How many computer users still regularly use Windows XP?
It’s a trick question, of course, because the answer is that millions of people do every time they take money out of an ATM cash machine; a significant proportion of which still run some variant of the geriatric OS.
It’s a finding that jumps out of a new probe of ATM security by Positive Technologies, which found that 15 out of the 26 common designs it tested were running embedded versions of XP.
The report doesn’t differentiate between Windows XP and the various Windows Embedded products based on it, but in technology terms they’re all ancient. XP gasped its last breath in April 2014, as did Windows XP Professional for Embedded Systems. The end of extended support has come and gone for most other embedded products based on XP too, and those that are still hanging on by their fingernails only have a few months left.
A further eight ATMs used Windows 7, while only three used Windows 10. While ATM security shouldn’t be reduced to which OS version is in use, the fact that over half were using an OS that even Microsoft thinks is on life support underscores the challenge of keeping them safe.
A quick check on Naked Security shows a string of stories of ATM compromises going back into the mists of time, including August’s multinational cashout warning by the FBI, and a wave of “jackpotting” attacks.
Then there is the recent trend for black box attacks in which a hole is drilled into the machine to hook up a mini-computer (Raspberry Pis being a popular option) to instruct the ATM to chuck out money.
A bit of a mess
Reading deeper into Positive’s report, it’s not hard to see why attacks keep happening. Its researchers uncover weaknesses at every level of their security design.
At the most basic layer of security – encrypting internal hard drives to prevent attackers copying over malware – only two of 26 had this protection.
In a quarter of ATMs, it was possible to bypass security by connecting and booting from an external drive, changing the boot order in the old-style BIOS (no UEFI or authentication present), and configuring the ATM to boot from this to run malware.
A further 11 could be started in Safe Mode, Directory Service Restore Mode or Kernel Debug – a simple way to bypass security checks. Ditto forcing an ATM out of kiosk mode, which was possible for 20 machines.
The team even discovered previously unknown flaws in the security software that was supposed to be protecting ATMs.
What about common attacks?
Spoofing attacks are one example where attackers insert themselves between the ATM and the processing centre to coax it to spit out cash using false commands – just over a quarter had vulnerabilities that might allow this.
Meanwhile, skimming card data from the magnetic stripe either directly during use or subsequently as it is transferred from the ATM to a processor, proved possible for every single ATM tested.
As for black box attacks, 18 were susceptible to this compromise.
About the only defence an ATM maker could put up to these tests is that all require some time – usually minutes – as well as undisturbed access to the ATM cabinet from the front.
Said Positive’s cyber resilience head, Leigh-Anne Galloway:
To reduce the risk of attack and expedite threat response, the first step is to physically secure ATMs, as well as implement logging and monitoring of security events on the ATM and related infrastructure.
The report goes on to recommend some familiar precautions – that data exchanged with the card reader should be encrypted, and that manufacturers take steps to prevent arbitrary code execution and man-in-the-middle attacks between the ATM and processing centre.
In other words: ATMs are just computers at the end of the day (but with an older OS than yours).
4 comments on “How to rob an ATM? Let me count the ways…”
> 15 out of the 26 common designs it tested were running embedded versions of XP… eight used Windows 7, while only three used Windows 10.
Using variants of Windows is the only approach? Reminds me of the Blues Brothers quote:
“We listen to both kinds of music. Country AND western.”
Every business needs to show a profit but it shouldn’t be at the the expense of it’s customers. Unfortunately, unless they are forced to, banks will not spend any of their excessive profits on security. I had to go in to discuss something with my bank about 5 years ago and they were still running Windows 2000. Unbelievable. The ATMs are still on XP today. I’ve approached a machine to withdraw money and been unable to because the machine was repeatedly rebooting. Nice. No point in switching. I’m sure that it won’t help. At least all Canadian banks are on chip and pin now.
Usually, people simply start the ATMs and drill or open the vault door. Quick, simple and contrary to what someone said next, if you do it right, they probably will not catch you unless someone yells at you.
The technical programming issue and other coding errors where penetration can be easily happened and installing malware there can make sure the robbing off the ATM. There are minor and major attacks occur in ATM which you will have to know about.