feature article

XP ATM IoT FUD

New Technologies Raise New Fears

Two news items made the rounds last week. Both involved hacking, and both are (probably) bogus. I think the news says more about us as users of technology than it does about the technology itself.

First, bloggers were wringing their hands over the planned wind-down of Windows XP. After 13 years, it’s time for XP to ride off into the sunset, and so Microsoft warned users that it would stop developing new fixes and new patches for XP. No big deal, right?

Within hours of each other, nearly a dozen different blogs were keening about security risks at bank ATMs. Seems many, if not most, of the automated teller machines installed in the U.S. use Windows XP as their operating system. (You’d never know it, because the user interface is covered by bank-branded replacements.) “ATMs to get hacked!” they wailed. “XP vulnerability spells doom for banking!”

Geez, people, have you never heard of embedded systems? Just because Aunt Edna’s old PC will stop getting automatic updates doesn’t mean the ATM network is suddenly exposed. Do they really think ATMs are connected to the public Internet? Without a firewall? And have been downloading random updates from Microsoft all this time? And that they run downloaded code?

Even the most inexperienced, first-year embedded programmer would know better than that. Any respectable ATM would execute one, and only one, program. A program stored directly in ROM. That’s ROM without an E or a P, by the way, as in not erasable and not programmable. A ROM that’s been checked, double-checked, and checksum-ed out the wazoo. Does anyone really think banks would let their ATMs run anything else? “Oh, Mister Rockefeller! We got a new software update from that nice Nigerian prince who’s been writing to us! Shall I download it to all of our ATMs?”

The fact that those ATMs are running Windows XP is largely irrelevant, and the fact that XP no longer gets regular updates from Redmond is equally irrelevant. Nobody at Diebold is simply slapping their firmware on the latest XP release du jour. It’s an embedded system, and that means closed box. I don’t recall ever hearing about ATMs getting hacked before, and XP’s status won’t change that. The ATMs will be just as secure tomorrow as they ever were.

Meanwhile, and apparently coincidentally, a number of news outlets frightened us all away from our refrigerators. Evidently about 100,000 home appliances had been hacked, a sinister side effect of the encroaching Internet of Things. “You see?” the report seemed to warn, “you start connecting stuff to that Internet thing the kids are talking about and this happens!”

According to second-hand reports, about 750,000 spam e-mails had been sent from a botnet made up of consumer-electronics goods, including home routers, smart TVs, and “at least one refrigerator.” Naturally, nearly every outlet led with the refrigerator example. The e-mails apparently went out in seven spasms over a period of two weeks.

The fact that the initial report originated from a hitherto relatively unknown anti-malware company wasn’t suspicious in itself. After all, these are exactly the kind of guys you’d expect to be on top of the latest trends in new viruses, Trojans, and security issues in general. But a closer reading of the report suggests that its wording was calculated to generate maximum fear and media exposure.

The report also says the researchers tracked the spambots back to their originating IP addresses. Fair enough, but IoT devices in general (and home electronics in particular) usually share an IP address with several other devices on the same local network. In a home network, for instance, every PC, tablet, TV, and game console sits behind a single cable or DSL router, and thus shares a single IP address. How do the researchers know the spam came from the game console and not, say, a PC running Windows XP (snark) on the same network?

In their defense, the researchers said they probed the offending IP addresses, and “things” would answer. That’s swell, but I can probe my own router’s WAN IP and get various devices to answer, too. Port forwarding, NAT translation, firewalls, and other techniques are all designed specifically to make identifying devices difficult or impossible. The device that answers to a ping isn’t necessarily the same one that manages SMTP mail services.
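The attribution gap described above can be seen from the one vantage point that does know which device did what: the router's own connection-tracking table. The following is an added example, not part of the original article; the log lines are constructed in the style of Linux `/proc/net/nf_conntrack`, and the WAN address `198.51.100.7` and LAN prefix `192.168.1.` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of /proc/net/nf_conntrack on a home router.
# 198.51.100.7 is the assumed shared WAN address; 192.168.1.x are LAN devices.
SAMPLE_CONNTRACK = """\
ipv4 2 tcp 6 431990 ESTABLISHED src=192.168.1.23 dst=203.0.113.5 sport=51234 dport=25 src=203.0.113.5 dst=198.51.100.7 sport=25 dport=51234 [ASSURED] mark=0 use=1
ipv4 2 tcp 6 431991 ESTABLISHED src=192.168.1.23 dst=203.0.113.9 sport=51240 dport=25 src=203.0.113.9 dst=198.51.100.7 sport=25 dport=51240 [ASSURED] mark=0 use=1
ipv4 2 tcp 6 431500 ESTABLISHED src=192.168.1.40 dst=203.0.113.80 sport=40111 dport=443 src=203.0.113.80 dst=198.51.100.7 sport=443 dport=40111 [ASSURED] mark=0 use=1
ipv4 2 tcp 6 120 ESTABLISHED src=192.0.2.77 dst=198.51.100.7 sport=60001 dport=80 src=192.168.1.50 dst=192.0.2.77 sport=80 dport=60001 [ASSURED] mark=0 use=1
"""

PAIR = re.compile(r"(src|dst|sport|dport)=(\S+)")

def parse_entry(line):
    """Split one conntrack line into (original, reply) direction tuples."""
    pairs = PAIR.findall(line)
    if len(pairs) < 8:
        return None
    return dict(pairs[:4]), dict(pairs[4:8])

def attribute(conntrack_text, wan_ip, lan_prefix="192.168.1."):
    """Return (LAN hosts that opened SMTP, WAN port -> LAN host answering probes)."""
    smtp_senders = defaultdict(set)   # LAN host -> remote mail servers contacted
    probe_responders = {}             # forwarded WAN port -> LAN host behind it
    for line in conntrack_text.splitlines():
        parsed = parse_entry(line)
        if not parsed:
            continue
        orig, reply = parsed
        if orig["src"].startswith(lan_prefix) and orig["dport"] == "25":
            # Outbound SMTP: the remote side only ever sees wan_ip as the source.
            smtp_senders[orig["src"]].add(orig["dst"])
        elif orig["dst"] == wan_ip and reply["src"].startswith(lan_prefix):
            # Inbound probe: port forwarding decides which device answers.
            probe_responders[int(orig["dport"])] = reply["src"]
    return dict(smtp_senders), probe_responders

if __name__ == "__main__":
    senders, responders = attribute(SAMPLE_CONNTRACK, "198.51.100.7")
    print("SMTP originators:", senders)
    print("Devices answering WAN probes:", responders)
```

In this sample the device that answers a probe on WAN port 80 is not the device that opened the SMTP connections, yet an outside observer sees both behind the same address.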

Then there’s the software question. How, exactly, do you infect a hundred thousand different devices running different operating systems on different processor architectures with different – radically different – connectivity features and options?

The devices reportedly included a mix of ARM, MIPS, and other processor architectures. A “vast number” were running Linux, but not all. (And there are many variations of Linux.) Some use mini-httpd; some use Apache. In short, it’s a pretty mixed bag of hardware and software. What malware runs on routers and NAS and TVs and game consoles and at least one refrigerator?

It’s not like infecting a raft of Windows XP machines (oops, there I go again) where it’s a homogeneous target environment. What could all of those devices have in common that would allow them all to be infected? Not Java; not assembly code; not an OS exploit. It’s one thing to leave a device vulnerable – neglecting to reset the factory-default password, for example – but it’s another thing to somehow implant it with malware that’s able to send out e-mail on a regular schedule.

What this ATM XP and IoT FUD remind me of is Y2K. Remember that? Everyone was worried their computer (and they generally were computers 14 years ago) would “go haywire” (a term of art) at the end of 1999 because the clock/calendar hadn’t been programmed correctly to deal with the new date. Or something like that. Nobody was really sure. We just knew it was going to be bad. A few colleagues of mine made good money rewriting code for panicked clients who were sure – just sure – that Y2K would ruin their equipment. Too bad that kind of lucrative opportunity only comes along once every thousand years.

The same effect seems to be working here. Combine a faulty understanding of technology with a vague unease about the pace of progress and you have all the ingredients for a witch hunt or a Martian invasion. It’s all too easy to prey on the fears of the populace. And with so many people getting their news through social media, it’s the attention-grabbing memes that spread, not the ones that are important. Or true. In a sense, our attention-deficit culture is the real victim, infected by a need to rapidly confirm or deny our preconceived bias. 

3 thoughts on “XP ATM IoT FUD”

  1. Sorry, Jim, but you’re going to have to wait more than a thousand years to get that next income bump. We do four digits now, so you’ll have to wait until the year 9999. Then we can all freak out again.

  2. As usual, the experts are smarter than me.

    Regarding the “infected” consumer electronics, they weren’t technically infected in the usual sense of contracting a virus or hosting malware. Rather, the devices in question all had email-sending capability without proper safeguards. The malefactors simply made use of free e-mail relays that were sitting around unguarded.

    The researchers further theorized that, although such devices aren’t usually connected to the Internet directly, they are probably connected through a router that supports UPnP, making it (deliberately) simple for said devices to open up WAN ports to themselves.

    Here’s more detail:
    http://www.proofpoint.com/threatinsight/posts/your-fridge-is-full-of-spam-part-ll-details.php
