<!-- title: Cleanup & Security description: published: true date: 2024-12-11T19:45:49.469Z tags: editor: ckeditor dateCreated: 2024-10-21T14:25:51.187Z --> <p>As the new owner of an abandoned Redbox kiosk, you've got a motorized, multi-hundred-pound steel box waiting to become a security risk in front of you. There are multiple things worth tweaking in your unit before you leave it to sit powered on for an extended period of time.</p> <h1>Opening and Cleaning Out Disks</h1> <p>First of all, <strong>do NOT power the unit on. Doing so could cause damage to the kiosk and/or discs. </strong>To open the kiosk, you need to access the lock from the inside. To do this, you must remove the back cover. Indoor units use S02 Robertson (square) bits, and the outdoor units use H4 Security Hex, or T25 Security Torx bits. These screws line the outer edge of the back plate, and once removed, will allow the panel to be lifted off.</p> <p>Once you have access to the unit, you need to remove as many discs as you can from deck 4 (the fourth platform from the top of the carousel) in order to reach through to the lock. During this process, make sure to remove disks that are likely jamming the carousel, ensuring that it can spin freely before powering the unit on, as it can easily cause problems if the carousel is stuck.</p> <p>Once you have deck 4 cleared, it is recommended to use a flashlight set on the top of the carousel pointing down, or on deck 5, pointing at the lock. Once you can see the lock, look at the barrel on the front of the unit, and determine whether the arrow is pointing up, or down. If the arrow is pointing up, you need to depress the indent on the top of the barrel. If it is pointing down, you need to do it on the bottom. Use a flathead screwdriver to reach through deck 4, and depress the small square on either the top or the bottom of the barrel, depending on the direction of the arrow. </p> <p>Doing this successfully will be audibly indicated, and the lock cylinder and handle should be extended from the housing. To open the door, turn the handle counter-clockwise until the door is fully unscrewed, which can then swing open.</p> <p>todo: (add images)</p> <h1>Security</h1> <h2>Remove the Cellular Modem</h2> <p>Every kiosk contains a cellular modem. This modem likely still has a data plan, meaning that any units with power are still connected to the internet. Removing this before powering the unit on has no consequences and should be done to ensure you don't expose the kiosk directly to the internet, especially if you're doing this in the future when these Windows 7 Embedded installs are extremely outdated.</p> <h2>Disable or Uninstall Kaseya</h2> <p>Kaseya was software Redbox used to help manage their kiosks remotely. This software only can be connected to via <code>accessredbox.net</code> servers. This domain is still registered at this time, though the eventual owner of this domain in the future could repurpose it into a malicious Command and Control server for any remaining kiosks connected to the internet. You should disable the Kaseya services in Service Management or otherwise uninstall it.</p> <h2>Disable or Uninstall RealVNC</h2> <p>RealVNC is installed on many Redbox kiosks, specifically RealVNC 4. This is a very old version of RealVNC and should be uninstalled or removed. You can disable it in Service Management or uninstall it fully.</p> <h1>Clean Up</h1> <h2>Remove old .log files</h2> <p>It's recommended that all owners purge old .log files as they could contain some limited personal information of individuals who previously rented from a kiosk. If your kiosk has been down for several months when you power it on, the KioskEngine will automatically purge the old logs for you.</p> <ul> <li><code>C:\Program Files\Redbox\KioskLogs\ErrorLogs</code></li> <li><code>C:\Program Files\Redbox\KioskShell\logs</code></li> <li><code>C:\Program Files\Redbox\REDS\DeviceService\logs</code></li> <li><code>C:\Program Files\Redbox\REDS\Kiosk Engine\logs</code></li> <li><code>C:\Program Files\Redbox\REDS\Update Manager\logs</code></li> <li><code>C:\ProgramData\Redbox\KioskClient\Logs</code></li> <li><code>C:\ProgramData\Redbox\UpdateClient\Logs</code></li> </ul> <h1>Recommendations</h1> <h2>Installing VNC Server</h2> <p>If you've recently acquired a Redbox kiosk and want to tinker with your machine in the comfort of your own room, you may want to look into setting up a VNC server. A VNC server will allow you to remotely access and control your kiosk from any device, anywhere, which can save you the hassle of connecting a keyboard and mouse each time you need to access the machine. This is especially useful if your kiosk is placed in a less convenient location, like outdoors or in a cold garage. To start a VNC server on your kiosk, you'll need to choose one first. UltraVNC is highly recommended, as it works great on 32-bit devices and is easy to setup. First, <a href="https://uvnc.com/downloads/ultravnc.html">visit this page</a> to download the latest version of UltraVNC Server (make sure to select the 32-bit architecture). Then, drag this executable on a USB stick and plug it into your kiosk.</p> <p>Once you boot your kiosk, open the File Explorer and navigate to your external USB. Click on the executable to start the installation, and follow the instructions to set up your VNC server. When the installation is complete, navigate to <code>C:\Program Files\uvnc bvba\UltraVNC</code> and launch the <code>uvnc_settings.exe</code> file located in this folder. Here, you'll be able to configure your VNC server and setup a password for accessing it.</p> <p>Then, apply all changes and restart your system. Once your system boots back up, you should be able to access your VNC Server at port 5900 (by default). Download a VNC Client on your devices (like RealVNC Viewer), and enter your kiosk's local IP address followed by the port. You should be able to connect without issues and access your kiosk on your network!</p> <p><strong>Tip:</strong> <i>If you want to access your kiosk outside of your network, you can setup port forwarding on your router to expose the 5900 port.</i></p> <h2>Enabling SMB Protocol</h2> <p>If you'd like to have the option of managing the files on your kiosk with ease, enabling the SMB1 protocol is a good choice. Similarly to setting up a VNC Server, SMB will allow you to access your kiosk's internal files without the need of navigating through File Explorer directly. Before enabling SMB, you'll need to create a new Administrator account or change the password for <code>Rbuser</code> to login. You can learn how to change the default Administrator password <a href="/en/manual/troubleshooting#changing-your-administrator-password">here</a>.</p> <p>If you already have access to an Administrator account, open the Command Prompt on your kiosk and run the following command to enable SMB through the registry editor:<br><code>reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 1 /f</code></p> <p>This will create a registry record enabling SMB1 on your device. Before you continue, it's also recommended that you ensure SMB will start properly on boot. To do this, enter the Services Manager (<code>services.msc</code>) and look for the following services: <strong>Server</strong>, <strong>Workstation</strong>, and <strong>TCP/IP NetBIOS Helper</strong>. For each of these, right-click them and select Properties, and make sure that the Startup type is set to "Automatic". They most likely are, but if not, make sure to update them as so and start them afterwards if they aren't already.</p> <p>Once you've enabled SMB and configured the start-up services, you'll want to grant permission to access the C:\ drive on your kiosk. Navigate to your C:\ drive in File Explorer and right-click on it, then select Properties. Click the Sharing tab, and select Advanced Sharing to open the permission manager. Tick the "Share this folder" option, and create a “Share name” to continue (you can name this whatever you'd like). Click the Permissions button below it, and check Allow for each option (Read/Write/Full Access), making sure the “Everyone” group is selected.</p> <p>After doing this, you should be able to access your kiosk files through SMB! If you don't know how to do this already, you can use <a href="https://knowledgebase.45drives.com/kb/kb450446-connecting-to-smb-share-on-windows-and-macos/">this guide here</a>. When you're prompted to enter your credentials, use the login for your Administrator account that you setup before you started. That's it!</p> <h2>Configuring Firewall</h2> <p>If you want to enable functionalities like starting a VNC server, enabling the SMB protocol, or any other tasks that require a local network connection, you'll want to connect your kiosk to your home network. As you may already know, however, you may not want to expose your computer to the internet directly as it may cause complications in the future when software is no longer supported (or in the case of being required to upgrade Windows 7). To help minimize your risk to such complications, you can configure your router's firewall and disable access to WAN. If you don't have your kiosk connected to the internet already, you can follow the instructions <a href="/en/manual/quirks#no-internet-on-cellular-modem-sim">here</a>.</p> <p>To do this, you'll need access to your router's administrator panel. This tutorial will be using OpenWRT, but most router's support this functionality in a similar way (the instructions may vary, however). First, login to your router's OpenWRT interface and go to <strong>Network > Firewall > Traffic Rules</strong>. Then, create a new forward rule with the “Source zone” set to LAN, and the “Destination zone” set to WAN. Then, update this forward rule to the following details:</p> <blockquote> <p>Name: [enter any name here]<br>Restrict to address family: <strong>IPv4 and IPv6</strong> (default)<br>Protocol: <strong>TCP+UDP</strong> (default)<br>Source zone: <strong>LAN</strong> (default)<br>Source MAC address: [select your kiosk's MAC address here]<br>Source address: [select your kiosk's local IP address here]<br>Source port: <strong>any</strong> (default)<br>Destination zone: <strong>WAN</strong> (default)<br>Destination address: <strong>any</strong> (default)<br>Destination port: <strong>any</strong> (default)<br>Action: <strong>reject</strong></p> </blockquote> <p>Click the <strong>Save & apply</strong> button below, and wait for the changes to propagate. Your kiosk should now have internet access restricted to only communicate devices in your local network.</p> <p> </p>