How many computer users still regularly use Windows XP?
It’s a trick question, of course, because the answer is that millions of people do every time they take money out of an ATM cash machine; a significant proportion of which still run some variant of the geriatric OS.
It’s a finding that jumps out of a new probe of ATM security by Positive Technologies, which found that 15 out of the 26 common designs it tested were running embedded versions of XP.
The report doesn’t differentiate between Windows XP and the various Windows Embedded products based on it, but in technology terms they’re all ancient. XP gasped its last breath in April 2014, as did Windows XP Professional for Embedded Systems. The end of extended support has come and gone for most other embedded products based on XP too, and those that are still hanging on by their fingernails only have a few months left.
A further eight ATMs used Windows 7, while only three used Windows 10. While ATM security shouldn’t be reduced to which OS version is in use, the fact that over half were using an OS that even Microsoft thinks is on life support underscores the challenge of keeping them safe.
A quick check on Naked Security shows a string of stories of ATM compromises going back into the mists of time, including August’s multinational cashout warning by the FBI, and a wave of “jackpotting” attacks.
Then there is the recent trend for black box attacks in which a hole is drilled into the machine to hook up a mini-computer (Raspberry Pis being a popular option) to instruct the ATM to chuck out money.
A bit of a mess
Reading deeper into Positive’s report, it’s not hard to see why attacks keep happening. Its researchers uncover weaknesses at every level of their security design.
At the most basic layer of security – encrypting internal hard drives to prevent attackers copying over malware – only two of 26 had this protection.
In a quarter of ATMs, it was possible to bypass security by connecting and booting from an external drive, changing the boot order in the old-style BIOS (no UEFI or authentication present), and configuring the ATM to boot from this to run malware.
A further 11 could be started in Safe Mode, Directory Service Restore Mode or Kernel Debug – a simple way to bypass security checks. Ditto forcing an ATM out of kiosk mode, which was possible for 20 machines.
The team even discovered previously unknown flaws in the security software that was supposed to be protecting ATMs.
What about common attacks?
Spoofing attacks are one example where attackers insert themselves between the ATM and the processing centre to coax it to spit out cash using false commands – just over a quarter had vulnerabilities that might allow this.
Meanwhile, skimming card data from the magnetic stripe either directly during use or subsequently as it is transferred from the ATM to a processor, proved possible for every single ATM tested.
As for black box attacks, 18 were susceptible to this compromise.
About the only defence an ATM maker could put up to these tests is that all require some time – usually minutes – as well as undisturbed access to the ATM cabinet from the front.
Said Positive’s cyber resilience head, Leigh-Anne Galloway:
To reduce the risk of attack and expedite threat response, the first step is to physically secure ATMs, as well as implement logging and monitoring of security events on the ATM and related infrastructure.
The report goes on to recommend some familiar precautions – that data exchanged with the card reader should be encrypted, and that manufacturers take steps to prevent arbitrary code execution and man-in-the-middle attacks between the ATM and processing centre.
In other words: ATMs are just computers at the end of the day (but with an older OS than yours).