Protect Your Assets

Neal B. Custer: Vulnerability of ATMs with Windows XP a lesson for all

President of Reveal Digital Forensics & Security, a subsidiary of Custer Agency Inc. and an adjunct professor at Boise State UniversityMarch 19, 2014 

Neal B. Custer

It is safe to say that the average user feels pretty safe and comfortable using an ATM. This is a self-evident truth: Why else would there be such long lines at bank drive-thrus everywhere at the end of each workday? This makes sense - after all, the ATM runs a proprietary operating system and is a lot less susceptible than other computers to hacking attempts, right?

Not necessarily. Contrary to what the user interface might suggest, under the hood many ATMs are still running Windows XP. All the security vulnerabilities that come with being powered by an antiquated operating system are present.

Furthermore, many of these Windows XP ATM systems have functional USB ports on the front of the unit. You have probably never seen these USB ports, because they are hidden underneath the machine's lockable plastic front panel. However, just because they are out of sight does not mean they are secure. A situation like this - a public-facing system literally full of money, running a vulnerable operating system, with unrestricted USB access - is a recipe for disaster.

HOW A THIEF CAN ROB YOUR ATM

That disaster manifests itself as a simple scheme. Criminals need only to identify a particular model of ATM running Windows XP, read the documentation online and learn where the USB ports are, prepare a USB stick infected with malware (easily purchased from a number of cybercrime forums), and wait for a time when they can have five minutes alone with the machine. From there, they simply cut a hole into the plastic, pop in the USB stick, and watch the machine spill out money like a Las Vegas slot machine.

What can business owners learn from this latest exploit? Is this only applicable to banks and private ATM companies?

Hardly. On a conceptual level, these particular ATMs are using a concept known as "security through obscurity," which simply means that efforts are taken to keep vulnerabilities out of the public eye. Instead of fixing the problems, the problems are hidden from view.

HIDING PROBLEMS DOESN'T SOLVE THEM

This is by no means secure. An ATM might not appear to be running Windows XP, and it might not appear to have USB ports, but that does not change the fact that both are true. Especially in the age of the Internet, relying on security through obscurity is an impossibility. It takes a single curious mind to do the research necessary to undermine this sort of "security," and then share those vulnerabilities with the rest of the known world through the Internet.

Instead of simply trying to hide the problems, ATM manufacturers should have instead taken steps to truly secure the devices. Microsoft is discontinuing support for Windows XP (now a 10-year-old product) next month and recommends upgrading to a more modern version of Windows. Whether the ATMs have the hardware to do that is another question, but even if they were forced to stay on XP, the USB ports could still be disabled through the BIOS (short for basic input/output system, instructions in firmware that turn the computer on and off). On top of that, the plastic front panels could easily be replaced with metal ones. An even better approach would be to replace the whole machine with a unit running a totally proprietary system without front-facing USB access.

The problems with these solutions is that they all cost money. A new ATM is not cheap, and even replacing the front panel with a metal one costs money a business owner might not be willing to spend. This leads to the same dangerous justification that seems to occur in every less-than-secure business - someone assumes it "can't happen to them" and thus it isn't worth the investment to fix.

WHAT BUSINESS OWNERS SHOULD DO

Security needs to be proactive, not reactive. It is far too easy to fall into the trap of thinking "it can't happen to me," leaving your systems inadequately protected, and assuming things are secure simply because you haven't been successfully hacked yet. Business owners should hire external security auditors at least yearly. Auditors can approach a situation from the same point of view as the bad guys - they can identify the assets worth targeting, determine what vulnerabilities are present, and depending on the scope of the assignment, even make simulated hacking attempts to see just how far they can go.

When your systems are hacked by an auditor, the flaws are documented in a report and suggestions are made in order to secure those systems and provide better training for employees. When those systems are hacked by a criminal, there will be no such helpful report - only missing funds.

WINDOWS XP: TROUBLE

If you are running a small business, are you still using Windows XP on at least one machine that interacts with customer data? Are your customers aware of this? Is that machine connected to the Internet? These are important questions that need to be asked.

Even if you are running a particular piece of legacy software that will not work with newer versions of Windows, all the necessary steps need to be taken to keep that data safe. Consider switching software packages, or if that is impossible, isolate the XP machine from public access (including the Internet) entirely.

Security through obscurity does not work in the modern age. We cannot just hide our vulnerabilities and hope that nothing bad will happen. Business owners must own security and hold themselves accountable to be proactive about it.

If we merely keep our vulnerabilities hidden behind a thin sheet of plastic, one day somebody will decide to cash out.

neal@custeragency.com

Idaho Statesman is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service