Hacking ATMs – A conference talk about the current security state of Windows XP driven cash machines

A few days ago the 30th edition of Germany’s Chaos Communication Congress took place, a high-profile event for IT-security and net-culture related topics. Started 30 years ago (!), this once-tiny super-nerd event has reached (positive) mainstream (media) popularity, and as usual the talks are really really good. Did I mention Julian Assange (Wikileaks) and Sarah Harrison (who made Snowden’s escape possible) took part ? But more on that in another post.

The most interesting talk I’ve currently seen is this one: “Electronic Bank Robberies – Stealing Money from ATMs with Malware” by two anonymous speakers. The topic and the way the criminals take is not new, and that’s the point: Even in late 2013 most ATMs use Windows XP (!) as the host operating system [1][2][3][4]. Yes, casual Windows XP (not a special version or something), which will officially reach End of Life on April 8th 2014. No more bugfixes, even for possible hard security bugs. It’s okay, as XP is now 14 years old, and people who still use a 14 years old Windows version (in IT-years, that’s like 100 years) in 2014 are simply a little bit retarted and have obviously absolutly no IT skills, but changing the OS of 100.000s+ ATMs all over the globe might be a little bit more difficult. In fact that’s a big topic in the bank scene.

Anyway, the talk shows how easy it is to break into a Windows XP by cutting into the ATM and plugging an USB stick onto the printer port, which holds a special software giving the attackers full control over the ATM’s system (and that’s possible on up-to-date Windows XPs !). To be fair, we have to realize that this is not possible for the average guy. The attackers need to have very detailed insights on the way ATM software works, and so it’s an inside-job.

By the way, there’s a nice explaination for this: The costs of updating and security-improving ATMs is much much higher than replacing stolen funds by criminal takeovers. So for banks, the risk is calculateable. As there are only a few hacks per year, this is a clear optimization of costs vs. benefits.

http://www.youtube.com/watch?v=0c08EYv4N5A

Hacking ATMs – A conference talk about the current security state of Windows XP driven cash machines

Slides from International PHP Conference 2014

[RePost] Goodbye LAMP: Going Nginx, NoSQL, HHVM (41min conference talk with Arne Blankerts)

Need motivation ? Check out these 2 awesome “FORBES 30 under 30” lists (web, UI, games)

Redesigning the PHP logo – who wants ?

Killer-feature in PHPStorm: Search everywhere

How to professionally test on old Internet Explorer versions

Extremely easy SASS in Laravel (with pure PHP)

The Times talks about Times New Roman (3min video)

Learn AngularJS in 20 (or 90) minutes with Dan Wahlin

Stressed and unrelaxed while coding ? Try some ultra-deeply-relaxing ASMR audio clips. It will change your life. Seriously.

SensioLabs, creator of Symfony and Silex PHP frameworks, gets $7 million capital

How to copy Vagrant boxes (or duplicate them)

How to show the available version of a package (before doing apt-get install)

The Times talks about Times New Roman (3min video)

Laracon 2013 – Kapil Verma: Engineering Complex Applications with Laravel 4 (40min video)

How to use the PHP 5.5 password hashing functions

PHP 5.7 gets refactored core, is 10%-30% faster than PHP 5.5! Wow!

Experimenting with HHVM at Etsy (Link)

New project: Building a naked PHP skeleton / boilerplate application from scratch

GitHub finally introduces repo traffic stats

PHP.net hacked, but most things are fine again

Frontend Ops Conf 2014 – Sarah Goff-Dupont: Git, Continuous Integration and Making It Pretty (31min video)

Hacking ATMs – A conference talk about the current security state of Windows XP driven cash machines

Get Github’s code colors in PHPStorm (2014 style)

Microsoft enters post-password era with Hello (promo video)