Nick Barron, security consultant

The Curious Case of the Worm-Infected Photo Booth lays bare the perils of shunning security in favour of usability.

Supermarkets are well known for showering their customers with free gifts in an effort to drum up business. However, I'm guessing that none of the customers at one of my local stores was expecting to walk away with a free virus.

It all started with a discussion at one of my regular (and more than a little geeky) curry evenings with my former employee Dr Ashley Smith of the University of Southampton. He mentioned that during a recent visit to the aforementioned store to print some photos, his father's USB drive had come away with malware.

Of course, messing around with someone else's computers, even for benevolent purposes, is not something to take on casually, so I wiped a couple of USB sticks and put a cat photo on each, and visited the store. After printing each photo on a different machine (there are two at the store, one per cat), I returned home, forensically imaged the disks and had a look. Printing the photos was not essential (although extra cat pictures are always useful), but did avoid any accusations of unauthorised access. Sure enough, one of the USB sticks had an unwelcome addition in the form of WORM_VB.CVY, a not particularly sophisticated but rather nasty data-stealing worm that propagates by removable media and autorun exploits. So the photo booths are clearly Windows machines lacking even basic anti-virus measures.
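The kind of check that the forensic look at the imaged sticks involves, written here as an added example rather than code from the column: it walks the root of a USB stick (or a mounted image of one), parses any autorun.inf, and reports which Windows AutoRun directives (open, shellexecute, shell\open\command) point at a program on the stick and whether that file is actually present. The directory layout and the autorun.inf contents are constructed for illustration and do not reproduce any real worm's files.

```python
"""Inspect a USB stick, or the mounted root of a forensic image of one, for
autorun.inf directives that would launch a program when the stick is inserted.
Added example, not code from the column; the stick layout and the autorun.inf
contents are constructed for illustration and do not reproduce any real worm.
"""
import os
import tempfile

# autorun.inf keys that make Windows run something (open/shellexecute) or
# replace the default double-click action (shell\open\command).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def scan_stick(root):
    """Report what autorun.inf on the stick at `root` would do on insertion."""
    result = {"autorun_present": False, "launch": [], "action": None}
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return result
    result["autorun_present"] = True
    with open(inf_path, encoding="utf-8", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    for key in LAUNCH_KEYS:
        if key in entries and entries[key]:
            # first token is the program; strip quotes, map \ to the host separator
            target = entries[key].split()[0].strip('"')
            present = os.path.isfile(os.path.join(root, target.replace("\\", os.sep)))
            result["launch"].append((key, target, present))
    # "action" is the label shown in the AutoPlay dialog; removable-media worms
    # set it to mimic the genuine "Open folder" choice, so it is worth surfacing.
    result["action"] = entries.get("action")
    return result


# Constructed sample for this example only (not any real worm's autorun.inf).
SAMPLE_AUTORUN = """[AutoRun]
; constructed sample for this example only
open=recycler\\photos.exe
shell\\open\\command=recycler\\photos.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""


def build_sample_stick(infected=True):
    """Create a throwaway directory shaped like a customer's USB stick."""
    root = tempfile.mkdtemp(prefix="stick_")
    with open(os.path.join(root, "cat.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # JPEG magic only; a stand-in for the photo
    if infected:
        os.makedirs(os.path.join(root, "recycler"))
        with open(os.path.join(root, "recycler", "photos.exe"), "wb") as fh:
            fh.write(b"MZ placeholder")  # inert stand-in, not an executable
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
    return root


if __name__ == "__main__":
    for label, stick in (("clean", build_sample_stick(False)),
                         ("infected", build_sample_stick(True))):
        print(label, scan_stick(stick))
```

Run against a mounted image rather than the live stick so nothing on it is executed or modified; a stick whose autorun.inf names a program that exists on the stick, under a deceptive "action" label, is exactly the pattern a removable-media worm leaves behind and is the cue to quarantine it.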

The most likely infection route was a customer unwittingly inserting an infected USB stick, after which everyone else using a writeable stick was given the unexpected gift. Of course, reporting the issue was another matter. I figured the staff on the till were unlikely to have any idea how to deal with it, so I wrote a detailed description of the issue and remedial action needed to the manager and, thanks to some of my Twitter friends, found a ‘back channel’ security contact at the company.

Although it took a while, the company did respond in a professional manner, triggering an examination of all such machines across its UK stores. Apparently the machine in question had been left “unlocked” after a recent software upgrade (although they didn't elaborate on the locked versus unlocked state). The only black marks were their failure to put up a warning notice for customers who may have been affected, and the complete failure of the store manager to respond at all (a few vouchers for cat food would have been a nice touch for my consultancy).

It will be interesting to see if other machines in different stores are similarly affected, as sadly the producers of such equipment seem to be ignorant of the security issues. Any computer accessible to the general public has to be considered a target for attack, either intentional or accidental. Anti-virus software is a clear necessity, and would have stopped this issue at source. For photo-printing booths, a read-only USB interface would be a sensible choice (and cheap, as Philip Polstra demonstrated in his 2011 44Con presentation – see bit.ly/MLAA0P).

But, more importantly, there should be a clear option for submitting security concerns. It's often hard enough to find such contacts for software vendors and websites, but trying to explain such things to non-technical supermarket staff requires even more patience.

Ubiquitous computing is pretty much here; the typical household now has numerous devices that qualify as computers without looking like old-fashioned PCs. TVs, Blu-ray players, phones, iPods, tablets; the list just goes on and on.

Each of these is a potential toe-hold on the home network if not properly configured, patched and protected. In an effort to make these products, and their high-street counterparts, user-friendly, they typically avoid the usual patch cycle and security product maintenance most PC users begrudgingly accept.

Good technology should get the job done without getting in the way, but that shouldn't mean that basic security measures are ignored in the process.