Researcher Discovers ATM Hack, Gets Silenced
Al writes "A researcher working for networking company Juniper has been forced to cancel a Black Hat presentation that would have revealed a way to hack into ATMs. The presentation focused on exploiting vulnerabilities in devices running the Windows CE operating system, including some ATMs. The decision to cancel was made to give the vendor concerned time to patch the problem, although the company was notified 8 months ago. The article mentions a growing trend in ATM hacking: In November 2008 thieves stole nearly $9 million from more than 130 cash machines in 49 cities worldwide. And earlier this year, the second biggest maker of ATMs, Diebold, warned customers in an advisory that certain cash machines in Eastern Europe had been loaded with malicious software capable of stealing financial information and the secret PINs from customers performing ATM transactions."
Re:WinCE when you say that (Score:5, Informative)
I can't believe that people use WinCE for a real world application that requires security and reliability. The morons who built these systems are reaping the reward for their ignorance.
A lot of ATMs were previously running IBM OS/2 and were pretty stable. Not only are these ATMs now exploitable but they are also much slower than before they were "upgraded" to WinCE.
Upgrades are supposed to improve functionality or improve performance but the text UI actually got about 2X slower to respond.
They got the ability to talk though (Score:5, Informative)
They are now much easier for the disabled to use. While it was possible for someone who was blind to use an OS/2 ATM, it relied more or less on memorizing what to do. The buttons had braille on them but there wasn't really any feedback other than beeps. So it was a situation of memorize the key presses to do what you want. New ATMs have headphone jacks and can give audio feedback, allowing those with vision problems to use them much more easily.
MS doesn't recommend WinCE either . . . (Score:3, Informative)
. . . from TFA:
The operating system used in the affected system, Windows CE, poses hurdles to a quick fix. Microsoft recommends that Windows CE is used for "low-end cash-dispensing ATMs," while Windows XP Embedded and Windows XP Professional are used on more full-featured ATMs, according to a white paper on kiosk and ATM operating-system platforms issued by the software maker. Windows XP Embedded, the latest version of which is Windows Embedded Standard 2009, and Windows XP Professional are more secure because they are easier to update, the software giant says.
Not forced! (Score:5, Informative)
The article is transparent in saying that he chose to cancel his own presentation on his own volition, because it hadn't been fixed yet.
Re:Ridiculous (Score:3, Informative)
Maybe in some regards, but the electrocuting ATM isn't a great example.
Oh, I dunno, it's not like there hasn't been precedent for companies systematically ignoring lethal electrocution hazards in their work. [go.com]
There exist numerous product safety laws that could affect the criminal culpability of decision makers in a company who refuse to address serious known safety concerns in their products.
As of 2008, with the passing of the Consumer Product Safety Improvement Act of 2008 [cpsc.gov], the criminal penalty for "knowing, willful violation" is 5 years instead of only 1 year per the original 1972 Consumer Product Safety Act. So yeah, the risk of imprisonment is something company officers have to consider, outside of a simple cost/benefit analysis. But realistically, if you play the game right, you may be able to stonewall and obfuscate well enough to make "willful, knowing" violation unprovable, taking that risk off the table. After that, consumer protection penalties are just another number in the "cost" side of the equation, with a "probability of occurrence" value that gets artificially deflated (because that stuff never happens to us).
Re:If it's an exploit for ATM *Machines*... (Score:1, Informative)
Digital Versatile Disc
Re:If it's an exploit for ATM *Machines*... (Score:4, Informative)
The 'C' in NIC stands for 'Controller', not 'Card'.
Some [techtarget.com] people [wisegeek.com], including 3Com [3com.com] and Cisco [cisco.com], disagree [abdn.ac.uk] with [about.com] you. [computerhope.com]