Okay, here’s a new way to use memory sticks to spread malware — though to be fair, at least this method doesn’t rely on people being stupid enough to pick up strange thumb drives and stick them in their computers.
In a story that has “Law and Order — ripped from the headlines!” all over it, according to the BBC, some bad guys in Germany figured out how to cut holes in an ATM, reach in with a thumb drive holding a program, plug it into the ATM’s USB port, upload the program, remove the thumb drive, and plug the hole back up. They then used the uploaded program, with a 12-digit PIN, to tell the ATM to empty its cash drawer. As a sign of the care with which the bad guys wrote the program, it let them pick the biggest bills first, and it required a code from one of the other bad guys, to ensure that none of them went rogue and started going freelance. When the machine was empty, it would go back to its usual interface, reported the International Business Times.
Presumably the bad guys show up at night, when there aren’t employees around to hear the sound of dozens of bills going whfft-whfft-whfft out the ATM at once.
Because of the knowledge required to cut into the ATM at the right place, write the program, and plug in the thumb drive (ATMs have USB ports? Who knew? What for?), it’s thought to be an inside job, because they displayed “profound knowledge of the target ATMs.” You think?
Presumably the little program shuts down the ATM’s camera as well, because these bad guys haven’t been caught yet. In fact, we’re not really sure this is exactly how the thing works; the unnamed European bank where this is happening asked for help when ATMs’ cash drawers kept turning up empty, and this is conjecture from investigators. They did discover the little program is called hack.bat, which apparently was a Clue. The program has been found on four ATMs thus far.
Researchers — who asked to remain anonymous — revealed the system in a talk at the Chaos Computing Conference in Hamburg, Germany. (They may be anonymous, but they’re readily visible in the recording, and one of them is female, so it shouldn’t be that hard to figure out who they are.)
We’ve written before about the importance of securing USB ports to keep people from, deliberately or not, using them to download data or infect systems with malware, but using them to zombiefy an ATM is a new one. One presumes that ATM manufacturers will quickly be coming up with ways to secure the USB port. If nothing else, they could spend 75 cents and plug something into them so they’re less accessible. Setting up security cameras that aren’t controlled by the ATM is probably on the list as well.
Interestingly, the ATMs in question run Windows XP — yes, the same one that’s supposed to stop being supported as of April 8. It’s previously been said that the unsupported Windows XP could end up harboring all sorts of viruses after that date, which some people chalked up to Fear, Uncertainty and Doubt sowed by Microsoft to get people to migrate. But the notion of viruses targeting ATMs and teaching them to spew out money is an interesting one.
Naturally, the story is charming hackers of all stripes who are busily exchanging war stories about the insecurity of ATMs — models of which are readily available on eBay for convenient home research.
This raises the question of what other things these days have USB ports in them, or run Windows XP, that could be exploited. Video poker machines? Candy and cigarette machines? Medical equipment?
Incidentally, security researcher Barnaby Jack, scheduled to give a talk earlier this year on hacking implanted medical equipment — who mysteriously died of unrevealed causes days before his presentation, though Reuters said law enforcement had ruled out foul play — presented at Black Hat in 2010 on exactly how to break into an ATM, including how he used social engineering to gain valuable information about the ATM.