Wednesday, 22 January 2014

Cash crash ahead? ‘Death’ of Windows XP could leave 95% of world’s ATMs vulnerable

As many as 95% of ATM machines around the world could be vulnerable from April onwards, when Microsoft cuts off regular security patches for Windows XP on April 8. Most ATM machines in the U.S. and worldwide still run the ageing operating system – and some banks may continue ‘indefinitely’.
The Verge reports that ATM software company KAL estimates that just 15% of American ATMs will upgrade to Windows 7 by April. “That leaves thousands of machines running out-of-date software,” the site said.
A report by Bloomberg Businessweek says that 420,000 ATMs in the U.S. still run Windows XP, according to Robert Johnston, marketing director at NCR, the largest supplier of ATMs in America, and now face a ‘deadline’ to upgrade. After April 8, the machines will be at risk of non-compliance with industry standards, and at increased risk of attacks against the OS.
Speaking to The Verge, NCR said that most ATMs still run the full version of Windows XP, with support ending in April, while a minority run Windows XP Embedded, which will be supported until 2016.
Many banks face costly hardware upgrades to replace ageing machines which cannot support Windows 7 – JP Morgan says 3,000 of its 19,000 ATMs will require “enhancements” to support Windows 7, according to Bloomberg.
The Verge reports that JP Morgan is to buy a custom support contract from Microsoft to extend the life of ATMs running Windows XP.
“The ATM world is not really ready, and that’s not unusual” says Aravinda Korala, chief executive officer of ATM software provider KAL, according to a report by the Daily Mail, which describes XP-powered machines as ‘vulnerable’. “ATMs move more slowly than PCs.”
In a presentation in December, Mr Korala suggested that some banks intended to continue to use XP-powered machines ‘indefinitely’.
Earlier this month, Microsoft affirmed that XP would no longer be “a supported operating system”, but that it would provide assistance to users in the form of antimalware signatures for some months after the April deadline for patches, as reported by We Live Security. “To help organizations complete their migrations, Microsoft will continue to provide updates to our antimalware signatures and engine for Windows XP users through July 14, 2015.”
Despite Microsoft setting April 8, 2014 as the “end of support” date for Windows XP, around a third of PCs worldwide still run the operating system, according to research firm Net Applications.
“We will continue to help our customers complete their migrations as Windows XP end of life approaches,” Microsoft said via its blog post. The company made it clear, though, that Windows XP was a less safe option than newer versions of its OS. “Our research shows that the effectiveness of antimalware solutions on out-of-support operating systems is limited. Running a well-protected solution starts with using modern software and hardware designed to help protect against today’s threat landscape.”
Windows XP users already face a higher risk of malware infection, as reported by We Live Security. Per 1,000 PCs scanned, 9.1 XP machines had been infected – as compared to 1.6 for Windows 8, according to a report by Neowin.
“Microsoft Windows XP was released almost 12 years ago, which is an eternity in technology terms. While we are proud of Windows XP’s success in serving the needs of so many people for more than a decade, inevitably there is a tipping point where dated software and hardware can no longer defend against modern day threats and increasingly sophisticated cybercriminals,” Microsoft wrote in a statement last year.

Not Enough Evidence the Internet of Things Botnet Actually Exists

There was a report last week about a spam botnet using "Internet of Things" devices—a refrigerator, even!—but the evidence supporting this claim feels a little circumstantial.
As PCMag.com reported late last week, cloud security company Proofpoint claimed a botnet sent out 750,000 spam messages in waves between Dec. 23 and Jan. 6. While most of the messages were sent by conventional means, such as personal computers and mobile devices, more than 25 percent came from non-traditional sources, including "100,000 everyday consumer gadgets, such as home-networking routers, connected multi-media centers, televisions, and at least one refrigerator," Proofpoint said.
Researchers have repeatedly warned that the surging popularity of smart appliances and devices (this year's CES was heavily dominated by "Internet of Things") meant attackers would start taking advantage of these devices to launch attacks. Security Watch even highlighted the vulnerabilities in Internet of Things as part of its look-ahead for 2014. However, Proofpoint's report is not definitive proof that such a botnet already exists.
A Look at Proofpoint's Claims
To be clear, there is nothing that jumps out in Proofpoint's report as being impossible. The attackers took advantage of the fact that many of these networked devices still had default passwords or had been configured incorrectly, Proofpoint said. This is nothing new, since researchers have been demonstrating how to install a backdoored firmware onto vulnerable routers since 2008.
Proofpoint warned that the growing popularity of Internet of Things would encourage attackers to try to hack these devices. Considering that many of the devices run some kind of Windows operating system or Linux, and increasingly, Android, this is also very plausible. Several researchers demonstrated attacks against non-PC devices at last year's Black Hat and DEFCON, including cars, Samsung Smart TVs, and home surveillance cameras. Consumers generally don't think about updating the firmware on their wireless routers, let alone their TVs and garage door openers. There is no question that these devices are ripe for compromise.
"The Internet of Everything means everything is hackable," Michael Daly, CTO of cybersecurity and special missions at Raytheon, told Security Watch.
So if a botnet of Internet of Things, or "thingbots," as Proofpoint calls it, is possible, what is the problem? The thing is, Proofpoint's report doesn't provide a lot of details about the botnet itself. There is no information about what kind of command-and-control server the botnet was supposedly using, or even how the researchers came up with the 100,000 number in the first place.
While it's possible that smart devices were connected directly to the Internet, it's not very likely, as most home networks have multiple devices connected to the router. It isn't clear at this point how the researchers were able to tell that spam was sent by a compromised refrigerator, rather than, say, a compromised Windows machine on the same network. Consumer routers also generally use Network Address Translation (NAT) so that all the traffic going out to the Internet uses the same public-facing IP address, instead of having each device have its own address.
As an aside, this will change with IPv6, but I wonder whether enough home networks are IPv6-enabled at the moment to make a difference with this report.
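The NAT attribution problem described above, as an added example that is not part of the original article: a toy port-translating home router shows that a receiving mail server can log only the shared public IP, while the mapping back to individual devices exists only in the router's own table. The device names, addresses and message counts are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.7"  # constructed address (documentation range)

# Constructed home LAN: device name -> private address
LAN = {"fridge": "192.168.1.20", "smart-tv": "192.168.1.21",
       "windows-pc": "192.168.1.22"}

# Constructed outbound SMTP connections: (device, LAN source port)
SAMPLE_SENDS = ([("windows-pc", 50000 + i) for i in range(7)]
                + [("fridge", 51000), ("fridge", 51001), ("smart-tv", 52000)])


@dataclass
class HomeRouter:
    """Minimal source-NAT with port translation, as consumer routers do."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # (lan_ip, lan_port) -> public port

    def translate(self, lan_ip, lan_port):
        key = (lan_ip, lan_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.public_ip, self.table[key]


def simulate(sends):
    """Pass each connection through the router; return (receiver_log, router)."""
    router = HomeRouter(PUBLIC_IP)
    log = []
    for device, lan_port in sends:
        # The remote mail server can record only the translated source.
        log.append(router.translate(LAN[device], lan_port))
    return log, router


def senders_seen_by_receiver(log):
    """Per-source-IP message count, the only view an outside observer has."""
    return Counter(ip for ip, _port in log)


def devices_seen_by_router(router):
    """Per-device connection count, visible only in the router's NAT table."""
    return Counter(lan_ip for lan_ip, _port in router.table)


if __name__ == "__main__":
    log, router = simulate(SAMPLE_SENDS)
    print("receiver view:", dict(senders_seen_by_receiver(log)))
    print("router view:  ", dict(devices_seen_by_router(router)))
```

From the outside, ten messages from one IP look the same whether a refrigerator or a Windows PC sent them; telling them apart needs data from inside the network, such as the router's translation log.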
Skepticism, Not Disbelief
Proofpoint also mentioned that the botnet restricted the mail sent to just 10 spam messages per IP address. This seems like a whole lot of work for so little gain. Spammers generally blast out as many spam messages as possible—sending small volumes over a period of time is not really part of their traditional M.O.
As it stands, there is nothing that says Proofpoint is incorrect in its claims of the "first proven Internet of Things (IoT)-based cyberattack," but there is not enough evidence to accept this claim at face-value, either. Ars Technica was skeptical about this particular botnet and asked Paul Royal, a research scientist at Georgia Tech who specializes in network and system security, to weigh in. "The aggregate of the information doesn't paint an adequately compelling picture that what they're asserting occurred actually occurred," Royal told Ars Technica.
That said, we need to start thinking of ways to start protecting our devices.
These smart devices can be compromised in the same way mobile devices are: through apps. Just as mobile devices can be compromised if a malicious app is installed, some of these home appliances and networked devices may support apps such as Twitter and Facebook, said Christian Crank, a security researcher at TrainACE. In the case of a set-top TV box or a smart TV, the user may be tricked into downloading something malicious. The average home should not download apps that would allow the appliance to check messages, access contacts, send SMS/MMS messages, or make a call, Crank said. Users should also make it a point to turn on the built-in firewall on their routers.
There is no need to wait till the attackers do successfully compromise our TVs, fridges, and thermostats before we wake up to security.