Cash machines in malware risk as embedded Windows XP reaches end of life

Tens of thousands of cash machines could become vulnerable to malware and DDoS attacks next month when support for the embedded version of Windows XP comes to an end.

From January 2016, Microsoft will be issuing no further security patches or updates for the OS, which is still used in the majority of ATMs to deliver cash to customers in the UK and elsewhere around the world.

According to IT security firm Abatis, the lack of security updates makes the ATM network far more at risk from sustained hacker attacks and malware infection as well as more vulnerable to theft and denial of service (DoS) attacks.

The desktop version of Windows XP ceased to be supported by Microsoft in April 2014. While the embedded version was given extended support until January 2016, to allow banks time to upgrade the OS, many ATMs still rely on the old operating system.

“This presents major problems for the banks and puts their customers' cash at risk, which is the last thing anyone wants as they check their accounts after a costly Christmas and early sales,” said Kerry Davies, CEO at Abatis. “The problem is made worse by the fact that traditional defences have been shown to be increasingly inadequate at stopping the latest malware attacks.”

While cash machines aren't directly connected to the internet, the threat of an inside job could put machines and customers at risk.

Microsoft has for some time charged for extended ("custom") support of its end-of-life operating systems, reportedly around $600 per machine for Windows Server 2003. The UK government is said to have paid £5 million for extended Windows XP support. A Freedom of Information request made by Motherboard magazine found that over 35,000 machines used by the Metropolitan Police were still running Windows XP.

Talking to SC, Catalin Cosoi, chief security strategist at Bitdefender, said that no more system updates means a higher risk of infection.

“Microsoft no longer takes responsibility for solving glitches in outdated software. This means the code can remain exposed to threats for an indefinite period of time. Banks may ultimately be breached and lose money as a result, but this will most likely not affect customers directly,” he said.

He added that DDoS attacks against the cash machine network would be difficult to undertake due to their isolation from the internet.

“So far, we have mainly seen ATM attacks using skimming devices and malicious software. There have been instances of cyber-attacks on financial institutions via web-based ATM control panels used by bank employees,” he said.

“Employees were tricked into disclosing their credentials through classic phishing schemes. Once inside, cyber-criminals increased the withdrawal limit on customer payment cards they had access to and changed other fraud and security-related controls.”
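The control-panel abuse Cosoi describes, phished employee credentials followed by raised withdrawal limits and altered fraud controls, leaves a trail in the panel's audit log that a detection rule can catch even when the ATMs themselves cannot be patched. The following is an added example, not code from the article or from any vendor quoted in it; the log format, field names, action names and thresholds are assumptions, and the sample log lines are constructed, not real data.

```python
"""Detection logic for a hypothetical ATM control-panel audit log.

Added example (not from the article). It flags the pattern described in
the text: one account raising card withdrawal limits sharply, doing so in
a burst, and then touching fraud or security controls. The log format,
field names, action names and thresholds are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune to the bank's normal limit-change behaviour.
MAX_LIMIT_RATIO = 5.0                  # new/old ratio suspicious on its own
MAX_ABS_LIMIT = 2000                   # any new limit above this is suspicious
BURST_COUNT = 3                        # this many limit changes by one user...
BURST_WINDOW = timedelta(minutes=10)   # ...inside this window is a burst
SENSITIVE_ACTIONS = {"DISABLE_FRAUD_RULE", "SET_FRAUD_RULE", "SET_SECURITY_CONTROL"}

# Constructed sample log (not real data): one benign change by akhan,
# then a compromised jsmith account doing what the article describes.
SAMPLE_LOG = """\
2015-12-10T09:12:44Z user=jsmith action=LOGIN src=10.20.1.14
2015-12-10T09:14:10Z user=akhan action=SET_WITHDRAWAL_LIMIT card=****1234 old=300 new=500
2015-12-10T09:15:02Z user=jsmith action=SET_WITHDRAWAL_LIMIT card=****4421 old=300 new=5000
2015-12-10T09:15:30Z user=jsmith action=SET_WITHDRAWAL_LIMIT card=****9810 old=300 new=5000
2015-12-10T09:15:55Z user=jsmith action=SET_WITHDRAWAL_LIMIT card=****0077 old=250 new=5000
2015-12-10T09:16:01Z user=jsmith action=DISABLE_FRAUD_RULE rule=velocity_check
2015-12-10T11:40:12Z user=akhan action=LOGOUT src=10.20.1.22
"""


def parse_line(line):
    """Parse '<timestamp> key=value ...' into a dict; None for blank lines."""
    line = line.strip()
    if not line:
        return None
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect(log_text):
    """Return (severity, user, reason) alerts, in log order."""
    alerts = []
    recent_changes = defaultdict(list)  # user -> timestamps of limit changes
    for event in filter(None, map(parse_line, log_text.splitlines())):
        user, action = event["user"], event["action"]
        if action == "SET_WITHDRAWAL_LIMIT":
            old, new = int(event["old"]), int(event["new"])
            # Rule 1: a single change that is absurdly large or a big jump.
            if new > MAX_ABS_LIMIT or (old > 0 and new / old > MAX_LIMIT_RATIO):
                alerts.append(("high", user,
                               f"limit {old}->{new} on card {event['card']}"))
            # Rule 2: sliding window of this user's changes; alert once when
            # the window first reaches BURST_COUNT entries.
            window = recent_changes[user]
            window.append(event["ts"])
            window[:] = [t for t in window if event["ts"] - t <= BURST_WINDOW]
            if len(window) == BURST_COUNT:
                alerts.append(("high", user,
                               f"{BURST_COUNT} limit changes within {BURST_WINDOW}"))
        elif action in SENSITIVE_ACTIONS:
            # Rule 3: any change to fraud/security controls is always worth a look.
            alerts.append(("critical", user, f"{action} {event.get('rule', '')}".strip()))
    return alerts


if __name__ == "__main__":
    for severity, user, reason in detect(SAMPLE_LOG):
        print(f"[{severity}] {user}: {reason}")
```

Run against the constructed log, the benign akhan change produces nothing, while the jsmith account trips the per-change rule three times, the burst rule once and the sensitive-action rule once. In practice these rules would feed a SIEM that also correlates the panel session with the phishing indicators (new source IP, recent password reset) that typically precede such a session.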

Tim Erlin, director of security and product management at Tripwire, told SC that just because the vendor stops producing patches doesn't mean attackers stop exploiting vulnerabilities on these systems.

“Running an unsupported operating system on your ATMs is an example of how what you don't know really can hurt you. It may seem like a stable system, but when something goes wrong, or it's being attacked, you're out of luck for support,” he said.

“The reason companies like Microsoft provide extended support and notifications is to give customers time to plan and budget for upgrades. ATM owners should be taking advantage of that time frame. All technology becomes obsolete at some point, and with embedded devices like ATMs, the cost of upgrade should be planned for at deployment time.”

Alan Calder, executive chairman of IT Governance, told SC that over time the lack of updates will increase the likelihood that attacks will be successful, “but attackers still have to identify vulnerabilities and craft exploits to be successful. Attackers would have to gain access to the operating system in order to mount an attack and this is not so easy.”

He continued: “A far bigger problem is errors that could exist in the bank's software when they roll out software updates. Over time, sophisticated attackers – which could include insiders with access to the operating system – might be able to access customer and account information. Any responsible financial institution would have started dealing with the XP phase out some years back.”

Benn Morris, senior partner at PTP Consulting, told SC that if an ATM which runs on an unsupported operating system has an exploitable vulnerability that cannot be patched, this could be a way for an attacker to upload malware.

“However, if an ATM vendor doesn't use any further security software to protect their hardware and applications running on the ATM, they are opening themselves up to issues irrespective of the age or support of the OS. However, if you can't update the known issues, you will have to rely solely on the third-party software applications to cover these,” he added.
