A talk demonstrating security weaknesses in a widely used automatic teller machine has been pulled from next month's Black Hat conference after the machine vendor placed pressure on the speaker's employer. Juniper Networks, a provider of network devices and security services, said it delayed the talk by its employee Barnaby …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Tuesday 30th June 2009 20:10 GMT Anonymous Coward

Useful legal argument

Whilst a vulnerable manufacturer would understandably wish such information suppressed, that such vulnerabilities exist at all largely dismantle a Bank's argument that their systems are secure and that an ATM theft "must be" the result of the Customer's carelessness.

0 0
Tuesday 30th June 2009 20:10 GMT Mike007

security by lawyer

instead of getting a competent programmer to spend a few hours closing the holes, spend millions on lawyers trying to keep it quiet - makes sense to me

0 0
Tuesday 30th June 2009 23:34 GMT Anonymous Coward

@Mike007

Where did you read about millions being spent on lawyers? Maybe you can link us to that article, because -this- one says that Juniper got a single nastygram asking for time for their programmers to spend a few hours closing the holes.

0 0
Tuesday 30th June 2009 23:34 GMT Chris C

Why general-purpose OS?

I have to say that I agree with Juniper (and the ATM vendor) in this case. While I do think the ATM vendor, and perhaps the affected ATMs, should be named and shamed, I don't think any details should be given, nor an unsecured demonstration. Given the resulting effect this would have on banks worldwide, the details should be kept secret until the vendor creates a patch and the banks have patched their machines.

Having said that, I seriously question why ATMs use general-purpose operating systems such as Windows (or Linux, or OSX, or BSD, etc). ATMs only require a limited set of functionality. This should be offered through a custom OS which only includes the required functionality. Moving ATMs to Windows (or any other general-purpose OS) is just as stupid as moving warships to Windows.

0 0
Tuesday 30th June 2009 23:34 GMT Crazy Operations Guy

When will they learn?

Always build the control software for these from the ground up, it may be tempting to use an off-the-shelf kernel (UNIX, WinNT, GNU/Linux, or whatever) but there wiull always be a vulnerability in the code. There shouldn't even be enoguh code in there to even warrant using a full-blown OS anyway. The machine only should have just the keypad, card reader, display and a modem and some sort of peripheral control system (For dispensing reciepts, money, etc.).

Most modern ATMs contain a maintenance mode to flash the BIOS, dump logs, etc. If they made the control board simple enough that an engineer could easily swap the board when it is malfunctioning or needs an upgrade. Then they would no longer need any NVRAM or any other writable memory and have all data sent over an encrypted VPN and have all the camera footage / transaction logs written to a central database. Dip it in epoxy and then only the engineers who make the board will ever know how the thing works. While this solution would be much more expensive than the current method, it will be far more secure.

0 0
Wednesday 1st July 2009 05:18 GMT Goat Jam

Asshats

If there is a known, demonstrated vulnerability in these machines, they should all be SWITCHED off until a fix is in place. It is just stupid to leave them operating when they are known to be vulnerable.

0 0
Wednesday 1st July 2009 08:23 GMT Anonymous Coward

Hmm..

I'd be more worried about how the black hats are gaining access to the machine than what OS it's running.

Regardless of what OS it's running if it's physically secure and the comms are secure then all bets are off as there's no way for the black hats to inject malware AFAIK, it's not as if the machine itself is going to respond to phishing emails or you can code your own from the keypad on the front..

0 0
Wednesday 1st July 2009 08:23 GMT Anonymous Coward

Just think for a minute...

Are you lot suggesting that a custom OS, or control software would be invulnerable? Seriously? I suspect it would probably be less secure, what with only a very few eyes checking the code. Also, would you be happy to pay for the additional cost to the bank for developing their own OS?

@David Swales - It's a bit early to say that this is proof that ATM fraud can show up as a withdrawal from a customer's account as 1) We don't know what the vuln is and 2) we don't know if it actually works. It's also not clear if any banks use the software in question.

@ Goat Jam - Yes, that's sensible - someone makes an un-verified suggestion that there is a vulnerabillity in an ATM's software so all of the banks with that ATM turn it off. I can't see any problem with that.

0 0
Wednesday 1st July 2009 09:39 GMT Anonymous Coward

Re: Why general-purpose OS?

In a sane world sure, but I've seen them before with NT4 STOP errors on (around 8 years ago, kinda hoping they have upgraded those since).

I highly doubt someone would write a custom OS and design the panic function to look exactly the same as NT4 unless it's some cunning ploy to trick people into thinking it really is NT4 just so they try and can't crack it!

0 0
Wednesday 1st July 2009 09:39 GMT MarkJ

If it gets released...

Anyone want to bet that the exploit is ridiculously simple? Buffer overflow in the card reader perhaps? I think that one has been done before to crash ATMs in the past.

0 0
Wednesday 1st July 2009 10:04 GMT Parax

@Goat Jam

Surely only they [the ATM operators] stand to loose money...And its a cost they are willing to risk, balanced against the cost [cost to customer] of shutting down every ATM. I think they are right!

cost to world of turning off atms = Trillions [in inconvienience, delays, lost sales etc]

cost of loses to un-known vuln = Thousands maybe?

its not like every ATM in the WORLD is suddenly going to discharge ALL its notes.. hmm.. what? a film?

0 0
Wednesday 1st July 2009 12:53 GMT Barry Tabrah

ATM + WiFi hotspot concerns?

This is one of the reasons why the idea of BT shoving wifi equipment in cashpoints concerned me no small amount.

0 0
Wednesday 1st July 2009 15:26 GMT Anonymous Coward

@Barry

Do you really think that a wifi hotspot in a dialup ATM is going to be a problem for network security? It'll almost certainly be ADSL with a wifi access point on the end, total network isolation, there will be about as much chance as someone using a wifi hotspot to monitor your POTS telephone as there will someone obtaining access to the ATM network for the 30secs it is dialled up at a time.

The PCI wouldn't tolorate anything that would possibly allow internet traffic to cross onto the ATM network.

0 0
Wednesday 1st July 2009 15:26 GMT Henry Wertz 1

insecure ATMs

@David Swales, this fantasy that ATM cards, credit cards, etc. are invulnerable is a British thing. Here in the US, the banks fully acknowledge the existence of fraud.

@Chris C, agreed! Using especially Windows, some regular distro, etc. is stupid. IBM used to make a specific ATM OS (and probably still sells it..), they even had a special crypto processor with a self-destruct so any jiggery-pokery to try to get card numbers etc. out of it would just result in a broken ATM.

0 0
Wednesday 1st July 2009 16:29 GMT Anonymous Coward

@Henry

That IBM OS was called OS/2.

0 0
Wednesday 1st July 2009 18:33 GMT Ian Johnston

@Chris C

Most ATMs used to run OS/2 - I believe many still do - making them the largest installed base of the OS.

0 0
Wednesday 1st July 2009 22:22 GMT John Dougald McCallum

@ henry

IBM gave up on it a long time ago but I do belive a few die hards are trying to keep it going,but the idea of a self destuct chip is a good idea until the assholes get it into their heads that they can do it any time and replace the circuit board with one of their own and their in.gathering all that lovley unencrypted data.evil geates cos it was as much Microsoft as IBM that killed os/2

0 0