Two news items made the rounds last week. Both involved hacking, and both are (probably) bogus. I think the news says more about us as users of technology than it does about the technology itself.
First, bloggers were wringing their hands over the planned wind-down of Windows XP. After 13 years, it’s time for XP to ride off into the sunset, and so Microsoft warned users that it would stop shipping fixes and security patches for XP. No big deal, right?
Within hours of each other, nearly a dozen different blogs were keening about security risks at bank ATMs. Seems many, if not most, of the automated teller machines installed in the U.S. use Windows XP as their operating system. (You’d never know it, because the user interface is covered by bank-branded replacements.) “ATMs to get hacked!” they wailed. “XP vulnerability spells doom for banking!”
Geez, people, have you never heard of embedded systems? Just because Aunt Edna’s old PC will stop getting automatic updates doesn’t mean the ATM network is suddenly exposed. Do they really think ATMs are connected to the public Internet? Without a firewall? And have been downloading random updates from Microsoft all this time? And that they run downloaded code?
Even the most inexperienced, first-year embedded programmer would know better than that. Any respectable ATM would execute one, and only one, program. A program stored directly in ROM. That’s ROM without an E or a P, by the way, as in not erasable and not programmable. A ROM that’s been checked, double-checked, and checksummed out the wazoo. Does anyone really think banks would let their ATMs run anything else? “Oh, Mister Rockefeller! We got a new software update from that nice Nigerian prince who’s been writing to us! Shall I download it to all of our ATMs?”
The fact that those ATMs are running Windows XP is largely irrelevant, and the fact that XP no longer gets regular updates from Redmond is equally irrelevant. Nobody at Diebold is simply slapping their firmware on the latest XP release du jour. It’s an embedded system, and that means closed box. I don’t recall ever hearing about ATMs getting hacked before, and XP’s status won’t change that. The ATMs will be just as secure tomorrow as they ever were.
Meanwhile, and apparently coincidentally, a number of news outlets frightened us all away from our refrigerators. Evidently about 100,000 home appliances had been hacked, a sinister side effect of the encroaching Internet of Things. “You see?” the report seemed to warn, “you start connecting stuff to that Internet thing the kids are talking about and this happens!”
According to second-hand reports, about 750,000 spam e-mails had been sent from a botnet made up of consumer-electronics goods, including home routers, smart TVs, and “at least one refrigerator.” Naturally, nearly every outlet led with the refrigerator example. The e-mails apparently went out in seven spasms over a period of two weeks.
The fact that the initial report originated from a hitherto relatively unknown anti-malware company wasn’t suspicious in itself. After all, these are exactly the kind of guys you’d expect to be on top of the latest trends in new viruses, Trojans, and security issues in general. But a closer reading of the report suggests that its wording was calculated to generate maximum fear and media exposure.
The report also says the researchers tracked the spambots back to their originating IP addresses. Fair enough, but IoT devices in general (and home electronics in particular) usually share a single public IP address with every other device on the same local network. In a home, every PC, tablet, TV, and game console sits behind one cable or DSL router, gets a private address from it, and appears to the outside world as that router’s one public address. How do the researchers know the spam came from the game console and not, say, a PC running Windows XP (snark) on the same network?
In their defense, the researchers said they probed the offending IP addresses, and “things” would answer. That’s swell, but I can probe my own router’s WAN IP and get various devices to answer, too. Port forwarding, NAT, and firewalls weren’t built to hide devices, but hiding them is the effect: an outside probe reaches whichever device the router forwards that particular port to, or the router itself, and nothing else. The device that answers a ping (usually the router) isn’t necessarily the one that was speaking SMTP.
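To make the attribution problem concrete, here is an added example (not code from the original post) that models a home network behind one NAT router. The LAN addresses, device names, port-forward table and spam flows are all constructed; the point it demonstrates is that from the receiving mail server’s side every host behind the router is an equally plausible sender, that only the router’s own connection-tracking table can pick one out, and that a probe of the WAN address reaches whatever device happens to have that port forwarded, not necessarily the one that sent the mail.

```python
"""Why a public IP address does not identify the device behind it.

Added example, not from the original post: a toy model of a home network
behind one NAT router. The LAN, device names, port-forward table and spam
flows below are all constructed for illustration.
"""
from dataclasses import dataclass
from itertools import count

WAN_IP = "203.0.113.7"  # constructed public address of the router (TEST-NET-3)

# Constructed LAN: four devices that all share the single public address above.
LAN = {
    "192.168.1.10": "desktop-pc",
    "192.168.1.20": "smart-tv",
    "192.168.1.30": "game-console",
    "192.168.1.40": "refrigerator",
}

# Constructed inbound forwardings (DNAT), the kind UPnP lets a device add for
# itself. Inbound traffic to any (proto, port) not listed is handled by the router.
PORT_FORWARDS = {
    ("tcp", 80): "192.168.1.20",    # TV exposes its web UI on the WAN side
    ("tcp", 8080): "192.168.1.40",  # fridge exposes its web UI on the WAN side
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Source NAT with a connection-tracking table, as a home router does it."""

    def __init__(self):
        self.conntrack = {}         # (proto, wan_port) -> original LAN flow
        self._ports = count(40000)  # constructed allocator for translated ports

    def translate_outbound(self, flow: Flow) -> Flow:
        """Rewrite a LAN host's outbound flow so it leaves with WAN_IP as source."""
        wan_port = next(self._ports)
        self.conntrack[(flow.proto, wan_port)] = flow
        return Flow(WAN_IP, wan_port, flow.dst_ip, flow.dst_port, flow.proto)

    def attribute_with_conntrack(self, seen: Flow) -> str:
        """Only the router's own NAT table maps a WAN-side flow back to a LAN host."""
        return LAN[self.conntrack[(seen.proto, seen.src_port)].src_ip]

    @staticmethod
    def inbound_responder(proto: str, port: int) -> str:
        """Which device answers an unsolicited probe to WAN_IP on this port."""
        target = PORT_FORWARDS.get((proto, port))
        return LAN[target] if target else "router"


def attribute_from_outside(seen: Flow) -> set:
    """What a receiving mail server can conclude from the source address alone:
    every host behind that NAT is an equally plausible sender."""
    if seen.src_ip != WAN_IP:
        raise ValueError("flow did not come from the modelled router")
    return set(LAN.values())


def demo():
    """Two spam connections, one from the fridge and one from the PC."""
    router = NatRouter()
    mx = "198.51.100.25"  # constructed receiving mail server (TEST-NET-2)
    from_fridge = router.translate_outbound(Flow("192.168.1.40", 51000, mx, 25))
    from_pc = router.translate_outbound(Flow("192.168.1.10", 51001, mx, 25))
    return router, from_fridge, from_pc


if __name__ == "__main__":
    router, f, p = demo()
    print("seen by the mail server:", f.src_ip, "and", p.src_ip)
    print("outside attribution:", attribute_from_outside(f))
    print("router's conntrack says:", router.attribute_with_conntrack(f),
          "/", router.attribute_with_conntrack(p))
    print("probe WAN tcp/80 reaches:", NatRouter.inbound_responder("tcp", 80))
    print("probe WAN icmp reaches:", NatRouter.inbound_responder("icmp", 0))
```

The forensic takeaway is the same one an incident responder lives with every day: a source IP from a residential range names a gateway, not a host. Without the gateway’s NAT or DHCP logs (or the ISP’s), the honest answer to “which device sent it?” is the whole candidate set.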
Then there’s the software question. How, exactly, do you infect a hundred thousand different devices running different operating systems on different processor architectures with different – radically different – connectivity features and options?
The devices reportedly included a mix of ARM, MIPS, and other processor architectures. A “vast number” were running Linux, but not all. (And there are many variations of Linux.) Some use mini-httpd; some use Apache. In short, it’s a pretty mixed bag of hardware and software. What malware runs on routers and NAS and TVs and game consoles and at least one refrigerator?
It’s not like infecting a raft of Windows XP machines (oops, there I go again) where it’s a homogeneous target environment. What could all of those devices have in common that would allow them all to be infected? Not Java; not assembly code; not an OS exploit. It’s one thing to leave a device vulnerable – neglecting to reset the factory-default password, for example – but it’s another thing to somehow implant it with malware that’s able to send out e-mail on a regular schedule.
What this ATM XP and IoT FUD remind me of is Y2K. Remember that? Everyone was worried their computer (and they generally were computers 14 years ago) would “go haywire” (a term of art) at the end of 1999 because the clock/calendar hadn’t been programmed correctly to deal with the new date. Or something like that. Nobody was really sure. We just knew it was going to be bad. A few colleagues of mine made good money rewriting code for panicked clients who were sure – just sure – that Y2K would ruin their equipment. Too bad that kind of lucrative opportunity only comes along once every thousand years.
The same effect seems to be working here. Combine a faulty understanding of technology with a vague unease about the pace of progress and you have all the ingredients for a witch hunt or a Martian invasion. It’s all too easy to prey on the fears of the populace. And with so many people getting their news through social media, it’s the attention-grabbing memes that spread, not the ones that are important. Or true. In a sense, our attention-deficit culture is the real victim, infected by a need to rapidly confirm or deny our preconceived bias.
3 thoughts on “XP ATM IoT FUD”
“Cash machines raided with infected USB sticks”
Not a networked hack but maybe using XP did make them vulnerable.
Sorry, Jim, but you’re going to have to wait more than a thousand years to get that next income bump. We do four digits now, so you’ll have to wait until the year 9999. Then we can all freak out again.
As usual, the experts are smarter than me.
Regarding the “infected” consumer electronics, they weren’t technically infected in the usual sense of contracting a virus or hosting malware. Rather, the devices in question all had email-sending capability without proper safeguards. The malefactors simply made use of free e-mail relays that were sitting around unguarded.
The researchers further theorized that, although such devices aren’t usually connected to the Internet directly, they are probably connected through a router that supports UPnP, making it (deliberately) simple for said devices to open up WAN ports to themselves.
Here’s more detail:
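The “unguarded relay” failure described in the comment above, and the question earlier in the post of what a router, a TV and a refrigerator could possibly have in common, both come down to the same check: does the device accept mail from an outside sender for an outside recipient? Here is an added example (not code from the original post, its comments, or the report they discuss) of the standard open-relay probe. It speaks the SMTP envelope only and QUITs before DATA, so no message is ever delivered. FakeSmtpServer and all addresses are constructed so the example runs offline on 127.0.0.1; in practice you would point is_open_relay at the WAN address and whatever port a UPnP mapping exposes.

```python
"""Probe an SMTP server for open relaying without sending any mail.

Added example, not from the original post or the report it discusses. The
probe is the standard relay test (MAIL FROM an outside address, RCPT TO a
different outside address, then QUIT before DATA). FakeSmtpServer is a
constructed responder so the example runs offline against 127.0.0.1.
"""
import socket
import threading

PROBE_SENDER = "relay-test@example.org"  # constructed outside sender
PROBE_RCPT = "relay-test@example.net"    # constructed outside recipient


def _reply_code(rfile) -> str:
    """Consume one SMTP reply (possibly multi-line, '250-...') and return its code."""
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        text = line.decode("ascii", "replace").rstrip("\r\n")
        if len(text) == 3 or (len(text) >= 4 and text[3] == " "):
            return text[:3]


def is_open_relay(host: str, port: int = 25, timeout: float = 5.0) -> bool:
    """True if the server accepts an outside recipient from an outside sender."""
    with socket.create_connection((host, port), timeout=timeout) as s, \
            s.makefile("rb") as rfile:

        def cmd(line: str) -> str:
            s.sendall(line.encode("ascii") + b"\r\n")
            return _reply_code(rfile)

        if _reply_code(rfile) != "220":                   # greeting banner
            return False
        if cmd("EHLO relaytest.example.org") != "250":
            return False
        if cmd(f"MAIL FROM:<{PROBE_SENDER}>") != "250":
            return False
        accepted = cmd(f"RCPT TO:<{PROBE_RCPT}>") == "250"
        try:
            cmd("QUIT")  # never issue DATA: the probe must not deliver a message
        except ConnectionError:
            pass
        return accepted


class FakeSmtpServer(threading.Thread):
    """Constructed minimal SMTP responder. open_relay=True accepts any RCPT TO,
    which is the misconfiguration that makes a device a free mail relay;
    open_relay=False only accepts recipients in its own domain."""

    def __init__(self, open_relay: bool, local_domain: str = "appliance.lan"):
        super().__init__(daemon=True)
        self.open_relay = open_relay
        self.local_domain = local_domain
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))  # any free port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        with conn, conn.makefile("rb") as rfile:
            conn.sendall(b"220 fridge.appliance.lan ESMTP\r\n")
            while True:
                line = rfile.readline()
                if not line:
                    break
                verb, _, arg = line.decode("ascii", "replace").strip().partition(" ")
                verb = verb.upper()
                if verb == "QUIT":
                    conn.sendall(b"221 bye\r\n")
                    break
                if verb == "RCPT":
                    rcpt = arg.split(":", 1)[-1].strip("<> ")
                    if self.open_relay or rcpt.endswith("@" + self.local_domain):
                        conn.sendall(b"250 OK\r\n")
                    else:
                        conn.sendall(b"554 5.7.1 Relay access denied\r\n")
                elif verb in ("EHLO", "HELO", "MAIL", "RSET", "NOOP"):
                    conn.sendall(b"250 OK\r\n")
                else:
                    conn.sendall(b"502 Command not implemented\r\n")
        self.listener.close()


def probe_local(open_relay: bool) -> bool:
    """Start a constructed server in the given mode and run the relay probe on it."""
    server = FakeSmtpServer(open_relay=open_relay)
    server.start()
    try:
        return is_open_relay("127.0.0.1", server.port)
    finally:
        server.join(timeout=5)


if __name__ == "__main__":
    print("unguarded device relays for anyone:", probe_local(open_relay=True))
    print("properly restricted device relays:", probe_local(open_relay=False))
```

One caveat for anyone running this against real hosts: a 250 at RCPT TO is a strong indicator but not proof, since some servers accept the envelope and only reject at DATA; the probe stops short of that on purpose, because the alternative is sending mail through a stranger’s appliance. Nothing here requires a virus on the device, which is exactly the comment’s point: a mail-capable service reachable on the WAN, with no sender authentication and no recipient restriction, is all a spammer needs.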