Logo
  • PHP
    • HipHop / HHVM
    • Modern PHP
    • PHPStorm
    • LAMP
    • Laravel
    • Composer
    • PDO
  • JavaScript
    • node.js
    • AngularJS
  • CSS
    • SASS
    • “CSS4” (CSS level 4)
  • HTML
  • Git
  • LAMP
  • Vagrant
  • UI / UX
  • Architecture of …
  • Off-Topic
With ♥ from Berlin
January 4, 2014
Chris
Security
0

Hacking ATMs – A conference talk about the current security state of Windows XP driven cash machines

PreviousNext

A few days ago the 30th edition of Germany’s Chaos Communication Congress took place, a high-profile event for IT-security and net-culture related topics. Started 30 years ago (!), this once-tiny super-nerd event has reached (positive) mainstream (media) popularity, and as usual the talks are really really good. Did I mention Julian Assange (Wikileaks) and Sarah Harrison (who made Snowden’s escape possible) took part ? But more on that in another post.

The most interesting talk I’ve currently seen is this one: “Electronic Bank Robberies – Stealing Money from ATMs with Malware” by two anonymous speakers. The topic and the way the criminals take is not new, and that’s the point: Even in late 2013 most ATMs use Windows XP (!) as the host operating system [1][2][3][4]. Yes, casual Windows XP (not a special version or something), which will officially reach End of Life on April 8th 2014. No more bugfixes, even for possible hard security bugs. It’s okay, as XP is now 14 years old, and people who still use a 14 years old Windows version (in IT-years, that’s like 100 years) in 2014 are simply a little bit retarted and have obviously absolutly no IT skills, but changing the OS of 100.000s+ ATMs all over the globe might be a little bit more difficult. In fact that’s a big topic in the bank scene.

Anyway, the talk shows how easy it is to break into a Windows XP by cutting into the ATM and plugging an USB stick onto the printer port, which holds a special software giving the attackers full control over the ATM’s system (and that’s possible on up-to-date Windows XPs !). To be fair, we have to realize that this is not possible for the average guy. The attackers need to have very detailed insights on the way ATM software works, and so it’s an inside-job.

By the way, there’s a nice explaination for this: The costs of updating and security-improving ATMs is much much higher than replacing stolen funds by criminal takeovers. So for banks, the risk is calculateable. As there are only a few hacks per year, this is a clear optimization of costs vs. benefits.

 

http://www.youtube.com/watch?v=0c08EYv4N5A

 

 

This article was written quite a while ago (9 years), please keep this in mind when using the information written here. Links, code and commands might be outdated or broken.

Random articles

  • Hacked french TV channel exposed passwords in TV interview (video, screenshots, links)Hacked french TV channel exposed passwords in TV interview (video, screenshots, links)
  • Google I/O 2014 – HTTPS Everywhere (video)Google I/O 2014 – HTTPS Everywhere (video)
  • DEF CON 18 – When your computer got stolen and you can still SSH into it: “Pwned by the 0wner” (22min conference talk)DEF CON 18 – When your computer got stolen and you can still SSH into it: “Pwned by the 0wner” (22min conference talk)
  • Windows XP is officially dead from today. Do you know people still using it ? Punch them.Windows XP is officially dead from today. Do you know people still using it ? Punch them.
  • How major web companies (and banks) handle passwords quite wrongHow major web companies (and banks) handle passwords quite wrong
  • Interesting stats on SONY’s hacked passwordsInteresting stats on SONY’s hacked passwords
  • Crossbrowser-safe HTML5 video (IE6+) with a few lines of code and just one .mp4 video fileCrossbrowser-safe HTML5 video (IE6+) with a few lines of code and just one .mp4 video file
  • MINI, an extremely simple barebone PHP applicationMINI, an extremely simple barebone PHP application
  • A quick guideline on how to fix the Hearthbleed bug (and update OpenSSL) on UbuntuA quick guideline on how to fix the Hearthbleed bug (and update OpenSSL) on Ubuntu
atmhackssecuritywindows xp
Share this

Leave A Comment Cancel reply

Going node.js at Netflix (Slides by Micah R of Netflix)

It’s awesome how node.js takes over the absolute AAA-level corporate world. Note that node.js is still an early alpha product

css4

Angelina Fabbro talks about “CSS4” in this excellent conference video

A very interesting talk about the future of CSS – let’s name it “CSS4” as we talk about spec level

Create a fast, perfect and bootable 1:1 Windows backup (full clone of HDD) for SSD migration

In this article I want to share a super-simple, extremely fast and totally free workflow with you that will create

hack-php

Wow! Facebook devs have rewritten and fixed PHP, releasing it as new language called “Hack” today

Exciting stuff is happening: Some years ago Facebook has released an early preview of HipHop, a virtual machine that precompiles

php

How to install PHP curl extension (in 5 seconds)

It’s a common wordpress problem: PHP’s curl extension is not installed! No need to mess around in config files etc,

How to get a single table out of a massive MySQL .sql database backup file (mysql dump splitter)

Imagine the following situation: Somebody backs up an entire MySQL database – a very large one – with common tools.

How to fix the ugly font rendering in Google Chrome

Update, August 2014: Google has rolled out Chrome 37, which finally fixes this issue nativly. Yeah! For historical reasons the

Install MINI in 30 seconds inside Ubuntu 14.04 LTS

This is a guideline on how to install MINI – an extremely simple naked PHP application – more or less

sass laravel

SASSmeister is a real-time JSfiddle for SASS / CSS. Awesome!

Excellent tool for testing out SASS in real-time! SASSmeister.com offers a responsive (!) interface for quick SASS-to-CSS development with some

Microsoft enters post-password era with Hello (promo video)

Just a short promotion clip, but definitly interesting: Microsoft announces Hello, the authentication system inside Windows 10, using fingerprints, iris

1/4

Categories

Search

hiphop php
Vote for “Hack” for HipHop/HHMV support (future style PHP) in PHPStorm 8
Perfect HTML email templates for perfect HTML emails (outlook!) with INK
php-7
PHP 6.0 will be PHP 7
php uk conference
PHP Caching Best Practices by Eli White (video from PHP UK Conference 2014)
php
[Link] How to create, read, update and delete (CRUD) with PDO, MySQLi and MySQL the right way (prepared statements)
phpstorm-8
A PHPStorm shortcuts cheat sheet (for Windows, Mac OS and Linux)
Microsoft announces “holographic” 3D interfaces (promo video)
How to hack time (KUNG FURY promo campaign)
zend framework 3
First view on Zend Framework 3 by Matthew O’Phinney
bitdeli git github stats
php-login goes #2 PHP script worldwide in BitDeli stats
JavaScript ECMAScript6 – A short video introduction (5min)
php
How to install/setup latest version of PHP 5.5 on Debian Wheezy 7.0/7.1/7.2 (and how to fix the GPG key error)
Quick fix for 404 error in WordPress category / tag page
mod-rewrite-ubuntu-14-04-lts
How to enable mod_rewrite in Ubuntu 12.04 LTS
php
Why Modern PHP is Awesome And How You Can Use It Today (Slides by Matt Stauffer)

Tags

apache bash centos composer conference coupon CSS debian fonts framework git GitHub hack HHVM HipHop HTML HTML5 IDE JavaScript JS LAMP laravel linux mod_rewrite MVC MySQL Nginx optimization PHP PHP 5.5 PHP 5.6 phpmyadmin PHPStorm security server SSD Ubuntu UI UX vagrant video virtual machine voucher VPS wordpress
Side-Project: Wordle-Solver:
www.wordle-helper.info

Pages

  • Privacy Policy
 
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
Do not sell my personal information.
Cookie SettingsAccept
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT