USB Sticks Used In Robbery of ATMs
First-time accepted submitter JeffOwl writes "BBC is reporting that thieves are infecting ATMs with malware using USB sticks. The malware creates a backdoor that can be accessed at the front panel. The thieves are damaging the ATM to access a USB port, then patching it back up to avoid notice. This indicates that the crew is highly familiar with the ATMs in question. Once the ATM is infected, the thieves use a 12-digit code to bring up the alternate interface. The thieves, not wanting their crew to go rogue, have built a challenge-response access control into their software and must call another member who can generate the response for them."
Re:That's what you get (Score:4, Interesting)
My bank still uses OS/2 on their ATMs.
Re:That's what you get (Score:4, Interesting)
ATMs generally run on commodity hardware and a commodity OS (most I've seen are Windows NT 4.0 and newer).
Re:That's what you get (Score:4, Interesting)
I don't know any Linux or Unix machine which would be compromised merely by plugging in a memory stick. Hint, hint: autorun. Furthermore, you presumably wouldn't get administrative access.
It doesn't require autorun. A USB device that emulates a keyboard or other input device would do the trick. Send the keystrokes necessary to break in. Think Linux is immune? How about the keystrokes necessary to reboot the machine and start up in single user mode? Even if single user mode has been protected, the USB device could provide both keyboard emulation and CD-ROM emulation -- during reboot the hack could boot to alternate media. The real fail is a design that allows access to the hardware (physical access is full access) and not the choice of operating system.
Re:That's what you get (Score:4, Interesting)
You should read up on what a security nightmare the voting machines are; it's appalling. Doesn't help that there are a dozen or more manufacturers, all of them being sold on the basis of friendly back slaps with local politicians rather than actual analysis of the hardware and software (which is always closed source). Testing procedures are a joke, by design, and even systems that fail testing get sold on the promise of an update in future firmware versions. Don't overlook punch card counters either; they put out by far the largest deviations from exit polls of any of the machines.
Crooks are better at security than the banks!! (Score:5, Interesting)
At least they built a challenge response system into their hack, that's just f*'ing funny to me!!
Re:That's what you get (Score:4, Interesting)
Err, not really. If we're building a *nix ATM, then you can fix it in one go: If the USB port requires elevated privs just to mount/use anything plugged into it (say, a long numbered sequence entered from the ATM keypad, unique to that machine, that would translate to a variation of "sudo /bin/mount"), the whole USB stick trick falls flat.
Not sure if there would even be a feasible analog for that in embedded XP/CE/WE.
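
Two points from the thread, that a plugged-in device can present itself as a keyboard rather than storage and that the port could refuse anything not explicitly approved, come down to a default-deny decision over the interface classes a device declares. The sketch below is an added example, not part of any comment or of any ATM vendor's software; the allowlist, vendor/product IDs and sample descriptors are constructed, and only the class codes (0x03 HID, 0x08 mass storage) come from the USB specification.

```python
# Added example: default-deny decision over USB interface descriptors.
# Class codes come from the USB specification; the allowlist and the
# sample devices below are constructed for illustration.
HID, MASS_STORAGE = 0x03, 0x08

# Hypothetical allowlist: (vendor id, product id) -> permitted interface classes.
# IDs are self-reported by the device, so the class check below still matters.
ALLOWED = {(0x1111, 0x0001): {HID}}  # constructed: the machine's own PIN pad


def evaluate(device):
    """Return (authorize, reasons) for one enumerated device.

    device: {"vid": int, "pid": int,
             "interfaces": [(class, subclass, protocol), ...]}
    """
    reasons = []
    classes = {iface[0] for iface in device["interfaces"]}
    permitted = ALLOWED.get((device["vid"], device["pid"]))
    if permitted is None:
        reasons.append("device not on allowlist")
    else:
        extra = sorted(classes - permitted)
        if extra:
            reasons.append("unexpected interface classes: "
                           + ", ".join(f"0x{c:02x}" for c in extra))
    # One plug presenting both an input device and storage is the
    # keyboard-plus-boot-media combination described in the thread.
    if HID in classes and MASS_STORAGE in classes:
        reasons.append("composite HID + mass storage device")
    return (not reasons, reasons)


# Constructed sample descriptors.
PIN_PAD = {"vid": 0x1111, "pid": 0x0001, "interfaces": [(HID, 0x01, 0x01)]}
PLAIN_STICK = {"vid": 0x2222, "pid": 0x0002,
               "interfaces": [(MASS_STORAGE, 0x06, 0x50)]}
# Claims the PIN pad's IDs but exposes an extra storage interface.
COMPOSITE = {"vid": 0x1111, "pid": 0x0001,
             "interfaces": [(HID, 0x01, 0x01), (MASS_STORAGE, 0x06, 0x50)]}

if __name__ == "__main__":
    for name, dev in [("pin pad", PIN_PAD), ("stick", PLAIN_STICK),
                      ("composite", COMPOSITE)]:
        ok, why = evaluate(dev)
        print(f"{name}: {'authorize' if ok else 'deny'} {why}")
```

On Linux, a decision like this can be enforced with the kernel's USB authorization interface (`authorized_default` on the host controller and the per-device `authorized` attribute in sysfs), so that a new device stays unusable until something approves it.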