July 10, 2009

Security - Hacking into ATM via Windows CE

Writeup on ATM hack via Windows CE. Worth noting that 56% of ATMs run on Windows (rest on OS/2). Vendors noted with responses include Diebold and NCR (both claim to not be exploited). We also note that many of the new gas pumps are running Windows CE for that matter.


From Slashdot

"A researcher working for networking company Juniper has been forced to cancel a Black Hat presentation that would have revealed a way to hack into ATM machines. The presentation focused on exploiting vulnerabilities in devices running the Windows CE operating system, including some ATMs. The decision to cancel was made to give the vendor concerned time to patch the problem, although the company was notified 8 months ago. The article mentions a growing trend in ATM hacking: In November 2008 thieves stole nearly $9 million from more than 130 cash machines in 49 cities worldwide. And earlier this year, the second biggest maker of ATMs, Diebold, warned customers in an advisory that certain cash machines in Eastern Europe had been loaded with malicious software capable of stealing financial information and the secret PINs from customers performing ATM transactions."

Flaw Opens ATMs to Hackers
A conference presentation would have exposed flaws in some cash machines.
By Robert Lemos
Barnaby Jack, a security researcher at the computer networking giant Juniper, had planned to hack into an automatic teller machine (ATM) live onstage at the Black Hat Security Conference in Las Vegas later this month. But his presentation, designed to demonstrate the insecurity of various ATMs, attracted the attention of the financial industry as well as security professionals, and under pressure from ATM manufacturers, Juniper canceled the presentation last week, citing concerns that the vulnerabilities involved had still not been fixed.

"The vulnerability Barnaby was to discuss has far reaching consequences, not only to the affected ATM vendor, but to other ATM vendors and--ultimately--the public," wrote Brendan Lewis, director of corporate social media relations for Juniper in a statement posted to the company's official blog last week. "To publicly disclose the research findings before the affected vendor could properly mitigate the exposure would have potentially placed their customers at risk. That is something we don't want to see happen."

The presentation would have focused on exploiting vulnerabilities in devices running the Windows CE operating system, including some ATMs, according to a source familiar with the details. While the presentation was canceled to allow manufacturers more time to fix the vulnerabilities, Juniper had originally notified the company almost eight months ago, says the source, who asked not to be named.

Other security experts are not surprised that the vulnerabilities are there to find. Significant flaws in cash machines and ATM networks are plentiful, says Nicholas Percoco, senior vice president of TrustWave, an information security and compliance firm that has assessed the security of point-of-sale terminals, kiosks, and ATM networks. "It is very, very rare that a device comes to our labs--in fact, I don't think that it has happened--that we don't find a vulnerability," Percoco says.

ATMs have also been the focus of a number of high-profile security incidents in the past 12 months. In November 2008, thieves stole nearly $9 million from more than 130 cash machines in a matter of hours using fake payroll cards. The scheme, which took place in 49 cities worldwide, relied on hackers breaching the network of financial firm RBS WorldPay and reloading cards so that they could withdraw an average of $90,000 per account.

In January of this year, the second biggest maker of ATMs, Diebold, warned customers in an advisory that certain cash machines in Eastern Europe had been loaded with malicious software capable of stealing financial information and the secret PINs from customers performing ATM transactions. The stealthy software, which infected at least 20 ATMs, allowed criminals to print out card details on ATM receipts and eject the cash cartridge from the ATM kiosks, according to an analysis of the software performed by TrustWave.

"Once the attackers get in through the back-end systems, they essentially camp out," says Percoco. "It is cash, so it is real money; it's not like they are charging to a credit card and have to sell the goods."

Among recommendations to its customers, Diebold asked that banks and ATM owners periodically change the kiosks' administrator passwords and ensure that the firewalls are active. Diebold believes that attackers had to have physical access to the systems to load the malicious software in the first place. "To the company's knowledge, this is the first incident dealing with a physical attack and installation of illegal software within the ATM unit," Diebold said in a statement issued at the time.

NCR, the leading supplier of ATMs worldwide, has taken a multilayered approach to securing its cash machines. The company uses a technology, known as Solidcore, that prevents unauthorized code from running on its Windows-based systems, and it recommends that customers lock down the Windows XP operating system by using the built-in firewall and virtual private networking. Other security features include physical measures to make it apparent if a fraudster attaches a device to steal card information to the ATM, a mechanism to prevent such devices from easily reading bank cards, and ink that stains stolen cash.

Representatives for both NCR and Diebold denied that any of their machines were to be the focus of Juniper's demonstration, however.

Link

Posted by staff at July 10, 2009 10:13 AM
Leading the way in self-service kiosk tech