ATMs on Windows XP: How Risky Is It?
Microsoft has ended official support for Windows XP. What does that mean for the security of the world's ATMs, most of which run XP?
The vast majority of the world's ATM cash machines run on Microsoft's XP operating system, which officially hit its end of life earlier this week. Does the end of XP pose a security risk for ATMs?
Though XP could create some security issues for ATMs, experts say ATM owners should probably be more concerned by vulnerabilities unrelated to XP that could impact their cash machines. And although Microsoft has ended official support for Windows XP, that doesn't mean there aren't still available support options.
XP on Life Support
A Microsoft spokesperson told eSecurityPlanet that Windows XP customers no longer receive new security updates or non-security hotfixes; therefore, devices running Windows XP should not be considered protected.
"However, it’s important to note that we’ve been working with customers and partners since 2007 about the end of support for Windows XP," Microsoft's spokesperson stated. "It’s fair to say that all our large customers and partners are aware that support has ended for Windows XP and are taking the necessary steps to migrate to a modern operating system like Windows 8.1."
The Microsoft spokesperson noted that if a company has not completed its migration from Windows XP, it can access Custom Support, which is a temporary measure designed to help large customers with complex migrations.
"This support includes critical security updates as new threats are discovered. But a modern operating system, like Windows 7 or Windows 8.1, provides the best technology to stay secure," the spokesperson stated.
Microsoft was unable to comment on any specific banking customers and whether or not they are using the Custom Support option for ATMs. "However, financial institutions like Bank of America, Citibank and Wells Fargo have publicly stated they are taking the necessary steps to protect customers," the spokesperson said.
Not Just XP
Mike Park, managing consultant at security firm Trustwave, does penetration testing on ATMs for a living. While the end of XP is a concern, ATM vendors and banks must worry about non-XP security issues as well.
"One issue that we often run into when we do ATM tests is the assumption that it is deployed on a closed network," Park told eSecurityPlanet.
That's an assumption that can leave any ATM, Windows XP-based or otherwise, at risk. Park said that he has seen plenty of ATMs deployed without network-level encryption. When the data link is not encrypted, all an attacker needs to do to obtain access is to plug into the network. While the data cable that goes into an ATM should be secured, that's not always the case. An unsecured cable can give an attacker access.
Having good locks is another ATM challenge. Park said that in the last ATM test that he performed, a member of his team was able to pick the lock in under 10 seconds.
A weak lock on the ATM casing doesn't necessarily mean an attacker will get direct access to cash, however. Secured cash boxes inside an ATM provide additional layers of security. But if an attacker can pick the main lock of an ATM whose underlying operating system, Windows XP or otherwise, is at risk from some form of malware, he can inject malware that makes the ATM dispense cash automatically.
"To be fair, the XP thing is just one more issue that we find," Park said. "You shouldn't be running XP because it's just another possible vector of attack and it should be upgraded."
While there are currently no known Windows XP vulnerabilities that have not been patched by Microsoft, that is likely to change over time, increasing the risk profile for ATMs. Park has a few suggestions for those who are in the process of migrating to a newer operating system but are still running XP.
- Use proper physical security on the ATMs. As noted above, make sure locks are strong and data cables are secured.
- Encrypt the operating system hard drive. "Many of our successful attacks occur when we can restart an ATM with a Kali Linux USB and read off the hard drive," Park said. Kali Linux is a popular open-source Linux distribution for penetration testing. If the ATM will boot from the USB and the hard drive is unencrypted, then an attacker can do what they want.
- Constantly test and monitor ATMs.
Finally, Park recommends switching to a newer OS. "In the end, if there is a zero day waiting to happen on Windows XP that can lead to a compromise, you really want to be on an operating system that is as secure as you can get," he said. "If the vulnerability is on XP it's not going to get fixed, whereas if there is a vulnerability in Windows 7 or Linux it will get fixed."
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com.