funsec mailing list archives

Re: Windows-based cash machines 'easily hacked'


From: Chris Buechler <funsec () chrisbuechler com>
Date: Mon, 17 Mar 2008 20:32:03 -0400

Larry Seltzer wrote:
"Windows-based cash machines 'easily hacked'" 

This article basically makes two charges: ATMs aren't encrypting enough
data and the boxes they are stored in can be broken into. The former is
obviously an application error and the latter is obviously a hardware
issue. What was the point of putting "Windows" in the title? Yes, they
do make a quick vague accusation about Windows ATMs being less reliable
than OS/2 ATMs. Right.
  

They're absolutely right, they just seem to have cut some important 
facts out of the article. These Windows-based ATMs are a security 
nightmare. It's not Microsoft's fault, it's the incompetent vendors who 
put them out, like NCR.

Here's an nmap of a common NCR Windows XP-based ATM just like you'll find 
at many bank branches around the world (and happens to be where this one 
is):

Not shown: 1692 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
2000/tcp open  callbook


Compared to a common, old plain green screen NCR OS/2 ATM:

Not shown: 1696 closed ports
PORT     STATE SERVICE
2000/tcp open  callbook

Note the only port they actually require is TCP 2000. Why is the Windows 
ATM listening for RPC, NetBIOS, and more?!  That aggravates me to no end 
every time I see it (I've scanned a ton of these things, they're all the 
same). Plus it's an unpatched machine that never updates itself. The 
*least* NCR could have done is firewall off everything but the one port 
required for the ATM to work. Then barring any issues in their software, 
it would be immune to Windows issues. These things have gaping holes 
from a long list of missing critical patches; if you have network access 
to a Windows ATM it's child's play to execute anything you want on one. 
I haven't dug into it far enough to see how far you can really go, but 
the OS is very easily exploitable. At that point it's probably easy to 
make it spit out money.

Granted you need access to internal networks to do this, but still. 
These machines cost $20K+ USD a pop, yet apparently the people 
developing them are utterly inept.

The reliability claim is true as well - I'd be willing to bet you've 
never seen a crashed OS/2 ATM. I haven't. But I've seen more crashed 
Windows-based ATMs than I can recall, with error messages on the screen, 
or actually displaying the Windows desktop on the screen, etc.

You can't license OS/2 ATMs anymore, so banks are stuck with these 
disaster-waiting-to-happen Windows ATMs.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
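
The comparison made in the message above, as an added example that is not part of the original post: a small audit that parses nmap's port table and reports every reachable listener outside a required-port baseline. The baseline (TCP 2000 only) is taken from the message's statement; the function names `parse_ports` and `audit` are hypothetical.

```python
import re

# Port tables copied from the two scans quoted in the message above.
WINDOWS_XP_ATM = """\
Not shown: 1692 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
2000/tcp open  callbook
"""
OS2_ATM = """\
Not shown: 1696 closed ports
PORT     STATE SERVICE
2000/tcp open  callbook
"""

# Assumption from the message: TCP 2000 is the only port the ATM requires.
REQUIRED = {(2000, "tcp")}
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(nmap_text):
    """Return {(port, proto): (state, service)} from an nmap port table."""
    ports = {}
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return ports


def audit(nmap_text, required=REQUIRED):
    """Return (unexpected listeners to filter, required ports not open)."""
    ports = parse_ports(nmap_text)
    # "open|filtered" counts as reachable so an ambiguous result never passes.
    reachable = {k for k, (state, _) in ports.items() if state.startswith("open")}
    return sorted(reachable - required), sorted(required - reachable)


if __name__ == "__main__":
    for name, scan in (("Windows XP ATM", WINDOWS_XP_ATM), ("OS/2 ATM", OS2_ATM)):
        unexpected, missing = audit(scan)
        labels = [f"{p}/{proto}" for p, proto in unexpected]
        print(f"{name}: unexpected={labels or 'none'} missing={missing or 'none'}")
```
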

