X-Rated Video at DC’s Union Station: A Lesson on Kiosk Security

In mid-May, a pornographic video was played for approximately 3 minutes on a touchscreen kiosk terminal at Washington DC’s Union Station and was recorded by a passerby. Initial news stories touted a “hack” of the device, but it quickly emerged that this was less a breach of security in the traditional sense than a lack of security in the first place.

According to an article from the Washington Post: “The screens were recently installed inside the station as part of a renovation project to update the building and improve amenities for customers. The digital advertising boards are touch-screen, and they usually display a rotation of advertisements and public service announcements, along with an updated directory of the businesses inside the station. The digital display can be turned on and off manually, but the videos that are sent to the screens to be played are controlled remotely.”

After a change of software providers, the Windows 10-based kiosks had certain functions enabled on them to prevent this kind of breach; those functions had been enabled on every kiosk except this particular one. Kevin Goldsmith, CTO of the software provider Ping HD, happened to be in Washington D.C. at the time. After investigating the incident, he concluded that the local area network didn’t have proper security measures in place. While the specific cause of the break-in hasn’t been reported (for security purposes), it would be easy for someone to access the machine through the swipe gestures commonly used on the tablets Windows 10 is installed on. Goldsmith went on to explain that, because of the open network, once someone has access to one terminal they are able to pull out any information they want.

Since that time, the kiosk has been locked down and no other “hacks” have been reported. This incident just goes to show that a security oversight can cost someone a good reputation. While this certainly isn’t the end for the company, it sure is a tough lesson that every software provider and kiosk manufacturer needs to learn from.