Hacking ATMs - A conference talk about the current security state of Windows XP driven cash machines

A few days ago the 30th edition of Germany’s Chaos Communication Congress took place, a high-profile event for IT-security and net-culture related topics. Started 30 years ago (!), this once-tiny super-nerd event has reached (positive) mainstream (media) popularity, and as usual the talks are really really good. Did I mention Julian Assange (Wikileaks) and Sarah Harrison (who made Snowden’s escape possible) took part ? But more on that in another post.

The most interesting talk I’ve currently seen is this one: “Electronic Bank Robberies – Stealing Money from ATMs with Malware” by two anonymous speakers. The topic and the way the criminals take is not new, and that’s the point: Even in late 2013 most ATMs use Windows XP (!) as the host operating system [1][2][3][4]. Yes, casual Windows XP (not a special version or something), which will officially reach End of Life on April 8th 2014. No more bugfixes, even for possible hard security bugs. It’s okay, as XP is now 14 years old, and people who still use a 14 years old Windows version (in IT-years, that’s like 100 years) in 2014 are simply a little bit retarted and have obviously absolutly no IT skills, but changing the OS of 100.000s+ ATMs all over the globe might be a little bit more difficult. In fact that’s a big topic in the bank scene.

Anyway, the talk shows how easy it is to break into a Windows XP by cutting into the ATM and plugging an USB stick onto the printer port, which holds a special software giving the attackers full control over the ATM’s system (and that’s possible on up-to-date Windows XPs !). To be fair, we have to realize that this is not possible for the average guy. The attackers need to have very detailed insights on the way ATM software works, and so it’s an inside-job.

By the way, there’s a nice explaination for this: The costs of updating and security-improving ATMs is much much higher than replacing stolen funds by criminal takeovers. So for banks, the risk is calculateable. As there are only a few hacks per year, this is a clear optimization of costs vs. benefits.

http://www.youtube.com/watch?v=0c08EYv4N5A

This article was written quite a while ago (9 years), please keep this in mind when using the information written here. Links, code and commands might be outdated or broken.

Random articles

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Hacking ATMs – A conference talk about the current security state of Windows XP driven cash machines

Random articles

Leave A Comment Cancel reply

Going node.js at Netflix (Slides by Micah R of Netflix)

Angelina Fabbro talks about “CSS4” in this excellent conference video

Create a fast, perfect and bootable 1:1 Windows backup (full clone of HDD) for SSD migration

Wow! Facebook devs have rewritten and fixed PHP, releasing it as new language called “Hack” today

How to install PHP curl extension (in 5 seconds)

How to get a single table out of a massive MySQL .sql database backup file (mysql dump splitter)

How to fix the ugly font rendering in Google Chrome

Install MINI in 30 seconds inside Ubuntu 14.04 LTS

SASSmeister is a real-time JSfiddle for SASS / CSS. Awesome!

Microsoft enters post-password era with Hello (promo video)

Vote for “Hack” for HipHop/HHMV support (future style PHP) in PHPStorm 8

Perfect HTML email templates for perfect HTML emails (outlook!) with INK

PHP 6.0 will be PHP 7

PHP Caching Best Practices by Eli White (video from PHP UK Conference 2014)

[Link] How to create, read, update and delete (CRUD) with PDO, MySQLi and MySQL the right way (prepared statements)

A PHPStorm shortcuts cheat sheet (for Windows, Mac OS and Linux)

Microsoft announces “holographic” 3D interfaces (promo video)

How to hack time (KUNG FURY promo campaign)

First view on Zend Framework 3 by Matthew O’Phinney

JavaScript ECMAScript6 – A short video introduction (5min)

How to install/setup latest version of PHP 5.5 on Debian Wheezy 7.0/7.1/7.2 (and how to fix the GPG key error)

Quick fix for 404 error in WordPress category / tag page

How to enable mod_rewrite in Ubuntu 12.04 LTS

Why Modern PHP is Awesome And How You Can Use It Today (Slides by Matt Stauffer)