Researchers demo 'easy' Windows-based ATM hack

Security experts have claimed that up to 90 percent of UK ATMs could be at risk from attacks such as worms or malware, as they rely on desktop PC technology
Written by Nick Heath, Contributor

Security experts have hacked ATMs to show how easy it is to steal money and bank account details from modern cash machines.

ATMs today face the internet-born threat of worms and denial-of-service attacks, as well as the risk of malware that can harvest customer data or hijack machines.

Up to 90 percent of the ATMs in the UK could be at risk from these attacks as they rely on desktop PC technology (usually Intel hardware and Windows operating systems) linked to other machines — some connected to the internet — in the bank's network, according to experts.

Security vendor Network Box illustrated this threat by showing that only the PIN was encrypted when information was sent from a US ATM to networked bank computers.

The card numbers, card expiry dates, transaction amounts and account balances were clearly readable in plain text to anybody intercepting the data as it travelled through the network.

"Cabinet" ATMs, commonly found in shops, pubs and restaurants, potentially face an even greater danger, with researchers from Information Risk Management (IRM) able to open their safes and take them over.

IRM used a key bought via the internet to unlock the cabinets of three ATMs, allowing its analysts to install software that logged customers' bank details or dispensed money on command.

An early warning of this insecurity in modern ATMs came in 2003 when the Nachi internet worm infiltrated "secure" networks and infected ATMs from two financial institutions, while the SQL Slammer worm indirectly shut down 13,000 Bank of America ATMs.

Martin Macmillan, business development director with ATM security specialist Level Four Software, said: "The technology behind ATMs has changed dramatically over the last few years. Banks have largely moved their ATMs across to run operating systems such as Windows connected to a greater range of servers over an IP network.

"It creates a lot of security issues because an ATM becomes like a PC with attached devices — it has to be kept up to date with hot fixes and patches. It is a much more complex beast and the security aspects of that need to be at the forefront of a bank's mind."

He said it is important for banks to be able to monitor ATM systems at the Windows level for any security holes and to be able to shut the network down in a controlled manner if any problems arise.

Mark Webb-Johnson, chief technology officer of Network Box, said in the report: "The ATM industry is presented with the same security issues that we all face with our workstations that are connected to internet. A compromised ATM could result in a network being forced offline, and/or lost customer data and stolen identities."

Gyan Chawdhary, senior security consultant with IRM, told ZDNet.co.uk's sister site, silicon.com, that the shift among ATMs to modern PC infrastructure means it now only requires minimal programming knowledge to hack ATM machines successfully once access had been gained to its system.

Chawdhary said: "If you are a programmer and you have some programming experience then it is a cakewalk. If an exploit will work on a home or office computer then it will work on these ATMs."

Researchers from IRM were even able to unlock and clear out the safes in two out of the three UK cabinet ATMs, opening the safe using a default key code they obtained from a safe manual online.

They also reset the cabinet ATMs software using a piece of wire jammed into the receipt slot, giving them access to the engineering mode where they could control the machine.

Macmillan added that the stability of the Windows-based ATMs was worse than their OS2-based predecessors, saying some ATMs suffered downtime of up to 30 percent.

Link, the company that runs more than 61,000 cash machines in the UK, said there are stringent measures in place to prevent anybody from accessing its systems and that it will immediately shut down a network the moment it detects an intrusion.

Graham Mott, a senior Link spokesman, said: "The Link network takes the threat of a criminal attack very seriously and is constantly looking for ways to enhance system security."

Network Box warns that the software firewalls used to protect ATMs are not able to prevent DoS attacks or harvesting of consumer's personal data after the data travels through the bank's network.

It says the most effective way to protect from these new threats is to use a multifunction device with routing, firewall, intrusion detection system/intrusion prevention system and VPN capabilities, positioned in front of, and protecting, the ATM network.

It adds this device should be separated from the rest of the bank's network and that all traffic coming out of the ATM should be encrypted.

Editorial standards