
XP ATM IoT FUD

New Technologies Raise New Fears

Two news items made the rounds last week. Both involved hacking, and both are (probably) bogus. I think the news says more about us as users of technology than it does about the technology itself.

First, bloggers were wringing their hands over the planned wind-down of Windows XP. After 13 years, it’s time for XP to ride off into the sunset, and so Microsoft warned users that it would stop developing new fixes and new patches for XP. No big deal, right?

Within hours of each other, nearly a dozen different blogs were keening about security risks at bank ATMs. Seems many, if not most, of the automated teller machines installed in the U.S. use Windows XP as their operating system. (You’d never know it, because the user interface is covered by bank-branded replacements.) “ATMs to get hacked!” they wailed. “XP vulnerability spells doom for banking!”

Geez, people, have you never heard of embedded systems? Just because Aunt Edna’s old PC will stop getting automatic updates doesn’t mean the ATM network is suddenly exposed. Do they really think ATMs are connected to the public Internet? Without a firewall? And have been downloading random updates from Microsoft all this time? And that they run downloaded code?

Even the most inexperienced, first-year embedded programmer would know better than that. Any respectable ATM would execute one, and only one, program. A program stored directly in ROM. That’s ROM without an E or a P, by the way, as in not erasable and not programmable. A ROM that’s been checked, double-checked, and checksum-ed out the wazoo. Does anyone really think banks would let their ATMs run anything else? “Oh, Mister Rockefeller! We got a new software update from that nice Nigerian prince who’s been writing to us! Shall I download it to all of our ATMs?”

The fact that those ATMs are running Windows XP is largely irrelevant, and the fact that XP no longer gets regular updates from Redmond is equally irrelevant. Nobody at Diebold is simply slapping their firmware on the latest XP release du jour. It’s an embedded system, and that means closed box. I don’t recall ever hearing about ATMs getting hacked before, and XP’s status won’t change that. The ATMs will be just as secure tomorrow as they ever were.

Meanwhile, and apparently coincidentally, a number of news outlets frightened us all away from our refrigerators. Evidently about 100,000 home appliances had been hacked, a sinister side effect of the encroaching Internet of Things. “You see?” the report seemed to warn, “you start connecting stuff to that Internet thing the kids are talking about and this happens!”

According to second-hand reports, about 750,000 spam e-mails had been sent from a botnet made up of consumer-electronics goods, including home routers, smart TVs, and “at least one refrigerator.” Naturally, nearly every outlet led with the refrigerator example. The e-mails apparently went out in seven spasms over a period of two weeks.

The fact that the initial report originated from a hitherto relatively unknown anti-malware company wasn’t suspicious in itself. After all, these are exactly the kind of guys you’d expect to be on top of the latest trends in new viruses, Trojans, and security issues in general. But a closer reading of the report suggests that its wording was calculated to generate maximum fear and media exposure.

The report also says the researchers tracked the spambots back to their originating IP addresses. Fair enough, but IoT devices in general (and home electronics in particular) usually share an IP address with several other devices on the same local network. In a home network, for instance, every PC, tablet, TV, and game console sits behind a single cable or DSL router, and thus shares a single IP address. How do the researchers know the spam came from the game console and not, say, a PC running Windows XP (snark) on the same network?

In their defense, the researchers said they probed the offending IP addresses, and “things” would answer. That’s swell, but I can probe my own router’s WAN IP and get various devices to answer, too. Port forwarding, NAT, firewalls, and other techniques are all designed specifically to make identifying devices difficult or impossible. The device that answers to a ping isn’t necessarily the same one that manages SMTP mail services.
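An added example, not part of the original article: from the Internet side every device behind the router looks like one address, but the router's own NAT table still records which LAN host opened each outbound mail connection. The sample lines are constructed in the style of Linux `conntrack -L` output, all addresses are documentation ranges, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `conntrack -L` on a home NAT router.
# First tuple = original direction (LAN host -> Internet); second tuple =
# reply direction, whose dst is the router's public address after source NAT.
SAMPLE = """\
tcp 6 431999 ESTABLISHED src=192.168.1.23 dst=203.0.113.25 sport=51234 dport=25 src=203.0.113.25 dst=198.51.100.7 sport=25 dport=51234 [ASSURED]
tcp 6 431990 ESTABLISHED src=192.168.1.23 dst=203.0.113.80 sport=51240 dport=25 src=203.0.113.80 dst=198.51.100.7 sport=25 dport=51240 [ASSURED]
tcp 6 300 ESTABLISHED src=192.168.1.40 dst=203.0.113.9 sport=40000 dport=443 src=203.0.113.9 dst=198.51.100.7 sport=443 dport=40000 [ASSURED]
tcp 6 120 TIME_WAIT src=192.168.1.51 dst=203.0.113.25 sport=33000 dport=25 src=203.0.113.25 dst=198.51.100.7 sport=25 dport=1027 [ASSURED]
udp 17 20 src=192.168.1.40 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=198.51.100.7 sport=53 dport=5353
"""

TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse(line):
    """Return (proto, original_tuple, reply_tuple), or None if malformed."""
    tuples = TUPLE.findall(line)
    fields = line.split()
    if len(tuples) != 2 or not fields:
        return None
    return fields[0], tuples[0], tuples[1]

def smtp_by_host(text, smtp_ports=(25,)):
    """Map each LAN source to the remote SMTP endpoints it contacted, and
    collect the public addresses those flows appeared to come from."""
    per_host = defaultdict(set)
    public_ips = set()
    for line in text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue  # skip blank or truncated entries
        proto, (src, dst, _sp, dport), (_rs, rdst, _rsp, _rdp) = parsed
        if proto == "tcp" and int(dport) in smtp_ports:
            per_host[src].add(dst)
            public_ips.add(rdst)
    return dict(per_host), public_ips

if __name__ == "__main__":
    hosts, seen_as = smtp_by_host(SAMPLE)
    print("Internet-side view (one address for everything):", sorted(seen_as))
    for host, peers in sorted(hosts.items()):
        print(f"{host} -> {len(peers)} SMTP peer(s): {sorted(peers)}")
```

Two LAN hosts in the sample talk SMTP, yet an outside observer sees a single source address for both; only the router-side table separates them.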

Then there’s the software question. How, exactly, do you infect a hundred thousand different devices running different operating systems on different processor architectures with different – radically different – connectivity features and options?

The devices reportedly included a mix of ARM, MIPS, and other processor architectures. A “vast number” were running Linux, but not all. (And there are many variations of Linux.) Some use mini-httpd; some use Apache. In short, it’s a pretty mixed bag of hardware and software. What malware runs on routers and NAS and TVs and game consoles and at least one refrigerator?

It’s not like infecting a raft of Windows XP machines (oops, there I go again) where it’s a homogeneous target environment. What could all of those devices have in common that would allow them all to be infected? Not Java; not assembly code; not an OS exploit. It’s one thing to leave a device vulnerable – neglecting to reset the factory-default password, for example – but it’s another thing to somehow implant it with malware that’s able to send out e-mail on a regular schedule.

What this ATM XP and IoT FUD remind me of is Y2K. Remember that? Everyone was worried their computer (and they generally were computers 14 years ago) would “go haywire” (a term of art) at the end of 1999 because the clock/calendar hadn’t been programmed correctly to deal with the new date. Or something like that. Nobody was really sure. We just knew it was going to be bad. A few colleagues of mine made good money rewriting code for panicked clients who were sure – just sure – that Y2K would ruin their equipment. Too bad that kind of lucrative opportunity only comes along once every thousand years.

The same effect seems to be working here. Combine a faulty understanding of technology with a vague unease about the pace of progress and you have all the ingredients for a witch hunt or a Martian invasion. It’s all too easy to prey on the fears of the populace. And with so many people getting their news through social media, it’s the attention-grabbing memes that spread, not the ones that are important. Or true. In a sense, our attention-deficit culture is the real victim, infected by a need to rapidly confirm or deny our preconceived bias. 

3 thoughts on “XP ATM IoT FUD”

  1. Sorry, Jim, but you’re going to have to wait more than a thousand years to get that next income bump. We do four digits now, so you’ll have to wait until the year 9999. Then we can all freak out again.

  2. As usual, the experts are smarter than me.

    Regarding the “infected” consumer electronics, they weren’t technically infected in the usual sense of contracting a virus or hosting malware. Rather, the devices in question all had email-sending capability without proper safeguards. The malefactors simply made use of free e-mail relays that were sitting around unguarded.

    The researchers further theorized that, although such devices aren’t usually connected to the Internet directly, they are probably connected through a router that supports UPnP, making it (deliberately) simple for said devices to open up WAN ports to themselves.

    Here’s more detail:
    http://www.proofpoint.com/threatinsight/posts/your-fridge-is-full-of-spam-part-ll-details.php
