Stuxnet begone! Can we worry about EFTPOS now, please?

Stuxnet, the malware story which refuses to die, has dominated recent security media coverage for two reasons. Firstly, Stuxnet targets the sorts of Programmable Logic Controller (PLC) used for industrial automation in plants and factories. Secondly, Stuxnet’s prevalence was apparently greatest in Iran, giving hyperbolistas plenty to dine out on. (No emails about my neologism or my sentence-ending preposition. Thank you.)

PLC security problems are important, but I find myself much more concerned when I hear of hardware or firmware security troubles in the financial sector, especially those related to Trojanised cash machines or point-of-sale devices.

Stuxnet, it seems, targeted a specific PLC device in a specific configuration in a specific location. So it didn’t pose an obviously widespread public danger. Indeed, it is unlikely we shall ever find out what it was for. Stuxnet was also rather easy to prevent, and easy to identify and remove even if you did get infected.

But hardware and firmware hackers seem regularly able to subvert payment devices on a surprisingly broad scale – even though you and I are expected by the payment industry to put considerable trust in the myriad different point-of-sale and cash withdrawal units in use around the world.

A few examples should suffice.

In 2008, Trojanised chip-and-PIN machines in Europe were reported to have been compromised during the manufacturing process. These Trojanised devices sported additional internal hardware, including a GSM modem, to transmit phished credentials to cybercriminals in Pakistan.

In 2009, McDonalds outlets in Western Australia were victimised with fraudulent EFTPOS devices. Apparently, the crooks simply swapped legitimate payment devices for hacked ones whilst buying food from the drive-through counter, where EFTPOS devices are handed into the car and can be operated largely out of sight. A similar swapover ruse was later used to recover the dodgy devices and restore the originals.

And ALDI in the USA has very recently admitted a widespread hardware phishing campaign against its customers, once again apparently orchestrated by the use of tampered EFTPOS devices.

In the 21st century, no merchant’s network should tolerate the arbitrary connection of unknown and unauthorised devices.

Checks and balances within every device vendor’s production facilities should make it impossible to compromise trusted devices, such as by the addition of GSM hardware together with Trojanised firmware to drive it.

And EFTPOS devices should routinely be retired once any security precautions deemed OK at design time have been overtaken by time or cybercriminality. In the 2009 McDonalds attack in Western Australia, the devices in use had been short-listed for an Australian design award back in 2000; the nomination notes that they were “developed for an expected product lifecycle of 5-7 years”.

If Stuxnet teaches the PLC industry to take security seriously (and let us hope that is a silver lining which might yet appear), perhaps ALDI’s current discomfiture – with attacks apparently reported across eleven states in the USA – will lead to a similar security boost amongst merchants and electronic funds processors.

The much-vaunted PCI Data Security Standard explicitly mentions, as one of its twelve fundamental principles, the requirement to “assign a unique ID to each person with computer access.”

Perhaps it’s time to see this identification regimen extended explicitly to devices with access to the network, too?
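What a per-device identification regimen might look like in practice, as an added example that is not part of the original article and does not describe any real merchant’s or vendor’s system: a small audit that checks DHCP lease records against an inventory of authorised payment terminals. It flags three things the incidents above would have produced: an unregistered device obtaining a lease at all, an unregistered device presenting the serial of an authorised terminal (the swap-and-replace pattern), and an authorised terminal turning up on a port other than the one it was deployed to. The inventory, the MAC addresses, the serial numbers and the log line format are all constructed for illustration and are not taken from any vendor’s product.

```python
"""Audit DHCP lease records against an inventory of authorised EFTPOS terminals.

Added example, not from the original article. The inventory, the log line
format and every MAC/serial/port value below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Hypothetical inventory of authorised terminals, keyed by MAC address (the
# unique per-device ID). Values are (serial number, port it was deployed to).
AUTHORISED_TERMINALS = {
    "00:11:22:33:44:01": ("EFT-10001", "drive-through-1"),
    "00:11:22:33:44:02": ("EFT-10002", "drive-through-2"),
    "00:11:22:33:44:03": ("EFT-10003", "counter-1"),
}

# Constructed lease lines in a dhcpd-like shape with a switch-port tag appended.
# This format is an assumption made for the example, not any vendor's output.
LEASE_LOG = """\
Jul 14 10:01:02 dhcpd: DHCPACK on 10.20.0.11 to 00:11:22:33:44:01 (EFT-10001) port drive-through-1
Jul 14 10:01:09 dhcpd: DHCPACK on 10.20.0.12 to 00:11:22:33:44:02 (EFT-10002) port drive-through-2
Jul 14 10:05:44 dhcpd: DHCPACK on 10.20.0.13 to de:ad:be:ef:00:01 (EFT-10002) port drive-through-2
Jul 14 10:07:10 dhcpd: DHCPACK on 10.20.0.14 to 00:11:22:33:44:03 (EFT-10003) port drive-through-1
"""

LINE_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-fA-F:]{17}) "
    r"\((?P<hostname>[^)]*)\) port (?P<port>\S+)"
)


@dataclass(frozen=True)
class Finding:
    severity: str
    mac: str
    port: str
    reason: str


def audit_leases(log_text, inventory):
    """Return a Finding for every lease that does not match the inventory."""
    findings = []
    known_serials = {serial for serial, _ in inventory.values()}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a lease acknowledgement; ignore
        mac = m["mac"].lower()
        hostname, port = m["hostname"], m["port"]

        if mac not in inventory:
            # Unknown hardware on the network. If it also presents an authorised
            # serial, a legitimate terminal has probably been swapped for a fake.
            if hostname in known_serials:
                findings.append(Finding(
                    "critical", mac, port,
                    f"unregistered device presenting authorised serial {hostname}"))
            else:
                findings.append(Finding(
                    "high", mac, port, "unregistered device obtained a lease"))
            continue

        serial, expected_port = inventory[mac]
        if hostname != serial:
            # Registered MAC but the wrong label: possibly a cloned address.
            findings.append(Finding(
                "high", mac, port,
                f"device with MAC of {serial} presented serial {hostname}"))
        elif port != expected_port:
            # Right device, wrong place: worth a physical check of both ports.
            findings.append(Finding(
                "medium", mac, port,
                f"{serial} moved from {expected_port} to {port}"))
    return findings


if __name__ == "__main__":
    for f in audit_leases(LEASE_LOG, AUTHORISED_TERMINALS):
        print(f"[{f.severity}] {f.mac} on {f.port}: {f.reason}")
```

Run against the constructed log, the audit reports the unregistered device on drive-through-2 that claims to be EFT-10002 as critical, and EFT-10003 appearing on drive-through-1 instead of counter-1 as medium. In a real deployment the inventory would come from the device vendor’s shipping manifest or the merchant’s asset register, and the same check is better enforced at the switch (port security or 802.1X) than reported after the fact, but the logic of “every device has an ID, and every lease must match it” is the same.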