Thursday, July 29, 2010

Blackhat, ATMs, and Money Fountains, Oh My!

Security blogs and websites are all buzzing with the news of Barnaby Jack's Blackhat demonstration of ATM insecurity. Wired has coverage, our favorite security monkey has a video, and others, including Tony Bradley from PC World, cover the important lessons from the talk.

So does the hack tell us something truly new? I don't really think so. For years, many ATMs have been poorly embedded systems, often running commodity operating systems that rely more on physical security provided by locked boxes than on heavily secured operating systems with appropriate security controls. I've written about the insecurity of some ATM uplinks before, and accessing their network connection is often very simple in public locations.

What the exploit does do is serve to point out vulnerabilities in the specific ATMs, both of which were running Windows CE. It also serves as a reminder that any operating system that can be remotely accessed, that allows its filesystem to be written, or that can mount USB devices is vulnerable. Since many ATMs run Windows XP, or even Windows NT, they make attractive targets to those who have pre-written malware that works on Windows systems.

It should also remind us to review what devices we rely on that have embedded PC platforms in them. Windows CE, NT, XP, and various flavors of Linux appear throughout our IT infrastructure, and while we're used to locking down network access, often embedded devices don't provide strong local security. I've run into everything from AV controllers and music players to embedded systems running animal feeding systems for research. Most of the time, my only ability to secure them is to lock them away, limit access to the room they live in, and ensure that they're on a secured network.

How do you secure your embedded systems? Have you gone so far as to modify appliances that manufacturers don't want changed?