Robbing ATMs by SMS: Not in the real world

Summary: Why would anyone with the ability to execute Backdoor.Ploutus, which Symantec says is used to rob ATMs with text messages, bother with it?

TOPICS: Security

It's odd how Windows XP can be about to reach end-of-life, and suddenly there's a mad rush to make money off it. Well, that's what business is all about; in this case, the computer security business.

The latest example is Symantec's story of malware on Windows XP ATMs that lets attackers dispense cash by sending the machine an SMS text message. It raises a question: Why have banks and ATM companies taken so long to deal with Windows XP and threats like this one, which Symantec names Backdoor.Ploutus? It's because they don't see them as real threats, and they have a point.

I touch on some of this in a recent story in which I find that any bank in which the ATMs can be attacked to the point of running malicious code on them has bigger problems than Windows XP on those ATMs. In any actual bank, an ATM will have heavy physical shielding protecting it from any use other than that for which it was designed: stick your card in, press buttons, take cash. Of course there are other ATMs, like the ones in convenience stores, which are often less secure physically.

Most of Symantec's blog post about Ploutus deals with what the malware does once installed. But how does it get installed? Unlike a regular PC, you can't trick the user into visiting a malicious web site or running an email attachment. That's because the scenario for Ploutus requires:

  • Physical access to the insides of the ATM
  • The ability to reboot the ATM and to have it boot off the USB port
  • The lack of just about any security software or other measures on the ATM.

In some cases, such as in a bank, access to the insides of the ATM is heavily guarded. Even in the case of the convenience store, you have to be able to pick the locks and you have to deal with security cameras. I'm sure it can be done, but it's not easy. (Yes, you could get access with an insider, but with an insider you could do a lot worse damage than this.)

The Ploutus malware is installed by booting the ATM off mass storage attached through the USB port, at which point it installs the malware on the hard disk. This requires that the ATM be set to allow booting off the USB port before the hard disk, or at least that the attacker have BIOS access to reset the boot order. Maybe this is easy in an ATM, I don't know, but if it is then it represents more mistakes made by the ATM operator.

If the attacker can boot off the USB port but the hard disk is encrypted, the attack as described is dead in the water: there is no readable Windows installation to drop the malware into. If the ATM is running decent antivirus or any of many types of security software that would detect Ploutus (like a host firewall that sees the network traffic arriving over the USB-tethered phone, or device control that flags an unexpected USB device), then the ATM will likely shut itself off and report the problem.
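The prerequisites listed above (USB boot, no security software) and the mitigations just discussed are things an ATM operator can actually check. As an added example, not code from this article, from Symantec's Ploutus write-up or from any ATM vendor, here is a PowerShell audit of the host-side pieces: autorun, the USB mass-storage driver, whether the ATM application's account is a local administrator, and whether any network adapter is hanging off the USB bus (which is exactly what a tethered phone looks like to Windows). The service account name `atmapp` is a hypothetical placeholder, and the pass criteria (0xFF for NoDriveTypeAutoRun, Start = 4 for USBSTOR) are my assumptions about a reasonable baseline, not settings the article specifies. Boot order and the BIOS password live in firmware and cannot be read from the operating system, so the script lists them as manual checks rather than pretending to verify them.

```powershell
# Added example, not code from the article or from Symantec's Ploutus write-up.
# Audits the host-side controls that decide whether a USB stick or a
# USB-tethered phone can do anything on a Windows ATM. Assumes PowerShell 2.0+
# and an elevated session (needed to read HKLM and the local group list).
# Firmware settings (boot order, BIOS password) are not visible from the OS and
# must be checked at the console; this script reports them as "manual".

function Test-AtmUsbHardening {
    param(
        # Account the ATM application runs as (hypothetical name, change it).
        [string]$AtmServiceAccount = 'atmapp'
    )
    $findings = @()

    # 1. Autorun: 0xFF in NoDriveTypeAutoRun disables it for every drive type,
    #    so a stick plugged into a live machine cannot launch anything by itself.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $findings += New-Object PSObject -Property @{
        Check = 'Autorun disabled on all drive types'
        Value = $(if ($autorun -ne $null) { '0x{0:X2}' -f $autorun } else { '(not set)' })
        Pass  = ($autorun -eq 0xFF)
    }

    # 2. USB mass-storage driver disabled (Start = 4) so removable disks do not
    #    mount while Windows is running. Booting from USB is a firmware matter; see 5.
    $usbstor = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                -Name Start -ErrorAction SilentlyContinue).Start
    $findings += New-Object PSObject -Property @{
        Check = 'USBSTOR driver disabled'
        Value = $(if ($usbstor -ne $null) { $usbstor } else { '(driver not present)' })
        Pass  = ($usbstor -eq 4 -or $usbstor -eq $null)
    }

    # 3. The ATM application should not run as a local administrator.
    $adminGroup = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $admins = @($adminGroup.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    $findings += New-Object PSObject -Property @{
        Check = "Service account '$AtmServiceAccount' is not a local admin"
        Value = ($admins -join ', ')
        Pass  = -not ($admins -contains $AtmServiceAccount)
    }

    # 4. A tethered phone shows up as a network adapter on the USB bus. An ATM
    #    has no business having one; any hit here is a finding on its own.
    $usbNics = @(Get-WmiObject Win32_NetworkAdapter |
                 Where-Object { $_.PNPDeviceID -like 'USB\*' })
    $findings += New-Object PSObject -Property @{
        Check = 'No network adapters attached over USB'
        Value = $(if ($usbNics.Count) { ($usbNics | ForEach-Object { $_.Name }) -join '; ' } else { 'none' })
        Pass  = ($usbNics.Count -eq 0)
    }

    # 5. Firmware items the OS cannot see; verify at the console.
    foreach ($item in 'Boot order: hard disk before USB', 'BIOS/UEFI setup password set') {
        $findings += New-Object PSObject -Property @{ Check = $item; Value = 'manual'; Pass = $null }
    }

    return $findings
}

Test-AtmUsbHardening | Format-Table Check, Pass, Value -AutoSize
```

A row with `Pass` false on check 4 deserves immediate attention regardless of the other results: on a machine that is only supposed to talk to the bank over its own network link, an adapter enumerated under `USB\` is either an unapproved peripheral or the tethered phone the article describes. Disk encryption is deliberately not in the list, since on XP it depends on the third-party product installed and there is no uniform way to query it.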

If an attacker had this level of access to an ATM, why would they bother with using the SMS method at all? In the real world, ATM criminals take a much less complicated attitude towards their craft: They just steal the whole ATM, take it away and use a blowtorch to open the safe inside. Yes, "smash and grab" is a big problem for ATMs. Malware isn't.

This episode, like so many before it, illustrates an unfortunate characteristic of the security industry: they exaggerate like crazy. They never admit to mitigating factors, even big, obvious ones like those in force with Backdoor.Ploutus. Yes, there may be a software vulnerability here, but it's not the actual problem.



  • Why bother?

    Because ATMs get reloaded with money...

    And it is possible to skim a LOT of cash and bank/credit cards if it survives across reboots...
    • It's going to be found quickly

      You have to leave a cell phone inside the ATM tethered through the USB port. Anyone who opens it to refill it will see.
      Larry Seltzer
    • He's right - why bother? What he's saying is that

      for you to be able to do everything needed to do this, there are far easier and less risky ways than doing all that for a one-time payout.

      Is getting caught as the insider worth the risk, as there is no other way to do this without help?
    • Nice FUD

      Most of these machines are running XP Embedded, which has support to 2015, but of course you will take any chance you get to troll against Microsoft.

      Access to the USB port is a must but you conveniently forgot to mention that part. I have seen money stolen from a bank vault before, of course it was an inside job for someone with access not some theoretical hack via SMS with a cell phone attached to a highly secure atm with a USB port exposed, sheesh.
      • No, they're not

        ATM industry people tell me that very few ATMs run the embedded version. They run the Pro version of XP "with embedded restrictions". For more on this read
        Larry Seltzer
        • Exactly

          Why do some people in this forum claim that "most" ATMs run the embedded version of XP?
    • What a crock jessepollard

      Reread the article. And then think.

      It's obvious that will probably hurt you, but please try.

      You sound like an ABM nut.
  • what you doing Bill gates?

    Actually I just don't know what he is doing with that so-called Windows XP :@
    Hackers text ATMs for cash via Windows XP flaws
    • Did you even read the article?

      They can't send an SMS to XP in the cash machine, because XP doesn't have drivers for a SIM module, oh and there is no SIM card module in the ATM.

      The crooks have to break open the device, find a way to reboot the machine off of external media, copy some files across to the hard drive, attach a phone to the USB port, reboot again and then reseal the housing on the machine.

      After that, they can start sending SMS to the machine...

      And if they can do that, then it is irrelevant what OS the ATM is running, they could as easily do that with a newer version of Windows or with Linux, having access to the hard drive without the OS loaded is the key.
  • USB traffic ...

    ... is traffic generated from a wireless USB network card.
    It has nothing to do with rebooting from USB. :-(
    • Huh?

      I have no idea what you said
      Larry Seltzer
    • reread the article

      they must first install the malware by booting from an external, USB attached storage device.

      Then they attach a phone, which sends signals upon receipt of an SMS...
  • I don't see this as implausible

    This doesn't seem all that implausible, though. It's not really an external threat, for the reasons mentioned above, but I could definitely imagine a black-market USB device which a rogue employee could (after subverting camera security) install into the ATM which emulates the tethered phone's role in the Symantec proof-of-concept, small enough to be difficult to detect visually but silently collecting bank information to be transmitted wirelessly to a mobile device, to be exploited via the traditional means.
    • I'm smelling a whole lot of "if"

      coming off this plan.
    • You don't see this as implausible?? Well..

      ..the only way it's not implausible is if it's carried out by some nut who would go to the trouble of scaling Mount Everest to find snow.

      I suppose it depends somewhat on what your personal idea of what implausible means, but trust me, by the dictionary definition, this IS implausible and that means very unlikely.
  • Recent ATM Compromise

    A recent article (within past six months) documented a case where an ATM was compromised by crooks drilling a hole into the case where the USB port is. They then inserted a USB stick to install the malware. The malware was such that a code could be typed into the ATM to show the number of bills in the machine. If sufficient large bills were present, another code would dispense them. The bank didn't know what happened until they reviewed security footage and discovered what the crooks were doing.

    Although physical security helps, it doesn't always protect against these problems.
    • Agreed. But at the same time, No OS

      can prevent, or protect against, those types of problems
      • Yes, The OS Can Prevent USB Thumb Drive Infection

        Even XP can protect against this. Don't run the ATM software as local admin. Disable booting from USB. Disable autorun on removable storage. Password protect the BIOS.

        If you really want protection without patching and virus definition updates, add a white list product like McAfee's Solidcore. Solidcore also offers enterprise-level reporting that gathers attempted violations to the white list and if executables and libraries loaded in memory get corrupted.

        Kind of amazing anything related to financial transactions isn't required to run this type of protection.
        • I talk about this in the story

          In the case you cite, where the attackers drilled holes, they could only have installed malware by rebooting the ATM, unless the ATM actually had autorun enabled, which I have a hard time believing. So once again, it could only work if there was no defense-in-depth on the system, no hard drive encryption, probably no security software at all.
          Larry Seltzer
        • I meant from an "inside job" aspect

          they physically drilled a hole in the side of the case - not something that you can do unnoticed in the middle of a busy supermarket...