Security is hard to get right and simple(r) to get wrong....

What could possibly go wrong?
Nov 7, 2020

It all begins with a sushi restaurant that leverages iPads in Guided Access Mode (GAM) for food ordering. The basic idea is to tap, order and then stroke the robot when it delivers the food. What could possibly go wrong, you might ask......

Mistake 1: The waitress tells you the iPad unlock code because, of course, they go to sleep.
Mistake 2: The unlock code is also the code to get out of GAM

Place a teenager at the scene and of course the teen gets the iPad out of GAM and starts taking selfies with a view to replacing the background. Funny - but too much chance of said teen AirDropping a fun image to the iPad and replacing the background.

It doesn't end there because the iPads are on a wireless network - one that is not the network being offered to customers. Can you get another device to join the network? The teen was not sure but a more experienced person was; Apple makes it wonderfully easy to share Wifi passwords! (Caveat: the password can apparently only be shared from a device into which the password was typed, actually good thinking from Apple).

And so there's a new iPhone on the network. Running Fing. Discovery is a wonderful thing......

The barrier to entry in the network is not significant - and on that network you will now find things such as: Sonos speakers for the restaurant and office, the sushi delivery robot (all interesting for the Rickrolling teen) and (for a real attacker) all of the PoS devices plus the office computers.

It's a real shame that the barrier to self-entry and setup for these things is so low because it really could end in tears.

And of course the food delivery robot has a web interface. Do you think the default username/password have been changed?

I am sure they are not alone. The question is whether they need to be told about this and how it can be done.....or if I would want to be the one.

Pity that they cannot even be secure when they take the waiter's / waitress' job away and put our credit cards at risk. If you tell them, they'd probably sue you. When systems are sold for a given purpose, like POS, they should be secure by default. When someone who's not an expert integrates a bunch of pieces and parts to do something, it gets a lot harder to cover all the security bases, even if they're concerned enough to try.

May your bits be stable and your interfaces be fast. :cool: Ron