Did you read the article? This is about security on-device
The update process can be backed on the kiosk side, hacking the remote side of the update process is a completely different story.
I mean in some cases that was a simple signed package hosted on an S3 bucket... how are you going to leverage that to vandalize a network of devices?
And the kiosks are never on an interesting network (if they were there's dozens of ethernet ports scattered about the place you can use to get access anyways)
Hacked kiosks being used as proxy servers when you need physical access to hack is also a very uninteresting problem. Why risk tying your physical self to a bot for nefarious usage when there are a million and one other "IoT" devices you can pwn instead?
The update process can be backed on the kiosk side, hacking the remote side of the update process is a completely different story.
I mean in some cases that was a simple signed package hosted on an S3 bucket... how are you going to leverage that to vandalize a network of devices?
And the kiosks are never on an interesting network (if they were there's dozens of ethernet ports scattered about the place you can use to get access anyways)
Hacked kiosks being used as proxy servers when you need physical access to hack is also a very uninteresting problem. Why risk tying your physical self to a bot for nefarious usage when there are a million and one other "IoT" devices you can pwn instead?