Windows XP and USB ports making cash machine vulnerable to attack

According to Kaspersky, ATMs are far easier to get into that you might think

Almost any ATM can be illegally accessed and “jackpotted”, claims Kaspersky
Almost any ATM can be illegally accessed and “jackpotted”, claims Kaspersky

Security researchers at Kaspersky claim that virtually any cash machine can be illegally accessed and stolen from.

In short, outdated software and poor hardware mean cash machines are easy pickings for criminals.

The researchers said that most ATMs are usually based on outdated software (such as Windows XP) and this makes the vulnerable to either malware or other exploits. Another security headache is the use of the insecure XFS standard which banks use to communicate with ATMs.

"The problem is that XFS specification requires no authorisation for the commands it processes, meaning that any app installed or launched on the ATM can issue commands to any other ATM hardware unit, including the card reader and cash dispenser", said Olga Kochetova, security expert at Kaspersky Lab's Penetration Testing department, in a blog post.

Windows XP has not been patched for over two years. “Of course, 0-day vulnerabilities for this system will remain unpatched. The engineers servicing ATMs often think that if the ATM is working, it is better “not to touch” (read: “not to update”) it. As a consequence, some cash machines still have the unpatched critical vulnerability MS08-067 which allows remote code execution,” she said.

Once the ATM is accessed, hackers can pretty much do anything they like.

Another issue is how easy it is to gain physical access to an ATM. Hackers can deploy a “black box”, basically a tiny computer that helps criminals connect the ATM to a rogue processing centre under their control, bypassing any security measures the bank has put in place. The black boxes can be installed easily if a criminal can reach the PC or USB port inside the ATM.

Kochetova said that many banks still think that criminals are only interested in stealing money through internet banking.

“The results of our research show that even though vendors are now trying to develop ATMs with strong security features, many banks are still using old insecure models,” she said.

“This makes them unprepared for criminals actively challenging the security of these devices. This is today's reality that causes banks and their customers huge financial losses.”

To guard against such attacks, Kochetova said, the XFS standard needed overhauling and two-factor authentication needed deploying to cash machines.

Alex Cruz Farmer, VP of cloud at Nsfocus, told SCMagazineUK.com that as banks are enterprise, and it is their prerogative to deliver profits for their staff and, most importantly, shareholders. “With this mindset, ATMs and installations are delivered and deployed with a particular strategy to ensure a good return on investment,” he said.

“Looking at the UK, since ATM withdrawal fees are no longer a thing, I can absolutely understand the return on investment due to maintaining these would be much lower or take longer. With that in mind, updating and putting state of the art technologies within ATMs will be challenging,” he said.

Farmer added that hacking ATMs is straightforward, however, “it requires a physical person to commit the fraud. By that I mean having to physically attend an ATM, and install equipment.”

“If ATMs were treated the same way as we treat security appliances, then any attempts hacking them would be much more difficult or hopefully near impossible. Even vendors like Intel have created free technology built in their processors to deal with detecting malware on boot, so the solutions are there to be utilised,” he said.

Mark James, Security Specialist at ESET, told SC there may be many reasons for still using the older insecure models but one of the biggest will almost certainly be cost.

“The sheer amount of money involved in purchasing, configuring, installing the new models and of course disposing of the old ones will be enormous. Banks will probably perceive the small risk of attack and those costs compared to replacing all the current models and weigh up the pros and cons,” he said.

James added that the most important things that can be done right now is making sure the software used on these units is up to date and patched as thoroughly as possible.

“Any and all software needs to be vetted and where possible replaced with current versions and close attention paid to known exploits in both software and hardware (firmware). Access to both physical and remote needs should be monitored and regularly reviewed to see if it can be compromised or spoofed and any findings should be actioned with speed and urgency.”

Sign up to our newsletters