“Because that’s where the money is.” – Willie Sutton, when asked why he robs banks
When you think of secure, reliable, mission-critical computers, you naturally think of Windows, right? It’s obvious. It’s so bulletproof, especially Windows XP.
That’s evidently the thinking behind many, and perhaps most, of the world’s automated teller machines (ATMs), which are little more than PC motherboards connected to a cash drawer. Everything you know and love about Windows is on display (sometimes literally), including its file system, patch history, security protocols, command prompt, help system, and the dreaded Blue Screen of Death.
If you want to rob a bank today, all you really need is a USB thumb drive, a CAT5 cable, and a passing familiarity with Windows. No Tommy gun or 1934 Ford Fordor Deluxe sedan required. Oh, and it helps to have a fake bank guard’s uniform.
Unlike, say, your home Wi-Fi router or a PlayStation 5, the average ATM isn’t based on custom hardware or custom software. “An ATM is basically a block of metal with a PC computer inside,” says Bruno Gonçalves de Oliveira, a “white hat” ATM security expert at Trustwave SpiderLabs. As such, it’s susceptible to most of the usual Windows hacks – if you can get near it. It’s physical security, not cybersecurity, that protects the majority of ATMs. And it’s not that hard to get inside one of the machines, as Oliveira has documented.
The first – and sometimes, the only – level of protection is a metal box surrounding the PC motherboard and other components. It’s typically sheet metal with a lock or two to keep out evildoers. But PCs need ventilation, so the boxes have holes in them to promote airflow. These holes are sometimes large enough that Oliveira has been able to insert tools, remove cables, or otherwise tamper with the computer, all without so much as unlocking the enclosure.
Not that unlocking it is all that difficult. “Any person with entry-level expertise” in lock picking can do it, he says. “You don’t need the skills to open a bank vault or crack a safe” in order to gain access to an ATM computer.
But surely you can’t just waltz into a bank and start picking the locks? You might be surprised. First off, not all ATMs are inside banks. They’re so ubiquitous now that many are in remote, unmonitored locations. Second, SpiderLabs has found that bank employees don’t take much interest in the “maintenance guy” standing around the ATM. Having a toolbox and a uniform helps.
ATMs often have cameras, and these are usually little more than USB-connected webcams. A USB connection implies a USB cable and a USB port, and these both present security holes. It’s sometimes possible to disconnect the camera and plug a different USB device in its place. A USB flash drive, for example. With your own software on it.
Then there’s the network, which is usually wired Ethernet, although some ATMs have wireless GSM connections, particularly in remote areas. That Ethernet cable has to go somewhere, which means it sometimes snakes across the floor to another computer. Oliveira has found unprotected CAT5 cables dangling out the backs of ATMs, making network-based attacks almost too easy.
Once you get inside the metal box, the security is lax there, too. Exposed USB, keyboard, mouse, and Ethernet jacks are common. Sometimes these have been disabled in Windows’ security settings, but oftentimes they’re not, and plugging in a keyboard allows access to the Windows UI. USB ports will sometimes recognize – and even autoload – whatever they find on a flash drive.
With a keyboard connected, it’s easy to press Alt-Tab to switch tasks. If that doesn’t work, try pressing F1, the default Help key for Windows. The Windows Help system was designed to work even when applications crash, with the side effect that it breaks out of the security “sandbox” and allows user access to a command prompt and other programs.
Rebooting can work, too. BIOS passwords are often left with their default or changed to something criminally simple, like 0000. Most BIOS bootloaders will happily boot from whatever medium you specify, opening the door to any operating system you care to bring along on your heist.
Variety and inconsistency seem to be the order of the day. Some ATM manufacturers are good about changing passwords, managing user privileges, and locking out unwanted programs. Others seem content with Windows’ default settings. Some banks add their own layer of security, while some leave the manufacturer’s settings alone.
Most ATMs use CEN/XFS, the optional Windows APIs for banking applications. The standardized APIs make it easy to develop financial software, but they also present a security hole, says Oliveira. You can’t protect an API from misuse; you can only catch mistakes. Windows might prevent a legitimate program from passing the incorrect number of parameters, but it can’t prevent a malicious program from using the API correctly and opening the cash drawer. Thus, the onus is on the operating system to prevent malicious software from running in the first place. And many ATMs just don’t do that.
Although Windows allows system administrators to control access to applications, it’s harder to control individual components of Windows that can be leveraged for nefarious purposes. Oliveira uses the example of a malicious .DLL file that’s on the system’s approved whitelist but that has been corrupted or rewritten to do bad things. Common Windows files like MSBuild.exe and RunDLL32.exe both provide good gateways into the heart of the system, he says.
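The two points above, that an allowlist keyed on file names is defeated by a rewritten file carrying an approved name, and that utilities like MSBuild.exe and RunDLL32.exe run code on behalf of whatever launches them, are illustrated by this added example (not Trustwave's or any ATM vendor's code). It pins approved modules to a content hash and flags process-creation records for the two proxy-execution binaries the article names; all paths, hashes and records are constructed.

```python
import hashlib
import ntpath
from typing import Dict, List

# Constructed baseline: each approved module is pinned to the SHA-256 of its
# known-good bytes, so a rewritten file under an allowed name fails the check.
APPROVED_SHA256: Dict[str, str] = {
    r"C:\ATM\app\dispense.dll": hashlib.sha256(b"GOOD DISPENSE BUILD 1.0").hexdigest(),
    r"C:\ATM\app\cardreader.dll": hashlib.sha256(b"GOOD CARDREADER BUILD 1.0").hexdigest(),
}

# Windows utilities the article names as gateways: they run code on whoever's
# behalf launches them, even where only "approved" programs may start.
PROXY_EXECUTION_BINARIES = {"msbuild.exe", "rundll32.exe"}


def verify_module(path: str, contents: bytes) -> str:
    """Return 'ok', 'modified' (allowed name, changed bytes) or 'unlisted'."""
    expected = APPROVED_SHA256.get(path)
    if expected is None:
        return "unlisted"
    return "ok" if hashlib.sha256(contents).hexdigest() == expected else "modified"


def flag_process_events(events: List[dict]) -> List[str]:
    """Return one finding per process-creation record (constructed, Sysmon-style
    dicts) whose image is a proxy-execution binary, naming the parent process."""
    findings = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        if image in PROXY_EXECUTION_BINARIES:
            parent = ntpath.basename(ev["parent"]).lower()
            findings.append(f"{image} launched by {parent}: {ev['cmdline']}")
    return findings


# Constructed sample records: one benign ATM application start, two proxy launches.
SAMPLE_EVENTS = [
    {"image": r"C:\ATM\app\atm.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "atm.exe --kiosk"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\ATM\app\atm.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\plugin.dll,Start"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "MSBuild.exe build.xml"},
]

if __name__ == "__main__":
    print(verify_module(r"C:\ATM\app\dispense.dll", b"tampered bytes"))
    for line in flag_process_events(SAMPLE_EVENTS):
        print(line)
```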
ATMs have nice touch-screen GUIs and many play video, either as a cheerful user interface, or to kill time while it counts out the bills, or to promote the bank’s other services. Video playback is mediated by the operating system, and therefore difficult to replace. Video plugins can bridge the connection between the ATM application and the OS, giving hackers a chance to escape the application sandbox.
Do most ATM thieves simply take the money and run, or do they play a longer game and leave malware behind? “They’ll normally inject something into the ATM,” says Oliveira. “They don’t want just the money. They want it running something for them.” Infected ATMs can harvest users’ debit card information, for example. They might also have access to the Windows file system, with whatever trove of information that contains. Many ATMs don’t bother to encrypt their file systems, by the way, even though it’s a built-in feature of Windows.
Are ATMs getting better? Are there any secure, hack-proof ATMs out there? Oliveira is blunt: “No.”
Surely Windows must be the problem, so a shift away from the generic PC platform would be an improvement? He’s not so sure. “Windows is updated constantly, so it gets better on its own.” It’s a better choice than Linux, for example, which has even more gaping holes in it than Windows does.
I’m no security expert, but it seems like ATMs suffer from the monoculture syndrome. They’re all so similar that one virus, one type of attack, could flatten them all. It becomes economically attractive to work on ATM malware, and not just for the obvious reason of the cash drawer in front. If you successfully crack one Windows-based ATM, you’ve got a leg up on them all.
Maybe diversity is the answer. Custom hardware and custom software would fragment the ATM market, and in this case, that’s a good thing. Plus, custom hardware is obscure by its very nature. Unless you’re using Raspberry Pi or some other commercially available hardware platform, your average hacker won’t know where to start. Security through obscurity might actually work in this case. Or at least help.
There are plenty of RTOS vendors creating secure operating systems, too. It’s not as though the high-reliability market didn’t exist before ATMs. If Green Hills Integrity-178 RTOS can fly military aircraft, I’m pretty sure it can handle a different kind of cash machine.
As it stands, your neighborhood ATM might be less secure than the cash register at your local McDonald’s. Although to be fair, those also run Windows… and sometimes Doom. Just be careful if you see B.J. Blazkowicz pitching low-interest loans.