Diebold ATMs hit by Nachi Worm

red floyd writes "The Register is reporting confirmation that Diebold ATMs were hit by the Nachi worm back in August. Apparently some Diebold ATMs run XP Embedded, and got hit with a variant of the RPC DCOM worm. Seems that they hadn't yet applied the available patch."

Diebold spins it.

[grub]

A patch for the critical RPC DCOM hole had been available from Microsoft for over a month at the time of the attack, but Diebold had neglected to install it in the infected machines.

Nice spin, Diebold. I highly doubt these were the only unpatched machines. It's likely more accurate to say "these unpatched machines, of which there are many more, weren't well protected on their respective VPNs". Think about it: the infection had to come from somewhere, right? Other unpatched machines are probably much better protected on their respective private networks.

Re:Diebold spins it.

I watched guy patch an ATM once.

It was done from a laptop.

My guess is that an infected laptop managed to screw things up (but no-one would admit to that). If it were because of a network connection, it would have been an 'all or nothing' infection and would've spread like wildfire. I'm not sure how exactly ATMs are connected, but they have to be networked in the grander scale of things for the system to work properly.

Anyways, my bet is an unsecure laptop - that's how most RPC hole attacks I've seen have spread recently. Having said that, we'll see lots of posts of an anti-MS nature in response to this story, when in actual fact, it's down to user bad practise, patch deployment and the fact that some people get a kick out of writing this stuff in the first place...

Re:Diebold spins it.

[SatanicPuppy]

It's just as likely to be a scrap of code inloaded off the back of a credit card. Why in Gods name would anyone use a proven insecure operating system as the base for a series of teller machines? Are ATMs so complex that you need a whole operating system running on the damn things? I seriously doubt it.

The answer to this is to make a simple, purpose built program, which is INCAPABLE of running externally introduced code. You need to patch? Run the software off a CD/DVD, and when you need to change the code, change the CD. Nothing to get cracked, nothign to get corrupted, nothing but hardwired code. Burn an extended BIOS on a rom chip to run the physical end. Then lock the whole thing up in a metal box, and BAM its as secure as you can make it.

Diebold should go back to making safes and padlocks, because they sure as hell don't know crap about ATMs and Voting Machines.

Re:Diebold spins it.

[pmz]

Why in Gods name would anyone use a proven insecure operating system as the base for a series of teller machines?

Because their executives are idiots and their engineers are sheep.

Re:Diebold spins it.

[austad]

Most Diebold ATM's run OS/2. But there's a push from some banks for them to install windows on them, even though the banks don't manage them. I used to work for a company that had ATM's with Diebold, and the engineer I talked to was unhappy that they were putting windows on them, but it's customer demand. It's simply some jackass that works for a bank and thinking they should run windows, when he has no idea how an ATM even works.

As far as VPN's go, for the most part, the ATM's either dial up, or are connected to a LAN that has some sort of WAN connection back to its respective bank. I don't know of any that use VPN's, although it is entirely possible. Keep in mind that Diebold simply provides the machines and fixes them when they break, it's up to the bank or whoever to provide the connectivity and other supporting servers/equipment.

Just goes to show..

[iantri]

I think this just goes to show that consumer operating systems are a bad idea to put on important machines that need to be reliable.

I'd think QNX or something else very simple and reliable would be a much better choice to rnu on ATM machines..

Re:Just goes to show..

[psyconaut]

Ahhh....but if you used a proper embedded operating system for an embedded device, you wouldn't be able to hire programmers who have completed a 6-week Visial Basic/.NET programming course at their local community college to write your business critical applications ;-)

-psy

Someone's going to come up short...

[abb3w]

The customers at large will; it will most likely be reflected in higher account/ATM fees. Banks will likely pass on the cost of theft just like merchants do the cost of shoplifting. Which sucks for the honest folk out there... all seventy-two of them.

Diebold ATM (in)Security

My company provides vulnerability assessment and penetration testing services to financial services clients and we crack these things all the time.

The old ones run OS/2 v3.0 and a vulnerable version of sendmail, the slightly newer ones run Windows NT 4.0, with almost no patches installed and a default username and password.

Once you gain access, it is possible to directly control the hardware using the utilities already on the system, including dumping the cash drawer :) The latest ones run either Windows 2000 or Windows XP, and have almost the same software as the Windows NT systems, just with more vulnerabilities.

At this point Diebold has not patched ANY of the RPC vulnerabilities, let alone the Messenger or Workstation bugs. Each of these ATM's is connected to an ethernet segment somewhere waiting for someone to rob it.

During the Blaster peak, a friend of mine was talking about the XP ATM's in London constantly rebooting... They put these cmd-shell-waiting-to-happen boxes directly on the Internet. Thank god for companies like Diebold and Microsoft, their problems created a market and a community that is still picking up steam.

That explains it

I remember thinking how weird it was to have my ATM suggest an exclusive opportunity to increase the length of my penis.

Just lame

[GillBates0]

"But worms are always going to be able to infect a lot more interesting machines than individual intruders are." Moreover, before reaching an ATM network, a human attacker would likely encounter more alluring high-finance targets along the way. "They're going to have to go through a lot of juicer networks first."

Just the fact that ATM machines are reachable from the public Internet is a huge cause of concern to me. A VPN connection without an intervening firewall at the ATM machine itself (which they claim they are installing now) is plain ridiculous.

You are then just hoping that none of the insiders will try to sabotage the machines, either knowingly, or unknowingly because of an infected laptop etc. They have to realize that VPN is a VIRTUAL PRIVATE network, and NOT a dedicated line, and hence, security measures have to be MUCH more stronger than if it was a REAL private connection. Does it take rocket science to figure that out?

And then there's that quote from the " Windows expert and "chief hacking officer" that malocious hackers will probably not go for ATM machines, even though they are reachable/hackable, because of other "jucier targets", presumably the bank network itself. Most malicious hackers would do it just for the fun of making an ATM machine spew out cash, if they figure out they can make it do that. That is a very lame assumption from a security expert.

And finally, for your reading convenience, here's an earlier /. story which mentions that 65% of the ATMs will be running a stripped down version of Windows by 2005.

What impact to ATMs, other than going offline?

[Slider451]

There's no personal data stored in an ATM. It's just a dumb terminal.

And Nachi basically makes the machine unusable.

Without specific code that target's ATMs, this is merely a generic nuisance that happened to hit what some consider a sensitive device.

Scary when you think what could happen, and frustrating when you think of the loss of trust in the security admins. But let's keep this in perspective. Nothing serious happened and it's a big step to get to where something serious will happen.

Hopefully those responsible have been sacked, and the new security llamas won't make the same mistakes.

Re:False sense of security still in effect

[Angstroem]

I still don't see any reason why a ATM machine must run a bloated operating system. That thing needs:

(1) A display driver; any text console is sufficient, but if the banks prefer to show logos and useless graphics, fine, make it a simple framebuffer device.

(2) A rudimentary keyboard controller; any 4x4 matrix will easily do the job. Make it 8x8 and you have more keys you'll ever need.

(3) Some additional hardware controls to perform currency selection and output, and receipt printing.

(4) A network driver to hook the ATM machine into the banking network plus the relevant service applications including mandatory security services. Shouldn't be much different from setting up credit card terminals, BTDT.

So why does anyone need anything like a striped down consumer OS, no matter if it is Windows Embedded or some embedded Linux for that?

But if I decide to use it, then I better hurry and apply any goddamn bugfix meant to close wide-open security holes. Plus, I keep my networks strictly separated and eventual gateway points heavily firewalled. How could Nachi enter the money transfer network anyway?

Somebody obviously did not make their homework, both on ATM and network infrastructure design.

Re:RPC vulnerability

[kobaz]

I am no windows expert here. But I tried disabeling as many services as possible for a win2k server i built for someone. When I disabled RPC and rebooted, the machine no longer functioned. Apartently RPC is a critical service that needs to be running in order for windows to function properly.

I had to boot up in safe mode and do some registry hacking to get RPC back up and running, because everything from windows explorer to control panel, to msie would fail to load. After managed to turn RPC back on, the machine worked "perfectly". As perfect as a windows machine can operate, hah.

Re:They wouldn't be allowed to patch it anyways

[Valar]

We have a new record! Someone didn't even make it all the way through the article TITLE. First, it was rtfa (the linked article). Then it was rtfa (the slashdot article). Now do we need to go to rtft (read the fucking title)? The article is about diebold ATMs, not voting machines.

Embedded XP? What were they thinking?

[Cajun+Hell]

WTF goes through somebody's head when they decide to use MS Windows for an embedded project?!

Windows' strength, pretty much its only strength, is legacy compatability. But an ATM doesn't need to run Excel or some 8-year-old custom Visual Basic application that an irresponsible manager got the company locked into. Really, it's ok to use decent software for embedded projects, nothing should hold you back.

Using Windows in an ATM, sounds like a classic application of the saying: "When the only tool you have is a hammer, every problem looks like a nail."

Re:False sense of security still in effect

[RealProgrammer]

A virus like this bypasses zero levels of account security.

What color is the sky in your world?

This worm was caught because it wasn't expecting to be on an ATM. It thought it was on just another XP box on some network and started scanning. Suppose the next worm is patient, stealthily looking for ATMs?

Malignant code could potentially monitor any device I/O it wanted. How about grabbing the bits on your ATM card swipe and saving them in an arrary with the PIN you just typed? No need to decipher anything, just send a day's worth in a batch and self-destruct.

The attacker can then recreate your ATM card from the bits on the stripe.

You're right, we're still safe.

ATM Horror

[h4rm0ny]

A few years ago when I was a naive young UNIX programmer I came to the cash machine and got the firght of my life. There, floating over the blocky PIN login screen was a windows Illegal Error box.

Up until that moment I had always assumed the cash machines were running some specially written firmware on specially made hardware. This was a massively important and widespread system after all.

Oh - how young I was.

IBM warned 'em

[Cybrex]

The timing on this is perfect, as I just read an article yesterday (in InfoWeek, I believe) about the effect of IBM's plan to discontinue OS/2 support on ATM manufacturers. The article was a couple of months old, but focused on them suggesting that financial institutions migrate their ATMs to Linux instead of Windows. It seems that the big ATM manufacturers (including Diebold, which featured heavily in the article) are leaning heavily toward Windows despite IBM's recommendation that they go with Linux. Their attitude is that they're running Windows on the back end, so they want it in the ATMs as well.

Well, now they're getting what they wanted, and I doubt that they'll learn from this. Large banks seem to have a monolithic mindset that's averse to anything new. They're also decidedly pro-Microsoft.

IBM offers some very effective solutions for integrating Linux-based ATMs with both UNIX and Windows-based back end systems. That companies like Diebold insist on going with insecure, unstable (I've seen an ATM stuck with a BSOD!) software for such sensitive systems is asinine.

-Cybrex