The Security of ATMs

With a large number of ATMs still running Windows XP and Windows NT4, it is becoming increasingly important to understand what the risks are in deploying these older operating systems in the modern threat landscape.

First Published 20th July 2016


Insufficient funds.

4 min read  |  Reflare Research Team

From the perspective of the average consumer, Automatic Teller Machines (ATMs) present a target that should be very well fortified against attacks of any kind. Unfortunately, this is often not the case. Many ATMs run on notoriously outdated software and weak networks.

This week saw a hack of Taiwanese ATMs. The Register reports millions of dollars in damage done.

What is more interesting is that the attackers apparently used mobile devices to trigger the dispensation of cash. This implies that the ATMs were previously infected with malware which was then controlled using said mobile devices.

Taiwan's First Bank - which operated the ATMs - and German manufacturer Wincor Nixdorf - who built the ATMs - have since released statements saying that the attack is being investigated. While it is unlikely that details of the attack will be published officially, we will use this opportunity to take a closer look at the security of ATMs in general.

Under the hood, an ATM is merely a computer connected to specialized hardware. While any OS can be used to build an ATM, a surprisingly large number run on old versions of Microsoft Windows. Most notably, Windows NT4 and XP are still widely deployed. These operating systems are no longer supported by Microsoft and contain a number of known critical vulnerabilities. Many older ATMs rely on money-handling hardware constructed decades ago. Since this hardware depends on specialized drivers written for those old systems, an OS upgrade is not possible.

Even when a currently supported OS is used, many manufacturers choose not to apply automatic security updates for fear that the changes may break compatibility with the hardware.

While outdated software in embedded systems is rather common, an ATM also requires some kind of network connection to the bank in order to operate. When the software itself is vulnerable, the security of the ATM therefore often rests on the security of that network connection. Unfortunately, many ATMs have their Ethernet cables exposed, are connected to a publicly accessible wired network or WiFi, or are even - in some cases - directly connected to the internet. In all of these settings, an attacker can gain access to the network and attack the ATM from there.
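The two risk factors above (an unsupported or unpatched OS, and how reachable the machine's network is) can be turned into a simple fleet audit. The following is an added example, not code from the article or from any ATM vendor; the end-of-support dates are Microsoft's published lifecycle dates, while the exposure ranking, the tier ladder and the sample fleet are assumptions constructed for the example.

```python
from collections import namedtuple
from datetime import date

# Microsoft end-of-extended-support dates for the OS versions discussed.
EOL = {
    "Windows NT4": date(2004, 12, 31),  # NT 4.0 Server
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}
# Network placements from the text, ranked by how easily an attacker reaches
# the machine (the ranking itself is an assumption made for this example).
EXPOSURE = {
    "private_bank_link": 0,   # reachable only from the bank's own network
    "exposed_cable": 1,       # Ethernet cable physically accessible
    "public_lan_or_wifi": 2,  # shares a publicly accessible LAN or WiFi
    "direct_internet": 3,     # routable from the internet
}
Atm = namedtuple("Atm", "atm_id os_name auto_updates network")

def assess(atm, today=None):
    """Return (tier, findings) for one machine as of `today`."""
    today = today or date.today()
    findings = []
    eol = EOL.get(atm.os_name)
    unsupported = eol is None or today > eol  # unknown lifecycle counts as unsupported
    if unsupported:
        findings.append(f"{atm.os_name} is out of vendor support")
    if not atm.auto_updates:
        findings.append("security updates are not applied automatically")
    exposure = EXPOSURE[atm.network]  # KeyError for an unrecognised placement
    # Weak software: the network placement alone decides how reachable the
    # weakness is. Supported, patched software: placement only matters at the top end.
    weak = unsupported or not atm.auto_updates
    ladder = ["medium", "high", "critical", "critical"] if weak else ["low", "low", "medium", "high"]
    return ladder[exposure], findings

def audit(fleet, today=None):
    """Map each ATM id to (tier, findings), worst tier first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    results = {a.atm_id: assess(a, today) for a in fleet}
    return dict(sorted(results.items(), key=lambda kv: order[kv[1][0]]))

# Constructed sample fleet (not real machines), audited as of the article's date.
AS_OF = date(2016, 7, 20)
SAMPLE_FLEET = [
    Atm("ATM-001", "Windows XP", False, "exposed_cable"),
    Atm("ATM-002", "Windows NT4", False, "direct_internet"),
    Atm("ATM-003", "Windows 7", True, "private_bank_link"),
]
```

Run `audit(SAMPLE_FLEET, AS_OF)` to get the fleet ranked worst first; the findings list gives the operator the concrete reason for each tier.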

While the setup and maintenance of ATMs are covered by standards such as PCI-DSS, compliance is not mandatory and security, therefore, varies widely between manufacturers, operators, banks and countries.

There is little the end-user can do to spot a hacked ATM.

Organizations operating ATMs are advised to comply with a security policy framework and perform regular maintenance on all of their machines to ensure the security of deployed endpoints.
