Stuxnet begone! Can we worry about EFTPOS now, please?

Filed Under: Data loss, Malware, Vulnerability

Stuxnet, the malware story which refuses to die, has dominated recent security media coverage for two reasons. Firstly, Stuxnet targets the sorts of Programmable Logic Controller (PLC) used for industrial automation in plants and factories. Secondly, Stuxnet's prevalence was apparently greatest in Iran, giving hyperbolistas plenty to dine out on. (No emails about my neologism or my sentence-ending preposition. Thank you.)

PLC security problems are important, but I find myself much more concerned when I hear of hardware or firmware security troubles in the financial sector, especially those related to Trojanised cash machines or point-of-sale devices.

Stuxnet, it seems, targeted a specific PLC device in a specific configuration in a specific location. So it didn't pose an obviously widespread public danger. Indeed, it is unlikely we shall ever find out what it was for. Stuxnet was also rather easy to prevent, and easy to identify and remove even if you did get infected.

But hardware and firmware hackers seem regularly able to subvert payment devices on a surprisingly broad scale - even though you and I are expected by the payment industry to put considerable trust in the myriad different point-of-sale and cash withdrawal units in use around the world.

A few examples should suffice.

In 2008, Trojanised chip-and-PIN machines in Europe were reported to have been compromised during the manufacturing process. These Trojanised devices sported additional internal hardware, including a GSM modem, to transmit phished credentials to cybercriminals in Pakistan.

In 2009, McDonalds outlets in Western Australia were victimised with fraudulent EFTPOS devices. Apparently, the crooks simply swapped legitimate payment devices for hacked ones whilst buying food from the drive-through counter, where EFTPOS devices are handed into the car and can be operated largely out of sight. A similar swapover ruse was later used to recover the dodgy devices and restore the originals.

And ALDI in the USA has very recently admitted a widespread hardware phishing campaign against its customers, once again apparently orchestrated by the use of tampered EFTPOS devices.

In the 21st century, no merchant's network should tolerate the arbitrary connection of unknown and unauthorised devices.

Checks and balances within every device vendor's production facilities should make it impossible to compromise trusted devices, such as by the addition of GSM hardware together with Trojanised firmware to drive it.

And EFTPOS devices should routinely be retired once any security precautions deemed OK at design time have been overtaken by time or cybercriminality. In the 2009 McDonalds attack in Western Australia, the devices in use had been short-listed for an Australian design award back in 2000; the nomination notes that they were "developed for an expected product lifecycle of 5-7 years".

If Stuxnet teaches the PLC industry to take security seriously (and let us hope that is a silver lining which might yet appear), perhaps ALDI's current discomfiture - with attacks apparently reported across eleven states in the USA - will lead to a similar security boost amongst merchants and electronic funds processors.

The much-vaunted PCI Data Security Standard explicitly mentions, as one of its twelve fundamental principles, the requirement to "assign a unique ID to each person with computer access."

Perhaps it's time to see this identification regimen extended explicitly to devices with access to the network, too?
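As an added illustration of the device-identification regimen suggested above (example code written here, not from the original post): a small Python check against a constructed inventory of authorised EFTPOS terminals. It flags a terminal whose ID is not in the inventory, one whose network identity (a hypothetical MAC address field) differs from what was recorded, and one deployed longer than the 5-year lower bound of the design lifetime quoted earlier.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Terminal:
    device_id: str   # unique ID assigned to the device, as PCI DSS requires for people
    mac: str         # network identity recorded at deployment (hypothetical field)
    deployed: date   # date the unit went into service

# Constructed inventory; a real merchant would populate this from asset records.
AUTHORISED = {
    "POS-0001": Terminal("POS-0001", "00:11:22:33:44:01", date(2003, 6, 1)),
    "POS-0002": Terminal("POS-0002", "00:11:22:33:44:02", date(2009, 2, 14)),
}

# The post quotes an expected product lifecycle of 5-7 years; use the lower
# bound so the check errs on the side of retiring early rather than late.
MAX_LIFETIME_YEARS = 5

def check_device(device_id: str, mac: str, today_iso: str) -> list[str]:
    """Return findings for one device observed on the merchant network.

    An empty list means the device is known, matches inventory and is
    within its design lifetime. today_iso is an ISO date such as 2009-09-01.
    """
    today = date.fromisoformat(today_iso)
    known = AUTHORISED.get(device_id)
    if known is None:
        return ["unknown device ID: not in inventory"]
    findings = []
    if known.mac.lower() != mac.lower():
        findings.append("network identity does not match inventory")
    age_years = (today - known.deployed).days / 365.25
    if age_years > MAX_LIFETIME_YEARS:
        findings.append(f"past design lifetime ({age_years:.1f} years deployed)")
    return findings

def audit(seen: list[tuple[str, str]], today_iso: str) -> dict[str, list[str]]:
    """Run check_device over (device_id, mac) pairs seen on the network."""
    return {dev: check_device(dev, mac, today_iso) for dev, mac in seen}

if __name__ == "__main__":
    # Constructed observations: one genuine, one swapped unit, one aged unit.
    observed = [("POS-0002", "00:11:22:33:44:02"),
                ("POS-9999", "00:11:22:33:44:99"),
                ("POS-0001", "00:11:22:33:44:01")]
    for dev, findings in audit(observed, "2009-09-01").items():
        print(dev, "OK" if not findings else "; ".join(findings))
```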


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog