Hackers text ATMs for cash via Windows XP flaws

Summary: With the end of Windows XP support looming, ATMs worldwide are left vulnerable -- and cyberattackers are taking advantage of the fact.

TOPICS: Security, Malware
[Image: Symantec screenshot. Credit: Symantec]

Despite early warnings, pleading and even financial lures to upgrade systems from the Windows XP operating system, many of our core services are still running on the soon to be retired system.

It's not just our grandparents that stick stubbornly to Windows XP, which is due for an end-of-life and support retirement on April 8 this year. According to Symantec researchers, the banking industry is likely to be affected on this date, as 95 percent of our ATMs -- computer systems that control access to funds -- are still running on the archaic system.

Microsoft has already warned users that they risk "zero day forever" scenarios if they fail to upgrade, and hackers are looking to cash in on the day that support is withdrawn. Once Windows XP is officially retired, no more patches or fixes will be issued by Microsoft, leaving systems more vulnerable to hacking attempts. This will likely push up the price of vulnerabilities on the black market from an average of $50,000 to $150,000 as the Redmond giant will stop investigating and releasing patches.

How will this affect our ATMs and cash withdrawals? According to Symantec researchers, it's already happening, as hackers target the systems with increasingly sophisticated techniques.

One newly discovered technique uses mobile technology to control an ATM remotely. The threat, Backdoor.Ploutus, was originally discovered in Mexico, but an English-language version now exists, suggesting that the new variant -- Backdoor.Ploutus.B -- is spreading to other countries.

By simply sending a text message to the compromised system, hackers can control the ATM, walk up to it, and collect dispensed cash.

To begin with, a cyberattacker must connect a mobile phone to the ATM via USB tethering. This creates a shared Internet connection, which can then be used to send specific SMS commands to the phone attached inside the ATM. The mobile device, if properly set up, converts the message into a network packet and forwards it on to the ATM through the USB cable.

The first message sent contains an activation ID that starts Ploutus on the ATM. A second message then sends a valid dispense command, which dupes the system into releasing money; the amount is pre-configured within the malware.

[Image: Symantec screenshot. Credit: Symantec]

This particular example demonstrated by Symantec focuses on the theft of cash, but the team say they have found several different forms of malware which target ATMs for other purposes. Some malware analyzed attempts to steal customer card and PIN data, while others attempt man-in-the-middle attacks.

While modern ATMs often have enhanced security, including encrypted hard drives, models running on Windows XP are not well protected against these types of attacks. In addition, while the money is usually locked away inside a safe, the computer system often is not -- leaving the access point to the cash vulnerable.

With specific measures in place, such as upgrading to a more secure operating system, CCTV monitoring, locking down the BIOS to prevent booting from unauthorized media, and using full disk encryption, hackers may find compromising ATMs more difficult without an insider on the job.

  • You need a physical connection to the ATM

    You need a physical connection to the ATM machine. This will automatically limit the number of attacks to a very low percentage. Any ATM in a well traveled area with security cameras will be immune. The target machines will be isolated out of the way ones that most likely run older software which arguably are the ones that should have been upgraded regardless. Once a few get hacked and the liability for the compromise falls on the owner/vendor of the machines they will upgrade them or get rid of them.
    • I agree with your assessment.

      If you hook up via USB and send the dispense cash command, you might think that way you can keep returning to it for more. But by then the hack will have been detected and the ATM probably replaced or USB ports blocked out.
      So I think you might as well just blow open the ATM and grab the cash, rather than going to all this other trouble of hacking.
      • That depends on the device...

        It can be hidden inside the unit (more tricky to install though)...

        There is a catalog entry in the NSA that indicates it could already be there though.
      • This is just one possible scenario

        Note the graf in the article that says:

        "This particular example demonstrated by Symantec focuses on the theft of cash, but the team say they have found several different forms of malware which target ATMs for other purposes. Some malware analyzed attempts to steal customer card and PIN data, while others attempt man-in-the-middle attacks."

        Some of those may not need the physical access.

        And consider that some ATMs are privately owned and in, shall we say, low-security locations...
    • Exactly

      The point is, they need to physically manipulate the machine, attach a phone to it via USB and install the malware.

      XP is only responsible for 1 part of that chain of events. Given time and effort, they could probably do the same on a Windows 7/8 machine, Linux or OS X, given physical access...

      Moving away from XP might partly mitigate the problem, but it won't eliminate it.
    • Good Point

      No but seriously, when will cheap & sensationalist journalism stop?

      In the end, if an ATM is that open to the external world, someone has to be fired. Same thing for the company that makes them. Again, seriously?
    • never assume

      I'll make just two points.

      Generally, the public's observational skills are very poor. This is why so many crimes easily go unnoticed even in areas with high traffic and cameras. And why eye witnesses are unreliable.

      Second, anyone pretending to be a service tech would not draw suspicion -- not even removing the outer shell. I see such technicians several times per week. Now I wonder if they're all legit.
      • Not Just Poor

        The public's observational skills are poor but that's not it. People are ambivalent. A young woman hit a little girl on a bicycle in Palo Alto and nobody stopped to help the little girl while she lay dying. That's not poor observational skills, that's just apathy.

        If you were to pry open an atm in the middle of San Francisco in broad daylight you think anyone will attempt to stop you? They might even know what you're up to and it wouldn't make any difference.

        I had a roommate who liked to shoot off his guns in the middle of San Francisco. Yes, it's a very high density population. How many people called the police? Just one person, me. People....don't....care....period.
  • The answer to this is simple

    Hold software manufacturers liable for product defects. MS doesn't have to provide other types of support, but a security flaw is a product defect. Failure to fix it makes you liable, no matter how old your product is. Can you imagine GE being able to say they weren't liable for your house burning down due to faulty wiring in their product because they discontinued it?
    • Unrealistic

      You're comparing apples to oranges. In a way you can almost make the comparison, however the time scale ratio would have to be appropriately matched. Maybe something like 1:8. 1 year of a technology or software product equals 8 years of a non technology or non software based product.

      Each will have a warranty and defects will be fixed by the manufacturer within that warranty period using the ratio. Then maybe your simple answer could hold weight.
    • Brilliant Idea

      I would join that class action in a New York minute!
    • Not quite accurate

      If the house burning down was due to using a product beyond its expiration date (like some products do), then they aren't liable. Also, if the wiring is run incorrectly, and that caused the fire, then GE isn't liable as long as they offered proper installation procedures prior to installation.

      But software and house wiring aren't even remotely similar. Security bugs are more like "wear and tear" in my mind, as so many outside factors can change the software in a way previously inconceivable. Windows, Linux, OS X - it doesn't matter if you did 200,000 various software and hardware configurations, next month some new hardware is released and configuration 200,001 is invented.

      Software is like a car - GM doesn't have to support any model forever, and if you get hurt because you're driving an older car that couldn't be kept up to date as GM quit making parts, well, GM isn't responsible - you should have gotten a new car that was supported.
      • Good automotive analogy Mr Farrel

        I own a Chevy that was built in the early 60s, before seatbelts were required equipment. It is now illegal to drive on most streets in the US without wearing a seatbelt, but GM is not required to provide seatbelts to me or anyone else who still owns these vehicles. It is up to me, the end user, to add seatbelts if I want to drive the car on public roads.
        • That's a better analogy, john-whorfin

          I believe you don't need seatbelts in the car to drive it, as it did not come with them - you drive it at your own risk.

          Same with required anti-lock brakes - no need to retrofit your Chevy, it's a drive knowing the risks, deal.

          BTW - I own a 65 Chevelle ragtop - I should have thought of that analogy, but my car came with the optional seat belts in the front!
          • seatbelts

            The reason I use the seatbelt analogy is there are many TV commercials, especially around holidays, reminding us to "click it or ticket". If you are driving without a fastened seatbelt you will get a ticket if a police officer pulls you over. You may eventually beat the ticket because the car was not equipped with seatbelts from the factory, but you probably will get ticketed and have to fight it. I don't know if the seatbelt laws have a loophole to allow for cars that had no belts when manufactured.
          • Cars sold without seatbelts are exempt

            I've got numerous '60s muscle cars -- some that came with seatbelts, some that didn't. Cars that did not come with seat belts are exempt from the click-it-or-ticket laws ... you might still get a ticket from an unknowing cop, but you should be able to effectively contest it in court.

            Cars made without seat belts often did not have suitable anchor points for them, so simply bolting in some belts might actually do more harm than good. The automakers have to carefully engineer and test the seat belt designs to make sure they're safe.

            That's why pre-belt cars are exempt.

            Obviously, if belts were available (optionally) for your classic car, you may have a harder time arguing the point. If you have your car's original build sheet, you could use that as proof that it did not come with belts. (Pontiac owners can get a copy from phs-online.com, btw.) But cars that were available with factory belts are usually simple to add them to, since they have the proper mounting points and the belts are engineered for the specific application.
      • GM Is Facing Lawsuits Over Defects In Products No Longer Produced

        While some of GM's more current models have the ignition key defect, it appears to go back to models produced a decade ago and for which GM still may have a liability. They may get out of the older liability because of their bankruptcy filing, but not because they are not legally liable.
        • @z_saberman

          In the US, the statute of limitations for no-charge automotive recalls is 8 years from the original date of sale of the vehicle, and it applies to manufacturing defects. So GM is not legally liable unless the defect is reported in that time frame.

          To more directly address baggins_z's original post, "Can you imagine GE being able to say they weren't liable for your house burning down due to faulty wiring in their product because they discontinued it?", I'd point out that the issue here is not faulty wiring in XP, but use of it in a way not intended, which tends to void warranty claims. A few years ago analog TV broadcasts were discontinued in the US. Millions of televisions that worked fine before this now require extra hardware to be functional. By baggins_z's rationale, TV manufacturers should have been required to supply that hardware to owners of analog televisions free of charge, even though they did not turn off the analog broadcasting equipment. Instead, the US government supplied vouchers to pay part of the cost of keeping these TVs functional, since it was responsible for turning off the transmitters. A lot of people were unhappy about having to upgrade, but it was not the manufacturers who made it necessary, so they did not have to pay for the fix.
    • In this case, ATMs are provided by other companies

      So really, it isn't Microsoft's issue, as it is the company selling the ATMs to banks that didn't upgrade the OS to a modern version (or didn't bother to actually use the right OS like XP Embedded - which is still going to receive updates from MS).
    • You have to realize

      Who is posting. baggins_z is an ABMer that has nothing better to do than troll and make crap up. The reality is XP needs to die and it is the fault of the ATM creators and the banks that they haven't been updated.

      Plus most ATMs are running XP Embedded and that is still under support, so this hack is a bunch of FUD from the writer and of course from baggins_z.