The Security of ATMs
From the perspective of the average consumer, Automatic Teller Machines (ATMs) present a target that should be very well fortified against attacks of any kind. Unfortunately, this is often not the case. Many ATMs run on notoriously outdated software and weak networks.
This week saw a hack of Taiwanese ATMs. The Register reports millions of dollars in damage done.
What is more interesting is that the attackers apparently used mobile devices to trigger the dispensation of cash. This implies that the ATMs were previously infected with malware which was then controlled using said mobile devices.
Taiwan's First Bank - which operated the ATMs - and German manufacturer Wincor Nixdorf - who built the ATMs - have since released statements saying that the attack is being investigated. While it is unlikely that details of the attack will be published officially, we will use this opportunity to take a closer look at the security of ATMs in general.
Under the hood, an ATM is merely a computer connected to specialized hardware. While any OS can be used to construct an ATM, a surprisingly large number run on old versions of Microsoft Windows. Most notably, Windows NT4 and XP are still widely deployed. These operating systems are no longer supported by Microsoft and contain a number of known critical vulnerabilities. Many older ATMs rely on money-handling hardware constructed decades ago. Since this hardware requires specialized drivers, OS upgrades become impossible.
Even when an OS with active support is used, many manufacturers choose not to apply automatic security updates for fear that the changes may break compatibility with the hardware.
While outdated software in embedded systems is rather common, ATMs also require a network connection of some kind to the bank in order to operate. With vulnerabilities in the software, the security of the ATM therefore often rests on the security of that network connection. Unfortunately, many ATMs have their Ethernet cables exposed, are connected to a publicly accessible wired network or WiFi, or are even - in some cases - directly connected to the internet. In all of these settings an attacker can gain access to the network and attack the ATM from there.
While the setup and maintenance of ATMs is covered by standards such as PCI-DSS, compliance is not mandatory and security therefore varies widely between manufacturers, operators, banks and countries.
There is little the end-user can do to spot a hacked ATM.
Organizations operating ATMs are advised to comply with a security policy framework and perform regular maintenance on all of their machines to ensure the security of deployed endpoints.
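The three risk factors discussed above (an operating system past its vendor support date, security updates not applied, and a network placement reachable by third parties) are exactly the things a regular fleet audit should flag. The following is an added example of such an audit, written for this post and not code from First Bank, Wincor Nixdorf or any ATM vendor. The fleet records, the audit date, the 90-day patch-age limit and the exposure ratings for each network placement are all constructed assumptions; the end-of-support dates are public vendor lifecycle dates as known to the author of this example and should be checked against the vendor before relying on them.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Vendor end-of-support dates for the OS versions mentioned in the post plus
# two newer ones for comparison. Verify against the vendor lifecycle pages.
OS_END_OF_SUPPORT = {
    "Windows NT 4.0": date(2004, 12, 31),
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

# Exposure rating per network placement. These ratings are this example's
# own assumption; an unknown placement is treated as "high" (fail closed).
NETWORK_EXPOSURE = {
    "internet": "critical",       # ATM directly reachable from the internet
    "public-wifi": "critical",    # shared wireless network
    "shared-lan": "high",         # exposed Ethernet / publicly accessible LAN
    "dedicated-vpn": "low",       # private link to the bank only
}

MAX_PATCH_AGE_DAYS = 90           # hypothetical policy value
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
AUDIT_DATE = date(2016, 8, 1)     # constructed audit date used by the sample fleet


@dataclass
class AtmRecord:
    atm_id: str
    os_name: str
    last_patched: date
    network: str
    auto_updates: bool


def audit_atm(rec: AtmRecord, today: date) -> list[tuple[str, str]]:
    """Return (severity, message) findings for a single ATM record."""
    findings = []

    eos = OS_END_OF_SUPPORT.get(rec.os_name)
    if eos is None:
        findings.append(("medium", f"OS '{rec.os_name}' is not in the lifecycle table"))
    elif today > eos:
        findings.append(("critical", f"{rec.os_name} unsupported since {eos.isoformat()}"))

    patch_age = (today - rec.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(("high", f"last patched {patch_age} days ago (limit {MAX_PATCH_AGE_DAYS})"))

    if not rec.auto_updates:
        findings.append(("medium", "automatic security updates disabled"))

    exposure = NETWORK_EXPOSURE.get(rec.network, "high")
    if exposure != "low":
        findings.append((exposure, f"network placement '{rec.network}' is reachable by third parties"))

    return findings


def overall_severity(findings: list[tuple[str, str]]) -> str:
    """Highest severity among the findings; 'low' when there are none."""
    if not findings:
        return "low"
    return max(findings, key=lambda f: SEVERITY_RANK[f[0]])[0]


def audit_fleet(records: list[AtmRecord], today: date) -> dict[str, tuple[str, list]]:
    """Map each ATM id to (overall severity, list of findings)."""
    report = {}
    for rec in records:
        findings = audit_atm(rec, today)
        report[rec.atm_id] = (overall_severity(findings), findings)
    return report


# Constructed sample fleet: one legacy machine, one well-maintained machine,
# and one patched machine that is nevertheless exposed directly to the internet.
SAMPLE_FLEET = [
    AtmRecord("ATM-001", "Windows XP", date(2014, 3, 1), "shared-lan", False),
    AtmRecord("ATM-002", "Windows 10", AUDIT_DATE - timedelta(days=30), "dedicated-vpn", True),
    AtmRecord("ATM-003", "Windows 7", date(2016, 6, 1), "internet", True),
]

if __name__ == "__main__":
    for atm_id, (severity, findings) in audit_fleet(SAMPLE_FLEET, AUDIT_DATE).items():
        print(f"{atm_id}: {severity}")
        for sev, msg in findings:
            print(f"    [{sev}] {msg}")
```

The audit deliberately reports a patched, supported machine as critical when it sits directly on the internet: an up-to-date OS does not compensate for the network exposure the post describes, and the two checks are scored independently so neither masks the other.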