By Aravinda Korala and Kit Patterson (from KAL), supported by Michael Moltke (FortConsult), and Alex Gherman
The “Meltdown” and “Spectre” attacks have been big news since 3 January 2018. They arise from hardware security vulnerabilities in Intel, AMD and ARM chips that were first postulated as a possible threat by Anders Fogh on a German cyber website around July last year, and were publicly demonstrated as a real threat last week.
The good news is that this information was first disclosed privately to the major Operating System (OS) vendors, allowing them to patch their operating systems and rush out fixes to help secure PCs and phones.
So what then is the situation for ATMs? Are ATMs potentially vulnerable to these attacks? The short answer is yes, but don’t panic just yet.
The immediate threat is the Meltdown attack. This attack method potentially allows malware to read any data item on a Windows PC, including Windows kernel memory, any physical memory, and any memory belonging to other processes on the same PC. Global ATMs are mostly built on Windows PCs that are carefully locked down.
Let’s analyse the risks and what needs to be done to reduce these risks on ATMs.
The world has around 3 million bank-grade ATMs, most of which run Windows 7 or Windows XP. All ATM types are at risk, as the defect is in the CPU hardware and is not caused by an OS vulnerability. In this article, we will focus on bank-grade ATMs running Windows 7 or Windows XP.
Let’s start with the good news. The ATM industry does not store its transaction processing secrets inside the ATM PC core – instead, they are stored inside hardware Encrypting Pin Pads (EPPs). This means the encryption keys that ATMs rely on to do transactions are held safely inside the EPP and consequently are unaffected by the new attack methods.
Not only are these keys protected inside the EPP, the method of remotely injecting them into the EPP, known as “Remote Key Loading”, is also safe in our view from a Meltdown attack. EPPs have an isolated, secure internal environment that is not exposed to attacks of this type.
However, that alone does not put ATMs completely in the clear. If an attacker is able to get malware onto an ATM, it would be possible to access sensitive information (such as an account number on the customer’s card) and potentially certain types of passwords such as an ATM supervisor login password that may be held transiently in memory.
The question then becomes: can a hacker easily get new malware onto an ATM?
Most ATMs are well protected from malware. The gold standard is to use a technology called “Whitelisting” that automatically prevents the ATM from running unrecognized programs, libraries, and scripts. Whitelisting would automatically block any new malware from being executed on an ATM and is an excellent first defence.
However, not all banks use whitelisting on ATMs. Some banks use Anti-Virus software and others use no malware protection at all (which, of course, makes no sense).
Anti-Virus (AV) was never the right answer for ATM protection and this particular threat highlights that most clearly. As the threat is very new, AV software does not have the signatures needed to identify this threat.
As a minimum, the AV signatures would have to be updated on ATMs, but that is hard to do since, as we have said, actual malware written to implement these threats has not yet been identified. Worse, it is currently thought that malware using this technique may look too much like “normal software” and therefore be hard to distinguish.
There is a final irony for banks using AV on ATMs. It turns out that Microsoft’s security patch for Meltdown will actually be blocked by many third-party AV products, as these products access the CPU in intrusive ways that the new patch will close. There is a lesson here for banks about ATM protection.
AV was never the right answer to secure ATMs, and on this occasion, AV software may actually make your ATMs more vulnerable. Our advice to banks is to change your ATMs to use whitelisting immediately.
However, that is not the only urgent task in protecting a bank’s ATMs. In order to protect against Meltdown, banks must also distribute Microsoft’s new security patch for Windows dated “1801”. There were some initial concerns about a performance hit from this patch, but the benchmarks do not bear that out. Although whitelisting alone could protect against any new malware, we also recommend the “1801” patch as a second line of defence, for several reasons.
One of those reasons is “internal attacks”. Whitelisting can be compromised by rogue internal bank staff who can modify whitelisting settings. KAL always recommends that nobody at all be given admin access to ATMs but, unfortunately, many banks allow employees admin access to ATMs. This is a security judgement banks make, but Meltdown would allow easy compromise of ATM software using admin privileges.
So, our second strong recommendation for banks is to never give admin access to ATMs to any staff. It just is not required. All valid maintenance actions on an ATM can be carried out using standard privileges, and indeed any staff member that has admin access to an ATM can install and run any malware on it with ease – not just Meltdown.
There is an elephant in the room we have not yet mentioned: some banks are still running Windows XP on ATMs. Officially, Microsoft is not creating any more security patches for Windows XP. If you are a bank running XP on your ATMs, you need to ask that Microsoft issues a patch immediately to fix this vulnerability.
The good news is that the Windows 10 patch for Meltdown is already available for supported OS versions and these are listed here.
Why do we not hear a lot of cheering? The reason is that most Western banks still run 32-bit Windows 7 on their ATMs, which is not yet covered. KAL is not aware, at the time of writing, of when the 32-bit fix will be available from Microsoft, but you will need to install it as soon as it is available.
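The recommendations above (deploy the “1801” patch, give no staff admin access, and treat unpatched 32-bit Windows 7 and Windows XP as special cases) can be audited per ATM with a short script. The following PowerShell is an added example, not code from the article or from KAL or FortConsult; it assumes it runs locally on the ATM PC with standard privileges, and the KB number is a placeholder because the article identifies the update only as “1801”.

```powershell
# Added audit example: checks one ATM PC against the article's recommendations.
# PLACEHOLDER: the article names the update only as "1801"; substitute the
# real Microsoft KB id for your OS/architecture before use.
$MeltdownKb = 'KB0000000'

$os = Get-WmiObject Win32_OperatingSystem
# OSArchitecture does not exist on Windows XP; fall back to the environment.
$arch = $os.OSArchitecture
if (-not $arch) {
    $arch = if ($env:PROCESSOR_ARCHITEW6432 -or $env:PROCESSOR_ARCHITECTURE -ne 'x86') { '64-bit' } else { '32-bit' }
}

# 1. Is the Meltdown update installed? (Win32_QuickFixEngineering is readable
#    by standard users, so no admin rights are needed for this check.)
$patchPresent = [bool](Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.HotFixID -eq $MeltdownKb })

# 2. Who holds local admin? The article's position is that no staff member
#    should; only the built-in account is expected here. (If your build
#    renames the built-in Administrator, match on its name instead.)
$group   = [ADSI]"WinNT://./Administrators,group"
$members = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$extraAdmins = @($members | Where-Object { $_ -ne 'Administrator' })

# 3. Turn the raw facts into the findings a fleet owner acts on.
$findings = @()
if (-not $patchPresent) {
    if ($os.Caption -match 'Windows 7' -and $arch -match '32') {
        $findings += 'Unpatched 32-bit Windows 7: no vendor fix yet; whitelisting and no admin access are the only controls.'
    } elseif ($os.Caption -match 'XP') {
        $findings += 'Windows XP: out of support, no vendor patch; escalate to Microsoft.'
    } else {
        $findings += "Meltdown update $MeltdownKb not installed; schedule deployment."
    }
}
if ($extraAdmins.Count -gt 0) {
    $findings += "Accounts beyond the built-in Administrator hold local admin: $($extraAdmins -join ', ')"
}
if ($findings.Count -eq 0) { $findings += 'OK' }

New-Object PSObject -Property @{
    Host         = $env:COMPUTERNAME
    OSVersion    = $os.Caption
    Architecture = $arch
    PatchPresent = $patchPresent
    ExtraAdmins  = $extraAdmins
    Findings     = $findings
} | Format-List Host, OSVersion, Architecture, PatchPresent, ExtraAdmins, Findings
```

Run it through your existing ATM software-distribution channel and collect the output centrally; a non-empty ExtraAdmins list or a missing patch on a 64-bit Windows 7 machine is an immediate action item.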
So overall, while Meltdown and Spectre should be taken seriously it’s important to remember that there are a wide range of unique aspects to ATM security. By concentrating on what’s important and actively applying all of the best security techniques, it is possible to stay ahead of the threats even when new ones like these emerge.
FortConsult is part of NCC Group and has one of the most experienced teams of IT security consultants in the world. Together with NCC Group, we have over 1000 consultants and are the trusted advisors of more than 15,000 clients worldwide. We have more than 35 office locations across the globe and advise clients in a broad range of industries on virtually any matters relating to IT security.