Researcher Discovers ATM Hack, Gets Silenced 229
Al writes "A researcher working for networking company Juniper has been forced to cancel a Black Hat presentation that would have revealed a way to hack into ATMs. The presentation focused on exploiting vulnerabilities in devices running the Windows CE operating system, including some ATMs. The decision to cancel was made to give the vendor concerned time to patch the problem, although the company was notified 8 months ago. The article mentions a growing trend in ATM hacking: In November 2008 thieves stole nearly $9 million from more than 130 cash machines in 49 cities worldwide. And earlier this year, the second biggest maker of ATMs, Diebold, warned customers in an advisory that certain cash machines in Eastern Europe had been loaded with malicious software capable of stealing financial information and the secret PINs from customers performing ATM transactions."
Ridiculous (Score:5, Insightful)
So they've had 8 months warning, and now suddenly when researchers want to publish they now want time to fix it? Not indicative of a company that gives a flying fuck about security. They don't deserve time.
WinCE when you say that (Score:4, Insightful)
Release it anyway (Score:5, Insightful)
You don't need a conference to publicize a security problem. Post it on the internet, and the vendor will have plenty of incentive to implement a fix immediately.
Re:What I don't get (Score:4, Insightful)
And some more long-term loving aswell. That is, until she has spend all your money.
Re:Ridiculous (Score:5, Insightful)
Re:Ridiculous (Score:2, Insightful)
Re:Ridiculous (Score:5, Insightful)
Actually, they HAD time to fix it. It still is highly problematic- but the big problem with all this thinking that bars people from disclosing this stuff at the stage it's at right now is the highly flawed thinking that disclosing a vulnerability discloses it to potential attackers which will use it.
It's a bad thing to think the bad guys don't already know what you're showing off and presume that they're not doing it. Depending on the hack, they may be prepping for it or already screwing you over with it and you just don't know it yet. If a white/grey hat found it, I can assure you a black hat either has already found it or will shortly.
Re:Ridiculous (Score:2, Insightful)
Re:Ridiculous (Score:1, Insightful)
Not sure where you see that. As far as I know Diebold, Wincor, and NCR only put out drivers for Win XP for their ATMs. This is a Win CE bug, it's probably a white-label machine.
Re:Release it anyway (Score:2, Insightful)
Re:Ridiculous (Score:5, Insightful)
Companies only move upon losses and public fiascos. Politeness should be gone by 8 months. Honestly, "this can slash your profits to 0 or below" doesn't sound like a cause for concern?
I'm sure departments within the company can make that same argument for losses but those are harder to take care of than simple software fixes that people are nice enough to be willing to tell them what the issue is. I mean how much easier can you get than someone else doing the job for you, that you didn't do originally? etc etc.
Re:Ridiculous (Score:4, Insightful)
You're right they don't deserve it - but giving information to criminals to make it easier for them to steal - thus hurting society as a whole - is not the answer. Unfortunately the security of ATM's is greater then these researches desire to present their work.
Releasing the hole does not hurt society, however, it does hurt Diebold customers and partners.
Another odd device running Windows CE (Score:3, Insightful)
It's unfortunately not too odd to hear that ATMs run Windows (especially with some of the error messages I've seen). But there are even odder devices running Windows.
I work at a somewhat-hated international retailing chain that will go unnamed, and while working there the other night my merchandise scanner, one of the portable hand-held ones used on the floor, froze. Not uncommon, but when I reset it it booted into Windows CE. A normal windows desktop. I tried starting Windows Media Player, but it wouldn't do anything. The funny thing is that when it works properly, it uses minimal ASCII art and no graphics at all.
Why these kind of things need to use Windows is beyond me. Windows, security issues aside, is alright for general purpose machines, but not highly-specialized machines like a scanner or ATM.
Re:Ridiculous (Score:3, Insightful)
Re:Ridiculous (Score:5, Insightful)
Current situation: society as a whole does not know the vulnerability or it's scope, criminals might or might not know the vulnerability and might or might not be actively exploiting it.
Full disclosure:anyone with enough brains and guts can exploit the vulnerability, society at large can take steps to minimize the risk since it is now known what exactly the risk is.
Re:Ridiculous (Score:5, Insightful)
You've made the classic mistake of assuming corporations have any motivation to do the right thing, as opposed to the profitable thing. They don't give a rat's ass who is using this hack. All they care about is the price of their shares. If keeping a dangerous vulnerability semi-secret for a few more months will help their share price, they don't really care how many people get screwed over. Think of it this way: if their ATMs were electrocuting people at random, they would do a cost benefit analysis to figure out the likely damages awarded at trials, and compare that to the cost of fixing the problem. If fixing the problem were more expensive, the company would happily go on killing people. You think they care about your freaking finances?
Re:Ridiculous (Score:3, Insightful)
Releasing the hole does not hurt society, however, it does hurt Diebold customers and partners.
1) Diebold customers/partners did not cause this issue
2) If you use an ATM you are a diebold customer
3) Diebold will pass the cost to companies which use ATMs and they will pass the cost to you
4) It does hurt society as a whole to enable criminals. Just because you are not directly effected does not make you immune to the effects.
Re:Ridiculous (Score:3, Insightful)
Releasing the hole does not hurt society, however, it does hurt Diebold customers and partners.
I'd have to know more details. The manufacturer is not the one who will feel the direct repercussions of this hack - the ATM owners will. It might have been more effective for the researcher to inform some of the larger customers rather than the company. I'd bet that a big bank leaning on Diebold would have been more effective than this researcher disclosing a secret exploit.
Re:Release it anyway (Score:5, Insightful)
You don't think these ATMs will stay up if an exploit is published do you?
The sequence of events goes something like this:
Bank buys shitty ATMs
Exploits are developed
People start stealing from ATMs
Someone gives the ATM manufacturer the exploit and tells them to fix their problem
People continue to steal from ATMs
Someone (publicly) threatens to publish
ATM company says, "hold on give us a minute to fix it"
People continue stealing from ATMs
scenario A
ATM company fixes the problem
Banks and consumers never know their assets were exposed
scenario b
ATM company stalls
people continue to steal from ATMs
someone publishes
a whole lot of money is suddenly stolen in a very short time period
Banks shut down all vulnerable ATMs
Customers notice their ATMs don't work - maybe ask questions
Banks sue ATM manufacturer, become a little more careful about who they do business with in the future
Re:Another odd device running Windows CE (Score:4, Insightful)
Sir, you are confusing Desktop Windows with Embedded Windows. While the source base is starting to be shared, their targets and goals are substantially different. Windows CE IS meant to be highly-specialized for highly-specialized machines. You don't even have to build in graphical output. I've seen usable CE images take up ~2MB of memory total.
Re:Ridiculous (Score:5, Insightful)
Re:Ridiculous (Score:3, Insightful)
You're making the assumption that it's a simple software fix. There isn't always someone who knows the software, understands the problem and can figure out how to resolve it in the code.
A lot of companies hire the cheapest people they can to implement ill-defined code which is duct taped together and released as a product. Once the product is released, all of the expensive ($10/hr) programmers are fired and the product is supported by a group of people who have a script to follow and get paid $2/hr. Once you purchased a product, what incentive does the company have to put a lot of time and money into supporting you? The only incentive is to add enough functionality to get more customers to purchase the product, which you just happen to benefit from.
I recently spent a lot of time trying to debug a problem that was being blamed on infrastructure, but turned out to be a known bug in one of the open source java components which was being used in a commercial product. There wasn't anyone employed by the vendor who understood that component, they just relied on it as a critical piece handling all communications in their product.
It's nice to work with people who actually comprehend their job, but that's clearly in the minority. The larger the company you're dealing with, the higher the probability that there are people in critical positions whose actions cannot be distinguished from random noise. Comprehension is not a measurable metric, which causes many managers to consider it unnecessary.
Re:Ridiculous (Score:4, Insightful)
What i think this guy should do is to publish the name of the problematic bank and/or ATM vendor, and give their users a month to withdraw all of their assets from that bank (since they clearly don't care about their customers' finances) and move to another one (of their own choosing). I'm sure as hell they would fix the problem ipso facto. My 2 cents.
Re:Ridiculous (Score:3, Insightful)
The one and only thing that makes them fix it is the near certain knowledge that the vulnerability will be exposed far and wide after a deadline. It is reasonable to give an extension if it's really a hard problem to solve, but they must feel nearly certain that the problem will come out in public.
I do agree that it's not a good idea to assume that only the good guys know about the vulnerability.