
NORTH CANTON, Ohio - ATMs belonging to two financial institutions were shut down when the computer worm Welchia invaded their embedded Windows XP operating systems in August. Diebold, manufacturer of the machines, revealed the security breach on Nov. 25, according to a report in New Scientist.

It is the first known case of a worm installing itself on individual ATM operating systems, said Peter Lind, a security expert at Spire Security in Malvern, Penn. Earlier in 2003, the Blaster worm shut down Bank of America ATMs, but only by causing a flood of traffic that clogged the network's bandwidth.

In the Welchia case, the only harm done was that the traffic generated by the worm trying to contact other machines shut down the ATMs.

To infect the ATMs, Welchia exploited a vulnerability in Windows XP called RPC DCOM. Diebold adapted Microsoft's RPC DCOM patch for its ATMs and offered it to its customers. But the two financial institutions did not apply the patch and were infected, said Diebold spokesperson Mike Jacobsen.

Diebold does not know how the worm made it to the closed financial network. But security experts suggest it could have been carried on an infected laptop computer. The laptop would have contracted Welchia while connected to the Internet, and then transferred it when later connected to the financial network.

The worm, also known as Nochi, was not particularly malicious. But it is indicative of a worrying trend, Lind told New Scientist.

"Nowadays it seems that any device that supports any kind of networking is opening the door to access and sometimes that access might be malicious," he said.

Programming an ATM to spew out cash would require access to the private source code that controls the mechanical opening and shutting of the machine. But someone might be able to use a worm that exploited a vulnerability to gain access to that source code, Lind said.

"It doesn't strike me as outside the realm of possibility, although it is a little far-fetched," he said.

Diebold will install firewall software on all new ATMs, beginning in December. (See related story: "Diebold and Sygate to boost security for Windows-based ATMs.")
