ATMs running Windows XP robbed with USB

A high-tech criminal group in Europe has been infecting ATMs (cash machines) with malware, and then completely emptying the machines without a trace. The group has not yet been caught and the attacks continue — and thus very few details have been released — but we assume that they’ve already made off with millions of pounds/euros. The best bit: The hack is carried out by plugging an infected USB stick into ATMs that run Windows XP. Not many people know this, but most of the world’s ATMs run some flavor of Windows. In the olden days, it wasn’t too unusual to find an ATM that had crashed with a blue screen of death (BSOD), and to this day it’s still fairly common to hear the standard Windows “ding” when interacting with an ATM. A conventional ATM might consist of a standard Windows XP PC (or perhaps XP Embedded), connected to a display, a secure keypad, cryptoprocessor, various other bits of hardware, and of course the vault (where the money is stored). The ATM boots up normally, then launches into a full-screen program that manages all of the tasks that a customer might want to carry out. Unfortunately, just like your Windows PC, some ATMs also have USB sockets — and just like your PC, some ATMs will automatically boot whatever’s plugged into the USB socket. The USB socket is hidden behind the ATM’s fascia, but it can be revealed if you know where to cut — and once you’ve loaded the malware on, you can easily cover up the hole. If you have knowledge of the ATM’s software, it’s possible to use malware to inject new features, or disable existing ones. In a word, once you’ve infected the ATM, it’s fairly easy to steal its money with complete impunity. You may have noticed that we’re talking in generalities here — but that’s because it’s all we have. Two German researchers, who have asked to remain anonymous, were contacted by the European bank that had discovered this attack earlier in the year. They analyzed the disk image of an infected cash machine, and worked out that the high-tech criminals must’ve reverse-engineered the ATM’s client software and injected a new menu. When triggered by a code entered on the keypad, the menu gives the criminals direct access to the ATM’s cash-dispensing functions. ”For sure, they had to have a profound knowledge of ATMs,” said one member of the research team. “Most likely they actually had one to test. Either they stole one and reverse engineered the cash client, or most likely, they had someone on the inside.” As you can imagine, given the fact that most ATMs are powered by Windows XP, this isn’t exactly a new attack vector. According to Wired, some banks have upgraded their ATMs to prevent them from booting from external USB drives. This particular attack only affects the cash machines of a sole (undisclosed) bank in Europe, and the researchers say that the malware doesn’t appear to harvest customer PINs or other sensitive data. Basically, they install the malware, wait for the machine to be refilled with cash, and then empty the machine out — presumably in the middle of the night, as it takes quite a while to withdraw thousands of bills. Moving forward, there isn’t a whole lot banks can do, except for upgrade their ATMs — but, as you can imagine, that’s a slow and expensive task. The upgrades filter out slowly, too, so while the ATMs in Berlin might be safe, ATMs deployed in developing countries might take a lot longer to be updated. The only saving grace is that developing a hack like this requires a lot of time and expertise — but considering the attack appears to be untraceable, and can be used repeatedly to accrue millions of euros/dollars, it’s probably worth it. Some other operating systems, including Linux, are used by ATMs, but it’s mostly a Windows-dominated market.