A talk demonstrating security weaknesses in a widely used automatic teller machine has been pulled from next month's Black Hat conference after the machine vendor placed pressure on the speaker's employer. Juniper Networks, a provider of network devices and security services, said it delayed the talk by its employee Barnaby Jack …
Useful legal argument
Whilst a vulnerable manufacturer would understandably wish such information suppressed, that such vulnerabilities exist at all largely dismantles a bank's argument that their systems are secure and that an ATM theft "must be" the result of the customer's carelessness.
security by lawyer
Instead of getting a competent programmer to spend a few hours closing the holes, spend millions on lawyers trying to keep it quiet - makes sense to me.
Where did you read about millions being spent on lawyers? Maybe you can link us to that article, because -this- one says that Juniper got a single nastygram asking for time for their programmers to spend a few hours closing the holes.
Why general-purpose OS?
I have to say that I agree with Juniper (and the ATM vendor) in this case. While I do think the ATM vendor, and perhaps the affected ATMs, should be named and shamed, I don't think any details should be given, nor an unsecured demonstration. Given the resulting effect this would have on banks worldwide, the details should be kept secret until the vendor creates a patch and the banks have patched their machines.
Having said that, I seriously question why ATMs use general-purpose operating systems such as Windows (or Linux, or OSX, or BSD, etc). ATMs only require a limited set of functionality. This should be offered through a custom OS which only includes the required functionality. Moving ATMs to Windows (or any other general-purpose OS) is just as stupid as moving warships to Windows.
When will they learn?
Always build the control software for these from the ground up. It may be tempting to use an off-the-shelf kernel (UNIX, WinNT, GNU/Linux, or whatever), but there will always be a vulnerability in the code. There shouldn't even be enough code in there to warrant using a full-blown OS anyway. The machine should only have the keypad, card reader, display and a modem, and some sort of peripheral control system (for dispensing receipts, money, etc.).
Most modern ATMs contain a maintenance mode to flash the BIOS, dump logs, etc. If they made the control board simple enough that an engineer could easily swap the board when it is malfunctioning or needs an upgrade, then they would no longer need any NVRAM or any other writable memory, and could have all data sent over an encrypted VPN and all the camera footage / transaction logs written to a central database. Dip it in epoxy and then only the engineers who make the board will ever know how the thing works. While this solution would be much more expensive than the current method, it will be far more secure.
If there is a known, demonstrated vulnerability in these machines, they should all be SWITCHED off until a fix is in place. It is just stupid to leave them operating when they are known to be vulnerable.
I'd be more worried about how the black hats are gaining access to the machine than what OS it's running.
Regardless of what OS it's running, if it's physically secure and the comms are secure then all bets are off, as there's no way for the black hats to inject malware AFAIK. It's not as if the machine itself is going to respond to phishing emails, or you can code your own from the keypad on the front.
Just think for a minute...
Are you lot suggesting that a custom OS, or control software would be invulnerable? Seriously? I suspect it would probably be less secure, what with only a very few eyes checking the code. Also, would you be happy to pay for the additional cost to the bank for developing their own OS?
@David Swales - It's a bit early to say that this is proof that ATM fraud can show up as a withdrawal from a customer's account as 1) We don't know what the vuln is and 2) we don't know if it actually works. It's also not clear if any banks use the software in question.
@ Goat Jam - Yes, that's sensible - someone makes an unverified suggestion that there is a vulnerability in an ATM's software, so all of the banks with that ATM turn it off. I can't see any problem with that.
Re: Why general-purpose OS?
In a sane world sure, but I've seen them before with NT4 STOP errors on (around 8 years ago, kinda hoping they have upgraded those since).
I highly doubt someone would write a custom OS and design the panic function to look exactly the same as NT4 unless it's some cunning ploy to trick people into thinking it really is NT4 just so they try and can't crack it!
If it gets released...
Anyone want to bet that the exploit is ridiculously simple? Buffer overflow in the card reader perhaps? I think that one has been done before to crash ATMs in the past.
Surely only they [the ATM operators] stand to lose money... And it's a cost they are willing to risk, balanced against the cost [cost to customer] of shutting down every ATM. I think they are right!
Cost to world of turning off ATMs = Trillions [in inconvenience, delays, lost sales etc]
Cost of losses to unknown vuln = Thousands maybe?
It's not like every ATM in the WORLD is suddenly going to discharge ALL its notes.. hmm.. what? A film?
ATM + WiFi hotspot concerns?
This is one of the reasons why the idea of BT shoving wifi equipment in cashpoints concerned me no small amount.
Do you really think that a wifi hotspot in a dialup ATM is going to be a problem for network security? It'll almost certainly be ADSL with a wifi access point on the end, total network isolation. There will be about as much chance of someone using a wifi hotspot to monitor your POTS telephone as there will be of someone obtaining access to the ATM network for the 30 secs it is dialled up at a time.
The PCI wouldn't tolerate anything that would possibly allow internet traffic to cross onto the ATM network.
@David Swales, this fantasy that ATM cards, credit cards, etc. are invulnerable is a British thing. Here in the US, the banks fully acknowledge the existence of fraud.
@Chris C, agreed! Using especially Windows, some regular distro, etc. is stupid. IBM used to make a specific ATM OS (and probably still sells it..), they even had a special crypto processor with a self-destruct so any jiggery-pokery to try to get card numbers etc. out of it would just result in a broken ATM.
That IBM OS was called OS/2.
Most ATMs used to run OS/2 - I believe many still do - making them the largest installed base of the OS.
IBM gave up on it a long time ago, but I do believe a few die-hards are trying to keep it going. But the idea of a self-destruct chip is a good idea until the assholes get it into their heads that they can do it any time and replace the circuit board with one of their own, and they're in, gathering all that lovely unencrypted data. Evil Gates, cos it was as much Microsoft as IBM that killed OS/2.