USB Sticks Used In Robbery of ATMs

First time accepted submitter JeffOwl writes "BBC is reporting that thieves are infecting ATMs with malware using USB sticks. The malware creates a backdoor that can be accessed at the front panel. The thieves are damaging the ATM to access a USB port then patching it back up to avoid notice. This indicates that the crew is highly familiar with the ATMs in question. Once the ATM is infected, the thieves use a 12 digit code to bring up the alternate interface. The thieves, not wanting their crew to go rogue, have built a challenge-response access control into their software and must call another member who can generate the response for them."

That's what you get

[fisted]

That's what you get from running Windows on ATMs, lol.

Re:That's what you get

[fisted]

I don't know any Linux or unix machine which would be compromised merely by plugging a memory stick. Hint, hint: autorun.
Furthermore, you presumably wouldn't get administrative access.

Re:That's what you get

[Spy+Handler]

no, this is what you get when you put a USB port on a frigging ATM. Whose bright idea was that anyways?

Re:That's what you get

[wvmarle]

Making it easy to install upgrades? Or to connect say, a proper keyboard, to do maintenance?

USB stick is better than over network as physical access is needed. And in this case, they indeed had to physically break the ATM to gain access to this USB port.

Re:That's what you get

[asmkm22]

The USB port is pretty well hidden and secure, which is why the article points out the fact that the thieves appear to be familiar with the machines enough to know where and how to best break that part open. Even the best of security measures won't hold up against an inside job.

Re:That's what you get

[TWX]

I think that it's stupid to allow the USB port to do anything more than provide a Human Interface Device level of access to the OS unless credentials are entered in to the machine to enable those features.

Or, in layman's terms, AT BEST the USB port should only work for a keyboard interface as a prompt for a password until the operator is authenticated.

It's CRIMINALLY STUPID for the USB port to provide any other kind of access by default. It should not give the OS kernel access to media plugged into it. It should CERTAINLY not automatically engage media plugged into it to read it. Arguably, it shouldn't do ANYTHING even with a keyboard plugged in until the technician servicing the machine has otherwise entered passwords, like on an internal keypad.

Re:That's what you get

[jeffmeden]

Because that part of the atm is heavily protected, whereas the usb port is behind a plastic panel.

All of the flames about windows vs linux are a red herring. This is the real design flaw. Any design that assumes the USB interface to the software is not just as important to protect as the cash itself completely ignores why they would ever put the USB port on there in the first place (to make material changes to the ATM software).

Re:That's what you get

most bank of america atms use windows, this is due to some worm virus that shut them down,

if they cared they would use linux, which many gambling machines use

Re:Moral of the story

How exactly would a video camera prevent a masked marauder from drilling?

Re:Moral of the story

[Crudely_Indecent]

When has a video camera ever stopped someone from doing exactly what they intend to do? Youtube is full of examples of people behaving badly in front of a video camera (sometimes - because of the video camera)

Sure, video cameras may cause people to reconsider their behavior - but a criminal intent on committing a crime will just wear a mask or disable the camera with some high-tech sticky tape. If the group is repairing the machines so their modification can't be detected - nobody would be the wiser. They might consider the tape to be the work of a prankster and peel it off.

Maybe if the video camera was attached to a flame-thrower - that might do the trick.

Oh, ffs.

[ledow]

Fail #1: A port that can be accessed without triggering an alarm.
Fail #2: A USB port.
Fail #3: Software running that looks at, and allows unsigned executable code to be executed from, a USB storage device without explicit authorisation.
Fail #4: No intrusion detection whatsoever to notice that this USB device has been inserted, has had code taken from it, that that code has been made executable and executed, or that that code is running with privilege enough to dispense cash.

I stopped caring at #2, if I'm honest.

You can state for all the world that the ATM's need software updates, etc. but there's just no excuse for a commodity device to be able to run arbitrary code without at least BOTHERING to check the authenticity of the code it runs first and ALERTING someone somewhere that that's what's happening (i.e. alert the branch, alert the central bank, etc.).

There's nothing stopping you issuing your updates over the local banking network, even, if that's what you want to do. Just make sure they are signed, verified, encrypted and secured. Honestly, you can't download a fecking game or movie nowadays without requiring DRM... and this is where DRM, code-signing and all that other stuff we do is supposed to be being used the most.

General purpose computers SHOULD NOT BE USED in security-conscious situations.

If your ATM isn't a SecureBoot machine (at a minimum), with code-signing explicitly required for any and all updates, and ALL WAYS to execute external code disabled, you're just a fecking idiot.