Robbing ATMs by SMS: Not in the real world

Summary: Why would anyone with the ability to execute Backdoor.Ploutus, which Symantec says is used to rob ATMs with text messages, bother with it?

It's odd how Windows XP can be about to reach end-of-life, and suddenly there's a mad rush to make money off it. Well, that's what business is all about, in this case the computer security business.

The latest example is Symantec's story of a Windows XP vulnerability being used to allow attackers to dispense cash from ATMs using an SMS text message. It raises a question: Why have banks and ATM companies taken so long to deal with Windows XP and threats like this one, which Symantec names Backdoor.Ploutus? It's because they don't see them as real threats, and they have a point.

I touch on some of this in a recent story in which I find that any bank in which the ATMs can be attacked to the point of running malicious code on them has bigger problems than Windows XP on those ATMs. In any actual bank, an ATM will have heavy physical shielding protecting it from any use other than that for which it was designed: stick your card in, press buttons, take cash. Of course there are other ATMs, like the ones in convenience stores, which are often less secure physically.

Most of Symantec's blog post about Ploutus deals with what the malware does once installed. But how does it get installed? Unlike with a regular PC, you can't trick the user into visiting a malicious web site or running an email attachment. That's because the scenario for Ploutus requires:

  • Physical access to the insides of the ATM
  • The ability to reboot the ATM and to have it boot off the USB port
  • The lack of just about any security software or other measures on the ATM.

In some cases, such as in a bank, access to the insides of the ATM is heavily guarded. Even in the case of the convenience store, you have to be able to pick the locks and you have to deal with security cameras. I'm sure it can be done, but it's not easy. (Yes, you could get access with an insider, but with an insider you could do a lot worse damage than this.)

The Ploutus malware is installed by booting the ATM off mass storage attached through the USB port, at which point it installs the malware on the hard disk. This requires that the ATM be set to allow booting off the USB port before the hard disk, or at least that the attacker have BIOS access to reset the boot order. Maybe this is easy in an ATM, I don't know, but if it is then it represents more mistakes made by the ATM operator.

If the attacker can boot off the USB and the hard disk is encrypted, then game over. The attack won't work. If the ATM is running decent antivirus or any of many types of security software which would detect Ploutus (like a firewall that sees the USB traffic), then the ATM will likely shut itself off and report the problem.

If an attacker had this level of access to an ATM, why would they bother with using the SMS method at all? In the real world, ATM criminals take a much less complicated attitude towards their craft: They just steal the whole ATM, take it away and use a blowtorch to open the safe inside. Yes, "smash and grab" is a big problem for ATMs. Malware isn't.

This episode, like so many before it, illustrates an unfortunate characteristic of the security industry: they exaggerate like crazy. They never admit to mitigating factors, even big, obvious ones like those in force with Backdoor.Ploutus. Yes, there may be a software vulnerability here, but it's not the actual problem.


About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
