Is ATM security threatened by Windows XP support cutoff? Well, yes, but …

Many of the 65,000 ATMs in the UK will become less secure once Microsoft ends extended support for the embedded version of its Windows XP operating system next month, according to security experts. From January 2016, Microsoft will be issuing no further security patches or updates for flavours of Windows still used by the …

  1. Phil O'Sophical Silver badge

    will become less secure once Microsoft ends extended support for the embedded version of its Windows XP operating system next month

    Not so, they will simply remain exactly as (in)secure as they are now.

    1. John Robson Silver badge

      Nearly - but if I had a zero day on XP embedded in my pocket now I wouldn't use it for a couple of weeks.

      Then I know that if it still works it will always work. AND I can also check the patches issued for whatever followed WinXP Embedded to see if the flaws fixed also existed in the older OS - and again, I know they won't be patched.

      The opportunities for exploit are much higher if I know that the systems will never be patched.

    2. Anonymous Coward
      Anonymous Coward

      Of course it fails to mention that XPe doesn't use service packs as an update mechanism, but DUA.

      But then this is yet more scareware stories from security "experts".

  2. theOtherJT Silver badge

    How many ATM's are properly updated anyway?

    I genuinely have no idea - but do we really believe that every ATM running XP is getting security patches applied immediately upon release every time?

    1. Anonymous Coward
      Anonymous Coward

      Re: How many ATM's are properly updated anyway?

      I know the bank I used to work for hadn't applied updates for years... although to be fair they hadn't had any problems either.

      This particular bank is still using XP on the majority of its desktops... again to be fair they haven't had any problems there either.

      I know some will say that the problems may be undetected but I think if un-patched XP on the desktop was going to bite them it would have done so by now. Mind you there'll come a time when their Virus and Firewall software will go out of support and that might cause a few problems......

      1. Roland6 Silver badge

        Re: How many ATM's are properly updated anyway?

        Mind you there'll come a time when their Virus and Firewall software will go out of support and that might cause a few problems......

        Given that some business grade AV & firewall vendors are still supporting Win2000 (SP4) in their current products, that might be some time off, provided customers keep paying ...

      2. Anonymous Coward
        Anonymous Coward

        Re: How many ATM's are properly updated anyway?

        You don't apply updates to XP embedded, it's not like XP desktop. It has a service that receives pushed updates over the network and silently installs them.

        Also because it's componentized, it's likely to be the bare minimum OS (the bare minimum on XPe can be as low as a 50MB kernel and Win32 runtime system, or anything upwards of that), and having much less in the way of attack vectors. It almost certainly doesn't have IE, nor many of the other system service vectors of desktop Windows.

        I worked with XPe for years and only about 1 in 50 patches were actually applicable to our deployed images, the vast majority of them were low priority, and given the closed nature of a cashpoint (no way of loading malware, unless you are Tom Cruise), I'm far from worried. Changing systems would be far riskier.

        1. jelabarre59

          Re: How many ATM's are properly updated anyway?

          > (no way of loading malware, unless you are tom cruise),

          Ah, he's going to stand next to it and rant about Scientology? Or will he actually make it watch one of his movies? Either way, the hardware will fry itself just to be relieved of its misery.

    2. Anonymous Coward
      Anonymous Coward

      Re: How many ATM's are properly updated anyway?

      but do we really believe that every ATM running XP is getting security patches applied immediately upon release every time?

      You can imagine wanting to get some cash on a Wednesday morning, for the machine to say "Installing updates (5 of 43). Please do not take any money."

      "It took ages at the bank this morning, they fucked up the updates again..."

  3. chivo243 Silver badge

    How to tell

    Any savvy people out there have a way to know which ATM's are running xp embedded? I would avoid them if they can be identified.

    1. Anonymous Coward
      Anonymous Coward

      Re: How to tell

      I would avoid them if they can be identified

      Then you may want to schedule regular visits to your friendly cashier as you'll find a huge chunk of machines do. Then there are your POS machines you may want to avoid as well.

      1. chivo243 Silver badge

        Re: How to tell

        @Lost all faith

        Thanks for the ATM advice, I will stick to ATM's in the bank lobby where a camera can see me withdraw cash from my account if the teller is not available. And from my post about a week ago on POS...

        "As I just told the missus...

        We will pay cash when ever POSsible! Glad we're not in the US"

      2. Lord_Beavis
        Childcatcher

        Re: How to tell

        For the longest time, the "self check out" lanes at my local Kroger grocery store used Windows NT... into 2012.

        I would laugh my ass off every time I went by one of them and it had crashed to the desktop or had a BSOD on it.

        1. Anonymous Coward
          Anonymous Coward

          Re: How to tell

          Don't look too closely when you're travelling on rail ... you might not have enough left to keep laughing ...

          1. Anonymous Coward
            Anonymous Coward

            Re: How to tell

            >Don't look too closely when you're travelling on rail ...

            Unless the requirements have changed in recent years none of the critical systems on the UK's railways, i.e. those that actually control the movement of trains, will be running an MS OS, because the contractual requirement on the supplier was for a 20 year minimum operational life; XPE only had a 15 year life and no source code access...

    2. Ugotta B. Kiddingme

      Re: How to tell

      I live in an area prone to hurricanes and other power-interrupting weather events. On two occasions, I happened to be near an ATM when the power came back on. One of those was a "through the wall at a bank" device and the other a "freestanding in a convenience store/chemist's" type. The bank device gave no clue as to operating system but the freestanding one very briefly showed the familiar XP logo.

      I don't know what the rules are on your side of the pond but, here in Yankville, freestanding ATMs often charge exorbitant fees on top of any transaction fees imposed by your bank. My personal policy is to never trust these since A) you never know who's been able to poke around the device and B) I'm too cheap to pay the extra fee unless I'm in absolute dire straits for cash. Given that I've never seen a USB port or hatch leading to one on a "through the wall" bank ATM, I believe these less likely to be compromised or even ABLE to be compromised in any manner that could be described as easy. I could, of course, be very wrong...

  4. heyrick Silver badge

    Why is this a problem?

    Surely an ATM should, by basic definition, be connected to a private "secure" network and not the public Internet? Additionally there should be no accessible ports without having physical access to the device (in which case the problem is your staff, not your hardware).

    1. Duncan Macdonald

      Re: Why is this a problem?

      One rogue staff member with access to one ATM - then let the internal "secure" network carry the malware to every other ATM - can you say "PAYDAY".

      For ATMs (and other sensitive systems), the program loader should be modified so that only digitally signed executables (including DLLs) can be loaded - this would reduce the possibility of malware execution.

      1. Adam 1

        Re: Why is this a problem?

        > the program loader should be modified so that only digitally signed executables (including DLLs) can be loaded - this would reduce the possibility of malware execution.

        Correct. No, wait hang on. We're not talking about Dell or Lenovo are we?

    2. theOtherJT Silver badge

      Re: Why is this a problem?

      Because sometimes we find flaws in things that let you escape from the secure mode in which you're supposed to be trapped. Sure, I'd hope that with a cash machine that wouldn't be possible, but sometimes really _weird_ shit gets through.

      I heard a story of a PoS terminal many years ago where one of the custom buttons on the unit mapped directly to shift. Hold down for 8 seconds and up came the "Do you want to turn on accessibility mode?" dialogue, which brought the start menu to the foreground with it. From there one could get at the "Run" menu and bad things happened.

      Again, I'd hope that you couldn't pull such a trivial trick on a cash machine... but you never know. All it takes is for someone to work out that you _can_ and then it's just a race between the machine being robbed dry and the bank taking it out of service if there's no patch available.

    3. a_yank_lurker

      Re: Why is this a problem?

      Basic rule of security: if it is connected in some way to a device on the Internet, it is on the Internet. ATMs are connected to the bank's computers so they know customer PINs, accounts, and balances. These computers are also accessible via the Internet for online banking. Therefore ATMs are connected, albeit indirectly, to the Internet.

      Now getting access to the ATM and doing something is probably very difficult. But in principle and with some sloppiness, bugs, etc. an ATM could be hacked from the outside and the inside.

      And true, there are much easier ways to defraud people and the bank than attacking the ATM itself, such as skimmers. And this lowers the possibility of an attack on the ATM.

      1. Daniel B.
        Boffin

        Re: Why is this a problem?

        Basic rule of security: if it is connected in some way to a device on the Internet, it is on the Internet. ATMs are connected to the bank's computers so they know customer PINs, accounts, and balances. These computers are also accessible via the Internet for online banking. Therefore ATMs are connected, albeit indirectly, to the Internet.

        Most ATMs are usually connected directly to the bank via some oldie goldie connections (X.25, maybe some DS0s for more modern ones). They usually connect to a network that is heavily isolated from the true internet. Pretty much anything going through to the mainframes will be firewalled as hell, and there's no way you'll get out to the internet if you're entering through the ATM links. And that's if you even have TCP/IP access. Last time I checked, many ATMs were still using proprietary protocols from the pre-TCP/IP world like SNA. Then again, that was when most ATMs were still running OS/2 WARP.

        That said ... the easiest way to get stuff off those XPe devices might just be a USB port.

  5. MJI Silver badge

    Could they just do?

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]

    "Installed"=dword:00000001
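    As an added check for anyone running a fleet rather than a home PC (this is not from MJI's post or from any vendor), the PowerShell below reads the same key on a host and flags the case where the flag is set but the OS does not identify itself as POSReady, i.e. the workaround is in use on an edition that is actually out of support. The host names are assumptions, and it assumes a genuine POSReady install reports "POSReady" in its Win32_OperatingSystem caption.

```powershell
# Added example: detect the PosReady registry workaround on a host.
# Assumes a genuine POSReady 2009 install names itself in the OS caption.
function Test-PosReadyFlag {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # OS identity as the machine itself reports it
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName

    # Read HKLM\SYSTEM\WPA\PosReady\Installed (the key quoted in the post)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hklm.OpenSubKey('SYSTEM\WPA\PosReady')
    $installed = if ($key) { [int]$key.GetValue('Installed', 0) } else { 0 }
    if ($key) { $key.Close() }
    $hklm.Close()

    [pscustomobject]@{
        Computer     = $ComputerName
        Caption      = $os.Caption
        Version      = $os.Version
        PosReadyFlag = ($installed -eq 1)
        # Flag present but caption does not say POSReady: registry workaround,
        # so the host is really an out-of-support XP edition.
        Workaround   = ($installed -eq 1 -and $os.Caption -notmatch 'POSReady')
    }
}

# Usage: hypothetical host names, keep only hosts where the workaround is present
'atm-01', 'atm-02' |
    ForEach-Object { Test-PosReadyFlag -ComputerName $_ } |
    Where-Object { $_.Workaround } |
    Format-Table -AutoSize
```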

    1. chivo243 Silver badge

      Re: Could they just do?

      I don't think this will help when support ends... in 2016! I read this is a hack to extend xp sp3, but not proven stable?

      1. Anonymous Coward
        Anonymous Coward

        Re: Could they just do?

        It's against licensing terms to add that registry key, but POSReady 2009 is supported until 2019. It should in theory work, but it may not be stable.

        1. MJI Silver badge

          Re: Could they just do?

          Seems fine on a PC at home

          1. Anonymous Coward
            Anonymous Coward

            Re: Could they just do?

            "Seems fine on a PC at home"

            With that sort of reasoning, I hope you're not involved with any mission-critical systems.

            1. MJI Silver badge

              Re: Could they just do?

              Why?

              Just because the OS I put on the PC when built (just before 7 release) still works and does what I need it to with no whinging about 16 bit programs, or that Alt-Enter gives me a full size CMD prompt.

              Can't see why I should pay more for another OS when the one on it works.

              And I do have an escape route: a 500GB drive with Linux Mint Cinnamon on it and WINE; it can access C and D as well, which are the two NTFS drives.

              Not all games though work in Linux

        2. The Average Joe

          Re: Could they just do?

          No it will not work.

          XPE is a slimmed down OS, no Windows updates, or if you do you fill up the flash.

          I had a young developer helping in IT when we tried to deploy Neoware XPE thin clients to do RDP to a terminal server farm. He said it was locked down so they could ONLY run RDP. 6 months later they are connecting to the un-encrypted city WIFI, surfing porn and have a fake AV trojan running on it.

          LOL, as soon as I saw that they got a HP running ThinPro (Linux) for RDP and the issue was solved.

          The same intern tried to get the Cisco VPN client, McAfee Enterprise client, Sun JRE for our ERP system and Sprint 3G modem to work and found out XPE looks like windows but is really missing too much windows to get windows apps to work.

  6. Sleep deprived
    Happy

    Could they just move them back to OS/2?

    Good ol' Warp used to run lots of ATMs.

    1. Anonymous Coward
      Anonymous Coward

      Re: Could they just move them back to OS/2?

      also iirc it ran some rail ticketing machines in UK - the DLR comes to mind for some reason, but I may well be wrong there (I'm talking about ten years ago, prob more - but still a long time after Warp was no longer shipping)

    2. Anonymous Coward
      Anonymous Coward

      Re: Could they just move them back to OS/2?

      I wish! The OS/2 ATMs were so much faster than these damn XPe ones. They're so crazy slow it's aggravating!

    3. Daniel B.
      Boffin

      Re: Could they just move them back to OS/2?

      Good ol' Warp used to run lots of ATMs.

      I second that motion. The OS/2 ATM era was very good.

  7. Anonymous Coward
    Anonymous Coward

    vendors

    If the ATM manufacturers were serious about security then they would not be cancelling support on 'old' ATMs that have an upgrade path to Win7 - in the case of one vendor they even went so far as to sell upgrade kits only to advise customers that they were cancelling support end of 2016 AFTER the customers bought the upgrade kits - and when a newly installed ATM is close to 50k then it's to be expected that there will be many ATMs that are still running WinXP after support ends...

    As a caveat (and as someone mentioned earlier) most banks do run ATMs in a completely private and separate network, going direct to the system driving the ATM....this makes the chances of something happening much lower - and there have to be 2 staff present whenever an ATM is serviced - so the likelihood of a staff member installing a virus is also a limited vector...

  8. Someone Else Silver badge
    Coat

    I see a marketing opportunity here...

    Any machine still running Windows XP Embedded Service Pack 3 (SP3) from mid January onwards is therefore at greater risk because software updates and support have been withdrawn. The plug gets pulled on Windows Embedded for Point of Service SP3 slightly later on 12 April 2016.

    Can't wait until these ATMs start displaying a solicitation to install Windows 10 Embedded in the lower right-hand corner of the screen....

  9. azaks

    Yawn...

    Just another crisis invented by a company with the silver bullet that will fix it.

    Would it really be cheaper to license this software, test it so that it doesn't do more harm than good, and then deploy it to every ATM or just move to a supported OS?

    And as many have pointed out, ATMs are extremely limited in their ability to interact with any untrusted code, so the usual rules don't apply.

  10. Anonymous Coward
    Anonymous Coward

    Why the F*#k are they using windows?

    Seriously, this should be a cut-down Linux purpose built for the task.

    I blame lazy IT managers for this.

    And I say that from a position of knowledge of one particular company that an in-law worked at. Their IT manager told the systems design folks to just use Windows because it was easier. I think he just wanted his bonus.

    Anon because I think there may still be some contractual stuff that still applies to the in-law.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why the F*#k are they using windows?

      There should be no practical difference to using a cut down, purpose built, Linux OS, to using a cut down, purpose built, windows OS for the task. This is not a consumer windows system with all sorts of services running in the background doing who knows what, it is the bare minimum to run one single, specific, application.

      If you recall the fairly recent hacking competition where they had the full windows, Linux and OSX primed to be hacked, first to compromise it wins a laptop etc. No-one even bothered to try on the first day when it was just the OS installed. All the attack vectors were through things installed on top of the base OS.

      I'd be far more worried about the less-than-minimum-wage guy in India who wrote the bank's application running on the thing, compromising it at source, than someone breaching Windows.

  11. Cynic_999

    Why on Earth does an ATM need to use a complex OS at all? ISTM that a simple board with one of the plethora of low-end SoC chips and a few hundred kB of RAM and Flash (if that) would easily be able to cope with the functions required of an ATM - and while obscurity does not equate to security, it would be more difficult to find an attack vector for an embedded SoC running relatively simple custom code than a complex multi-tasking general OS that is readily available to potential attackers - and a heck of a lot easier to check the code for security flaws before deployment. After all, the required functionality is not all that more complex than a modern washing machine - albeit with a lot more checks & guards in the code to ensure that memory corruptions and hardware/mechanical faults result in a safe failure mode. In fact everything apart from encryption and VGA screen driver could be achieved using an 8 bit PIC running at a few MHz. I'm sure the money saved by using a Raspberry Pi instead of a full PC motherboard would pay for a couple of competent SoC programmers - which is all you'd need to develop & maintain it.

    1. Ken Hagan Gold badge

      Maybe if all the banks clubbed together they could afford this sort of bespoke development. :)

      As an extra benefit, if all banks were using a common ATM design, there would be less to harmonise when the next merger happened. (That might be sooner than they'd like if some of them are relying on XP to keep their cash safe.)

      1. JassMan
        Happy

        @Ken Hagan

        Yup! Many car manufacturers have got together and created the GENIVI alliance to run a Linux core on CANBUS systems with just the display layer being tweaked by individual manufacturers to give branding.

        Surely it would make sense for the banks to do something similar. If they used a cut down Linux system, it would give a new lease of life to all that creaking old hardware.

        1. John Tserkezis

          Re: @Ken Hagan

          "Yup! Many car manufacturers have got together and created the GENIVI alliance to run a Linux core on CANBUS systems with just the display layer being tweaked by individual manufacturers to give branding."

          Yep. That's why you can hack those cars with just their IP address.

  12. Bladeforce

    Who the hell...

    ..thought an ATM running windows was a good idea knowing full well they will be at the whim of a corporation's beck and call? I mean come on, FORWARD THINKING PEOPLE. Windows should never be used on any corporations machines for THIS reason alone

    1. martinusher Silver badge

      Re: Who the hell...

      Windows turns up in a lot more places than you'd think prudent. A lot of industrial control systems run on Windows. Windows XP, in fact. You can't just "upgrade" them because Microsoft has effectively rendered a lot of peripherals and language libraries obsolete when they went to Win7.

      The moral of the tale, of course, is that nobody in their right mind should be using Windows for anything more exacting than a desktop running simple user software. Unfortunately corporate management -- and a lot of programmers -- aren't in their right minds these days so Windows persists. It's good to be more-or-less retired; I don't have to deal with this any more.

      1. Roland6 Silver badge

        Re: Who the hell...

        In some respects it is funny that MS, having spent the 80's and 90's getting the world to use its OSs - which the world did with 2003/XP, making these the bedrock of much of our modern IT environment -

        decided it would be a good idea to simply ditch these OSs and deliver a whole series of cocked up OSs (Win7 was really just the production ready version of Vista, and Win10 still has a long way to go before it can be regarded as a production ready version of Win8).

        I expect many in the embedded market to be seriously thinking about what to replace these legacy XP systems with - it wouldn't surprise me if MS has already been put on the list of non-contenders...

        Perhaps I should be brushing up my RTOS & VRTX skills...

      2. Paul Hovnanian Silver badge

        Re: Who the hell...

        "A lot of industrial control systems run on Windows. Windows XP, in fact."

        This.

        And I've seen some HMI software look for IE6 before starting. Not that the HMI actually uses IE6, but it was written by a Microsoft shop with Microsoft tools. And those tools appear to have been written to keep people from porting the code away from Windows. And stick customers with upgrade fees triggered by MS upgrades. Small shops (without IT departments) just kept their systems on XP/IE6 and now they are stuck. Any maintenance will require an old system for development or rip out the PLCs, take the ladder logic diagrams and start over. With their luck, using a development platform locked to IE10.

    2. Someone Else Silver badge
      WTF?

      @bladeforce -- Re: Who the hell...

      I mean come on, FORWARD THINKING PEOPLE.

      Are you outcherfukinmind?!? These are banks, people! They stand as much chance of thinking forward as I have winning the lottery. Twice. In the same Day! With different numbers!!

      1. Paul Hovnanian Silver badge

        Re: @bladeforce -- Who the hell...

        "winning the lottery. Twice. In the same Day! With different numbers!!"

        But banks are used to winning the lottery every day. Thanks to the Federal Reserve (or the national bank of your choice) forcing truckloads of free money on them in the form of quantitative easing.

        Maybe they are waiting for the ATM fairy to appear, wave her wand over their configuration mess and make it all better.

    3. Anonymous Coward
      Anonymous Coward

      Re: Who the hell...

      Most of the big ATM manufacturers - namely Diebold, Wincor and NCR - not sure about Triton, but they're mainly into cash dispensers...

      I've asked the same question year after year since they shifted from os2 to windows - and have yet to hear a reason from anyone...

      The fact that it's a locked down version doesn't really help much - anyone with physical access can always change things in a negative way....

      1. Anonymous Coward
        Anonymous Coward

        Re: Who the hell...

        No - they can't. Physical access to the unit doesn't provide access to the OS - even with diagnostics access.

        1. Hans 1

          Re: Who the hell...

          >No - they can't. Physical access to the unit doesn't provide access to the OS - even with diagnostics access.

          Oh, come on ... Some bloke managed to rip off a piece of plastic and access a CD-ROM drive, put a CD with malware on it, autorun and 0pla, 0wned. Others have been 0wned via USB as well ... It has happened, not all ATMs are locked-down ... I have seen, and others have reported here, that some ATMs run Windows XP Pro, I have seen BSODs on several which confirm that - I doubt a dumbed-down XPE system has "Windows XP Professional" printed on the BSOD, right?

    4. John Tserkezis

      Re: Who the hell...

      "Windows should never be used on any corporations machines for THIS reason alone"

      Nice, but unfortunately, it'll never happen - Windows programmers are cheaper than any of the alternatives.

  13. Anonymous Coward
    Linux

    Secret Integrity Sauce™

    "UK startup Abatis is marketing .. Host Integrity Technology, as a means to defend against malware"

    Didn't this use to be called a ROM? Which begs the question as to why an Embedded OS needs protection against malware. Of course no one in his right mind would run an ATM on Windows in the first place.

  14. Herby

    It isn't only ATM's!!

    Many medical instruments are attached to some form of Windoze. I worked for a company that made pacemakers, and while the pacemaker itself was a low power 8 bit micro, they usually had an interface to a more powerful (read windows) computer. Some medical instruments also use Windows as a nice "shiny-shiny" interface to those who can only deal with a mouse.

    I've heard stories of medical equipment that was "certified" by the FDA and "locked down" in a hospital environment. Then used as an email machine by the operator only to be nicely infected. But since it was "certified" and not allowed updates, they couldn't even put an anti-virus on it.

    And we thought computers made things better. Guess again if you are using vulnerable software.

  15. Anonymous South African Coward Bronze badge

    Was also thinking of going back to OS/2 - but then the ne'er-do-wells will start to code and target OS/2 as well.

    A hardened, minimal Linux distro should do the trick.

    Unfortunately, no matter the OS, the weak point is the technical person maintaining/installing the system... if you can get said tech in your pocket, then you're guaranteed access to the kingdom.

    Unless said machines are set up and tested before they're getting rolled out, and the field install tech only need to plop it down and switch it on. Also, said field install tech will NOT have the password(s) for the currently installed OS.

    Meh, can be going on for hours like this. There's too many security vulnerabilities.

  16. JaitcH
    Happy

    ATM security threatened by Windows XP support cutoff? What about Vietnamese police?

    Almost every street level Vietnamese police station and office, as well as the data entry centres for the Internal Security Police, are filled with aged computers running that great OS - Windows XP.

    Another curious feature is the fact most have the same serial number! Of course, since the very same police monitor software piracy, the latter shouldn't prove an insurmountable problem.

    Perhaps the solution is to switch to Linux to avoid a big hardware bill.

  17. Anonymous Coward
    Anonymous Coward

    Some clarity

    - Most (there are some exceptions) ATMs run Windows XP Pro not embedded.

    - Many are moving to Windows 7

    - These ATMs have most Windows services disabled and most common desktop attack vectors aren't available (no outlook, web browsing etc).

    - Windows is the platform of choice because it has an abstraction layer called XFS that gives a standard interface to the underlying devices so (theoretically) one ATM application can run on any vendor's ATM. This isn't going to change any time soon.

    - These ATMs also have virus scanners installed - which can cause more problems than they solve because they're not designed for an 'unattended' environment where the user can't babysit them.

    - The most prepared banks have fit for purpose security products installed which are designed for ATMs and include AV, HDD encryption, firewalls, whitelisting, USB device control/blocking etc

    - A different OS won't add much more (if any) security beyond what is already available to the banks today.
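    Duncan Macdonald's signed-executables suggestion earlier in the thread and the whitelisting bullet above are the same control. The PowerShell below is an added example, not from any commenter or ATM vendor: it audits an application directory (the path and the publisher name are assumptions) for EXEs and DLLs whose Authenticode signature is missing, broken, or from an unexpected signer, and records SHA-256 hashes for building a hash whitelist. It needs PowerShell 4 or later for Get-FileHash, so it is run from an admin workstation against a mounted image, not on the XP host itself.

```powershell
# Added example: Authenticode and signer audit of an ATM application tree.
# $Path and $TrustedPublishers are illustrative assumptions.
param(
    [string]$Path = 'C:\ATMApp',
    [string[]]$TrustedPublishers = @('CN=Example ATM Vendor')
)

function Get-BinaryTrustReport {
    param([string]$Root, [string[]]$Publishers)

    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # A Valid status only says the signature chains to a trusted root;
            # the signer must also be one this fleet actually expects.
            $knownSigner = $false
            foreach ($p in $Publishers) {
                if ($subject -like "*$p*") { $knownSigner = $true }
            }

            [pscustomobject]@{
                File    = $_.FullName
                Status  = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer  = $subject
                Allowed = ($sig.Status -eq 'Valid' -and $knownSigner)
                Sha256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$report = Get-BinaryTrustReport -Root $Path -Publishers $TrustedPublishers

# Anything not Allowed is either unsigned, tampered, or signed by a party the
# whitelist does not know about; each is a finding to investigate before go-live.
$report | Where-Object { -not $_.Allowed } | Format-Table Status, Signer, File -AutoSize

# The hashes of allowed binaries seed a hash-based whitelist for the fleet.
$report | Where-Object { $_.Allowed } | Select-Object Sha256, File |
    Export-Csv -Path (Join-Path $Path 'whitelist.csv') -NoTypeInformation
```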

    1. Hans 1
      Windows

      Re: Some clarity

      >- Windows is the platform of choice because it has an abstraction layer called XFS that gives a standard interface to the underlying devices so (theoretically) one ATM application can run on any vendor's ATM. This isn't going to change any time soon.

      J/XFS

      1. Dan 55 Silver badge

        Re: Some clarity

        J/XFS

        Hmm, from MS to Oracle (with new special Java SE rates come January 2019). It's a tough sell.

  18. patrickstar

    This reminds me of an appliance running XP Embedded I worked with many years ago. It actually got Conficker! But this wasn't some hyper-slimmed down version but rather vanilla no-service-pack XP without some of the fluff - you could plug in a monitor or RDP to it and use it just like a normal desktop. AFAIK XPE means you build a custom install image and can enable exactly what you need - I guess a certain vendor didn't bother.

    On an ATM related note, I've actually found an ATM with the UI made in Flash! Fiddle with the touchscreen a bit and it gives you the right-click menu from the standalone Flash Player... at least they could've used AIR so it resembled a normal application.

  19. oomwat
    Trollface

    Can we have a popcorn icon please?

  20. Anonymous Coward
    Anonymous Coward

    Go behind the ATM and connect directly, not through the network.
