AusPost Parcel Lockers — Hardening Required

Lockers, touchscreen and keypad

What happened?

I went to my local Parcel Locker to pick up a parcel as usual. As I was using the touchscreen to begin entering my mobile number, I noticed that the ‘Start Menu’ was exposed. I work in IT Security, so I wanted to see if this was a means for further potential data extraction. I’ll list the steps to the best of my memory below:

  1. Clicked the start menu; the full start menu was exposed.
    Note: the only input on these machines is the touchscreen; the keypad appeared to do nothing once out of the default app.
  2. Noticed that SQL Management Studio was “pinned” to the top of the Start Menu.
  3. Launched SQL Management Studio.
  4. Noticed these kiosks run SQL Express, not surprising given the number and location of parcel lockers.
  5. Attempted to log in with ‘sa’ and a blank password; denied.
  6. Switched Authentication to ‘Windows Authentication’, which uses the locally logged in user to attempt to authenticate to the SQL instance. SQL Server does not ask for the password, and does not perform the identity validation when using this method, making it a highly insecure method on public machines.
    Alarmingly, the logged in user was — redactedlocalmachine\Administrator
  7. To my horror, the login succeeded and I was now logged in with full access to the DB.
  8. Using the touchscreen, I started browsing towards the tables to ascertain what was potentially stored locally in these databases.
  9. I’ve obfuscated this in the section below, and without specifying the table names, I found several tables that would no doubt contain personal information, such as addresses, config options, emergency access (this would be particularly interesting to dig into), parcels, postcodes, transaction details, user roles and permissions, etc. (Note: the scope of the actual data stored on these devices was clarified by AusPost in their update on 23/11; see that update for full details.)
  10. The touchscreen made it difficult to expand tables, and it was at this point I decided that the information I had about the environment, the lack of hardening and the images from SQL Management Studio was enough to disclose this to AusPost for them to action.
  11. I was able to re-select the Parcel Locker application from the tray and return the machine to what appeared to be a normal state. I also noted that the start menu was now out of view and was not able to be seen or selected.

The Bad Stuff..

Yikes… The actual table names have been obfuscated intentionally.

Suggestions (in order of preference)

  1. Do not run these terminals under “Local Administrator” accounts. This finding alone has the potential to open these terminals up to a myriad of other attacks, back doors, etc. Run the locker application under a dedicated low-privilege account.
  2. Disable the built-in administrator account, and only if a local administrator is actually required, create a new account (e.g. PL-LocalAdmin) and add it to the Administrators group. This is also easily achievable via Group Policy.
  3. Do not allow the locally logged in user to have SQL login rights (i.e. do not give the logged in user of the terminal the ability to log in to the SQL instance via SQL Management Studio!). Windows Authentication grants access to whatever Windows principal is already logged in, so the interactive account must not hold a SQL login, directly or through a group such as BUILTIN\Administrators.
  4. Use Group Policy/login scripts to heavily lock down the Windows UI / Start Menu for these terminals.
  5. Review or create hardening guides for these terminals, and do some basic hardening before they are deployed. The 3 suggestions above would be a good start and are fairly easy to implement as part of an automated deployment.
  6. There is no way to report security issues on the AusPost website, only email fraud etc. You should:
    a. Set up a means to report security incidents that go to the right team immediately for triage and investigation. This should cover all AusPost offerings.
    b. Improve your incident handling processes internally. This should not have taken so long to make it into the correct department and have them contact me.
  7. Take security issues seriously. Despite multiple follow-ups, I never even got to talk to someone technical to explain this until after I was about to give up and publish the article. Follow-ups to support did not help for over a month.
    Not reaching out to people who are trying to disclose things appropriately will win you no fans.
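Suggestions 1 to 3 can be audited, and applied, from PowerShell on the kiosk build image. The script below is an added example and is not AusPost's code or part of the disclosure; the instance name `.\SQLEXPRESS`, the account names `PL-Kiosk` and `PL-LocalAdmin` (the latter from suggestion 2), and the availability of the `sqlcmd` utility and the `Microsoft.PowerShell.LocalAccounts` module are assumptions.

```powershell
# Added example, not AusPost's code; instance and account names are assumptions.
param([switch]$Fix)
$Instance         = '.\SQLEXPRESS'   # assumed SQL Express instance name
$KioskUser        = 'PL-Kiosk'       # assumed low-privilege account for the locker app
$ReplacementAdmin = 'PL-LocalAdmin'  # name suggested in the article
$findings = @()

# Finding 1: is this interactive session the built-in Administrator?
# The built-in account always has RID 500, even if it has been renamed.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.User.Value -like 'S-1-5-21-*-500') {
    $findings += "Interactive session is the built-in Administrator ($($me.Name))"
}
# Finding 2: is the built-in Administrator account still enabled?
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin.Enabled) { $findings += "Built-in Administrator '$($builtin.Name)' is enabled" }

# Finding 3: which Windows users/groups hold SQL logins on the local instance,
# and which of them are sysadmin? -E is Windows Authentication as the current
# user, i.e. exactly the path the touchscreen session took.
$query = @"
SET NOCOUNT ON;
SELECT p.name, CASE WHEN EXISTS (SELECT 1 FROM sys.server_role_members rm
  JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
  WHERE rm.member_principal_id = p.principal_id AND r.name = 'sysadmin')
  THEN 1 ELSE 0 END AS is_sysadmin
FROM sys.server_principals p
WHERE p.type IN ('U','G') AND p.name NOT LIKE 'NT SERVICE\%' AND p.name <> 'NT AUTHORITY\SYSTEM';
"@
$rows = sqlcmd -S $Instance -E -h -1 -W -s ',' -Q $query
if ($LASTEXITCODE -ne 0) { Write-Warning "Could not query $Instance as $($me.Name)" }
foreach ($row in @($rows)) {
    $name, $isSysadmin = $row -split ','
    if ($name -eq 'BUILTIN\Administrators' -or $name -like "*\$KioskUser" -or $isSysadmin -eq '1') {
        $findings += "SQL login '$name' (sysadmin=$isSysadmin) is reachable from a Windows session"
    }
}
$findings | ForEach-Object { Write-Warning $_ }

if ($Fix) {
    # Suggestion 2: create the replacement admin first, then disable the built-in one.
    if (-not (Get-LocalUser -Name $ReplacementAdmin -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString "Password for $ReplacementAdmin"
        New-LocalUser -Name $ReplacementAdmin -Password $pw | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $ReplacementAdmin
    }
    Disable-LocalUser -Name $builtin.Name
    # Suggestion 3: the account that runs the locker UI gets no SQL login at all.
    sqlcmd -S $Instance -E -Q "IF SUSER_ID('$env:COMPUTERNAME\$KioskUser') IS NOT NULL DROP LOGIN [$env:COMPUTERNAME\$KioskUser];"
}
```

Run it without -Fix as the account the locker application runs under to see what that session can reach; the -Fix pass needs an elevated session and belongs in the build image, alongside the Group Policy lockdown in suggestion 4.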

Disclosure Timeline

I was extremely disappointed with AusPost’s handling of this issue. As you can see below, I had to continually chase them to recognise and action this incident. I’ve touched on ways I think they could fix this above.

Frustrating experience…
  • They couldn’t reproduce the visible Start Button issue, which is good news.
  • They are implementing some of the suggestions I passed along, also good.
  • Agreement that I can post this article in the New Year once reviewed by AusPost.
Final update and actions to be taken
