AutoThing: A Secure Transaction Framework for Self-Service Things

Self-Service Terminals (SSTs) are increasing their presence across multiple industries, from vending machines and self-service banking to automated national border crossing checkpoints. Due to the massive integration of SSTs into critical infrastructure, their security has raised major concerns. In this work, we develop a security model for the family of SST system protocols to formally prove that traditional SST systems are not resilient against cyber-attacks. We create a comprehensive inventory of attacking configurations against SSTs. We then use this inventory to verify that enhanced resilience against compromising any major component of an SST system can be achieved via three steps: a) replacing free-range APIs with multi-signature transaction tokens; b) switching from networking interfaces in SSTs into direct device-to-device channels; and c) adding a bootstrapping service. We introduce Offline Self-Service Things (OSST), which have high attack resilience by maintaining a distributed representation without the need to be online. To enable the real-world applicability of OSSTs, we develop AutoThing , a transaction framework for OSSTs. We show the extensibility of AutoThing by building two applications upon the framework: VolgaPay , a payment system for vending machines; and VolgaGuard , an access control system. We evaluate both systems to show the portability and scalability of AutoThing .