Sleeping Dragon 2013/07/24 18:53
Nowadays, touch-screen devices appear in more and more fields and are deeply integrated into our daily life.
For example, the familiar ATMs, utility bill payment machines, coupon printers, traffic route query kiosks, shopping guides in malls, boarding pass printers and even video game machines have all adopted touch-screen technology.
With so many people coming and going, how safe is equipment that everyone touches?
Below are some of the ways these terminals have been broken out of; they really bear out the phrase "security is everywhere".
Even touch-screen terminals with such simple functions have been found by black hats and white hats alike to hide so many security hazards and "ways to play".
What can we still feel safe about in daily life?
The following cases are from WooYun:
1. Using mailto to launch Outlook and bypass the lockdown:
The kiosk program is an embedded web page; write your own mailto link, insert it into the page, and it launches Outlook.
Or use a mailto link already on the page to bring up Outlook.
2. A long press with two or three fingers brings up the "right-click" menu:
Once the right-click menu appears, choose Print and bypass via the Add Printer dialog.
Or bring up the Save File dialog, then right-click to open a new window, and from there Task Manager.
Or right-click and choose View Source, which may bring up the Windows taskbar.
3. Tapping the screen rapidly or deliberately entering bad data to make the program crash:
Tap the screen rapidly.
Enter a mobile phone number that does not exist and click "Forgot password"; the error brings up the input method editor (IME), and clicking its Help escapes the sandbox.
Enter nothing and submit an empty query to trigger an error; the IME appears, and clicking Help escapes the sandbox.
Enter a small amount to trigger an error and escape the sandbox.
Enter a card number containing special characters.
There may be gaps between the "layers" at the edge of the screen and in the stroke input method;
Input method bypasses:
Smart ABC input method: WooYun: Bypass of Shida Terminal Library's bibliographic query system
Sogou input method: WooYun: Shenzhen Book City city block self-service library terminal restrictions bypass
Google input method: WooYun: Guangdong Mobile information service desk terminal
Windows' own mechanisms: the security notification balloon has high priority and leads to a bypass.
The browser can be opened directly.
Hyperlinks in the software can bring up IE.
Some white hats did not write up their specific methods, but you can get a sense of how many terminals have been bypassed:
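As an added defensive example (not code from the original post or from any of the WooYun reports it cites): a JavaScript guard for the web page that such a kiosk program embeds. It refuses mailto:, file:, javascript: and off-origin links (case 1 and the "hyperlinks bring up IE" item), suppresses the context menu that a multi-finger long press produces (case 2), and validates input and catches errors so that a card number with special characters or an empty query produces an in-page message instead of a crash dialog or an IME window (case 3). The kiosk origin, the validators' number formats and the sample inputs are assumptions.

```javascript
// Added example, not from the original post: in-page hardening for a web
// page shown inside a kiosk browser. It addresses the three escape classes
// the post lists: mailto/foreign hyperlinks, the right-click context menu,
// and malformed input that crashes the app and surfaces the OS.
// KIOSK_ORIGIN, the validator formats and the handler names are assumptions.

const KIOSK_ORIGIN = "https://kiosk.example.invalid"; // assumed kiosk web origin

// Decide whether a link target may be followed. Anything that is not a
// same-origin http(s) URL (mailto:, file:, javascript:, other sites) is
// refused, because those are exactly the links that hand control to an
// external program such as Outlook or IE.
function isAllowedHref(href, origin = KIOSK_ORIGIN) {
  let url;
  try {
    url = new URL(href, origin); // resolve relative links against the kiosk origin
  } catch (e) {
    return false;                // unparsable link: refuse
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return url.origin === origin;
}

// Validate a card number: digits only, 13 to 19 of them (assumed format).
// Rejecting special characters up front means the backend never sees input
// it cannot handle.
function isValidCardNumber(input) {
  return /^[0-9]{13,19}$/.test(input);
}

// Validate a mobile phone number: 11 digits starting with 1 (assumed
// mainland China format, matching the terminals the post describes).
function isValidPhoneNumber(input) {
  return /^1[0-9]{10}$/.test(input);
}

// Run a query handler so that any failure becomes an in-page message instead
// of an unhandled exception. An uncaught error is what lets a crash dialog,
// the IME, or a Help window surface on top of the kiosk.
function safeQuery(handler, input) {
  if (typeof input !== "string" || input.trim() === "") {
    return { ok: false, message: "Please enter a value." };
  }
  try {
    return { ok: true, result: handler(input) };
  } catch (e) {
    return { ok: false, message: "The query could not be completed. Please try again." };
  }
}

// Wire the guards into the page when running in a browser. Guarded so the
// module also loads (and the functions above are testable) outside a DOM.
if (typeof document !== "undefined") {
  // Block the context menu that a two- or three-finger long press produces.
  document.addEventListener("contextmenu", (ev) => ev.preventDefault());
  // Intercept every link click (capture phase) and refuse off-list targets.
  document.addEventListener("click", (ev) => {
    const a = ev.target instanceof Element ? ev.target.closest("a[href]") : null;
    if (a && !isAllowedHref(a.getAttribute("href"))) ev.preventDefault();
  }, true);
  // Keep the page on-screen even if a script throws.
  window.addEventListener("error", (ev) => ev.preventDefault());
}
```

In-page guards only shrink the attack surface inside the browser. The operating system still needs its own kiosk-mode lockdown (no taskbar, no Task Manager, no printer or file dialogs, IME help disabled), because a crash of the browser process itself lands on the desktop regardless of what the page does.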
0x02 Follow-up
Terminal security is not a newly emerged field. Once an attacker breaks out of the "sandbox" environment, if they deliberately implant a Trojan in the terminal's operating system for long-term control, everyone who later uses that machine is out of luck. Beyond the sandbox escape itself, note that most of these terminals sit on an internal network holding a large amount of sensitive data. A compromised terminal is equivalent to an open door into the internal network, and that door can be used by any passer-by. Internet companies and equipment manufacturers that deal with such terminals should take strict precautions and pay attention!!