Hackers text ATMs for cash via Windows XP flaws

With the end of Windows XP support looming, ATMs worldwide are left vulnerable -- and cyberattackers are taking advantage of the fact.
Written by Charlie Osborne, Contributing Writer
Screen Shot 2014-03-25 at 09.35.23
Credit: Symantec

Despite early warnings, pleading and even financial lures to upgrade systems from the Windows XP operating system, many of our core services are still running on the soon to be retired system.

It's not just our grandparents that stick stubbornly to Windows XP, which is due for an end-of-life and support retirement on April 8 this year. According to Symantec researchers, the banking industry is likely to be affected on this date, as 95 percent of our ATMs -- computer systems that control access to funds -- are still running on the archaic system.

Microsoft has already warned users that they risk "zero day forever" scenarios if they fail to upgrade, and hackers are looking to cash in on the day that support is withdrawn. Once Windows XP is officially retired, no more patches or fixes will be issued by Microsoft, leaving systems more vulnerable to hacking attempts. This will likely push up the price of vulnerabilities on the black market from an average of $50,000 to $150,000 as the Redmond giant will stop investigating and releasing patches.

How will this affect our ATMs and cash withdrawals? According to Symantec researchers, it's already happening, as hackers target the systems with increasingly sophisticated techniques.

A new technique that has been discovered is the use of mobile technology to control an ATM remotely. The threat, Backdoor.Ploutus, was originally discovered in Mexico but is now available in the English language, suggesting that the new variation -- Backdoor.Ploutus.B -- is expanding to other countries.

By simply sending a text message to the compromised system, hackers can control the ATM, walk up to it, and collect dispensed cash.

To begin with, a cyberattacker must connect the ATM to a mobile phone via USB tethering. This creates a shared Internet connection, which then can be used to send specific SMS commands to the phone attached inside the ATM. The mobile device, if properly set up, then converts the message into a network packet and forwards it on to the ATM through the USB cable.

The first message sent contains an activation ID to start Ploutus in the ATM. Another message then sends a valid dispense command which dupes the system in to releasing money, which is pre-configured within the malware.

Screen Shot 2014-03-25 at 11.59.43
Credit: Symantec

This particular example demonstrated by Symantec focuses on the theft of cash, but the team say they have found several different forms of malware which target ATMs for other purposes. Some malware analyzed attempts to steal customer card and PIN data, while others attempt man-in-the-middle attacks.

While modern ATMs often have enhanced security, including encrypted hard drives, models running on Windows XP are not protected well against these types of attacks. In addition, while money is usually locked away inside a safe, the computer system often is not -- leaving the access point to cash vulnerable.

See also: Windows XP lives on in ATMs. Crisis?

With specific measures in place, such as upgrading to more secure operating systems, CCTV monitoring, locking down the BIOS to prevent unauthorized media and using full disk encryption, hackers may find compromising ATMs more difficult without an insider on the job.

Editorial standards