow-ups, I never got to talk to someone technical to explain this until I was about to give up and publish the article; follow-ups to support did not help for over a month.
    Not reaching out to people who are trying to disclose things appropriately will win you no fans.
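Suggestions 1 to 4 can be applied together as one deployment-time script. The following PowerShell is an added example written for this article; it is not AusPost’s build script or anything from the original disclosure. Everything named here is an assumption: the account names PL-Kiosk and PL-LocalAdmin, the application path C:\ParcelLocker\ParcelLocker.exe, the instance name .\SQLEXPRESS (the default for SQL Express, but verify on the real image), and that sqlcmd.exe is on the PATH. It runs elevated on the terminal, for instance as a Group Policy startup script.

```powershell
#Requires -RunAsAdministrator
# Added example: hardening steps for a Windows kiosk running a local SQL Express instance.
# All names below are placeholders for this illustration, not values from the real terminals.

$KioskUser   = 'PL-Kiosk'                             # assumed: unprivileged account the locker app runs as
$AdminUser   = 'PL-LocalAdmin'                        # assumed: named replacement for the built-in Administrator
$KioskApp    = 'C:\ParcelLocker\ParcelLocker.exe'     # assumed: path to the locker application
$SqlInstance = '.\SQLEXPRESS'                         # assumed: default SQL Express instance name

# 1. Run the terminal as a standard user, never as a member of Administrators.
#    Passwords are prompted for here; a real rollout would source them from LAPS or a secrets store.
if (-not (Get-LocalUser -Name $KioskUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $KioskUser"
    New-LocalUser -Name $KioskUser -Password $pw -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $KioskUser
}

# 2. Create a named local admin, then disable the built-in Administrator.
if (-not (Get-LocalUser -Name $AdminUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $AdminUser"
    New-LocalUser -Name $AdminUser -Password $pw -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminUser
}
# The built-in Administrator always has RID 500; match on the SID, not the (renamable) display name.
Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Disable-LocalUser

# 3. Make sure the interactive account has no login on the local instance.
#    Windows Authentication maps the logged-in Windows user straight to a SQL login, so whoever
#    is at the touchscreen inherits whatever that login can do. Drop it, then list what still
#    holds sysadmin so the remaining principals can be reviewed by hand.
$kioskLogin = "$env:COMPUTERNAME\$KioskUser"
$sql = @"
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$kioskLogin')
    DROP LOGIN [$kioskLogin];
SELECT p.name AS sysadmin_member
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE r.name = N'sysadmin';
"@
sqlcmd -S $SqlInstance -E -Q $sql

# 4. Replace Explorer (and with it the Start menu, taskbar and tray) with the locker app for the
#    kiosk user only. This writes the same per-user value the "Custom User Interface" Group Policy
#    sets, under the Policies key so the kiosk user cannot change it back.
#    The user's registry hive must be loaded (log the account on once first).
$sid  = (Get-LocalUser -Name $KioskUser).SID.Value
$hive = "Registry::HKEY_USERS\$sid"
if (-not (Test-Path $hive)) { throw "Hive for $KioskUser is not loaded; log the account on once and rerun." }
$policyKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'Shell' -Value $KioskApp
```

Two caveats a practitioner would want. The custom shell only removes the Start menu as an entry point; if the locker application itself exposes a file dialog or a browser, those need locking down separately (AppLocker or WDAC is the usual next step). And after switching the terminal to the PL-Kiosk account, the automatic logon configured for the old Administrator account has to be repointed, otherwise the machine boots to a logon screen instead of the app.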

Disclosure Timeline

Frustrating experience…
  • They couldn’t reproduce the visible Start button issue; good news.
  • They are implementing some of the suggestions I passed along; also good.
  • Agreement that I can post this article in the New Year once reviewed by AusPost.
Final update and actions to be taken


www.david-clarke.id.au

David Clarke