Securing ATMs against Meltdown and Spectre
by Aravinda Korala and Kit Patterson (KAL ATM Software), with assistance from Michael Moltke (FortConsult), and Alex Gherman
Meltdown and Spectre have been big news since Jan. 3. Both stem from the way modern processors from Intel, AMD and ARM execute instructions speculatively, a weakness that Anders Fogh first postulated on a German security blog last July and that researchers publicly demonstrated last week to be very real indeed.
The good news is that the researchers disclosed their findings privately to the major operating system vendors first, giving those vendors time to patch their kernels and rush out fixes that help secure PCs and mobile phones.
So what, then, is the situation for ATMs? Are they potentially vulnerable to these attacks? The short answer is yes.
The more immediate threat is the Meltdown attack, which allows malware running as an ordinary, unprivileged user to read potentially any data item on a Windows PC: Windows kernel memory, any physical memory the kernel has mapped, and any memory belonging to other processes on the same machine.
But don't panic just yet.
Assessing the threat
The world has approximately 3 million bank-grade ATMs, most of which run Windows 7 or Windows XP, and most of which are carefully locked down. That said, all ATM types are at risk in the current case, as the defect is hardware chip-related and not an OS vulnerability. In this article, we will focus on bank-grade ATMs running Windows 7 or Windows XP.
It is first important to note that the ATM industry does not store its transaction-processing secrets in the ATM's PC core; it keeps them inside hardware encrypting PIN pads (EPPs). The encryption keys that ATMs rely on for transactions are held inside the EPP and are consequently unaffected by the new attack methods: Meltdown reads the PC's memory, and those keys never enter it in the clear.
What's more, the method of remotely injecting those keys into the EPP (remote key loading) is also safe, in our view, from a Meltdown attack. The EPP maintains an isolated, secure internal environment that is not at risk from attacks of this type, and the key material it receives is itself encrypted while it passes through the PC.
However, this does not put ATMs completely in the clear. If an attacker can get malware onto an ATM, even running with standard user rights, it could read sensitive information from memory, such as the account number on the customer's card, and potentially certain kinds of passwords, such as an ATM supervisor login password held transiently in memory.
The question then becomes how easily a hacker can get new malware onto an ATM.
The wonders of whitelisting; the 'antis' of antivirus
Most ATMs are well protected from malware. The gold standard is a practice called "whitelisting": the ATM is only allowed to run programs, libraries and scripts on an approved list, and everything else is refused. Because it allows known code rather than blocking known-bad code, whitelisting stops new malware that nobody has a signature for yet, which makes it an excellent first defense here: a Meltdown attack has to run code on the ATM, and whitelisting denies it that foothold.
However, not all banks use whitelisting on ATMs. Some banks use antivirus software, while others use no malware protection at all (which, of course, makes no sense). Antivirus was never the right answer for ATM protection and this particular threat highlights this fact most clearly.
Because this threat is so new, AV products do not yet carry signatures for it. At a minimum, the AV signatures on every ATM would have to be updated, which is hard enough in itself; and, as we have said, the malware that will implement these attacks has not yet been written and identified.
Worse, malware built on this technique is expected to look very much like normal software. It needs no suspicious API calls, only ordinary memory reads and careful timing, so it is hard to distinguish by signature or by behaviour.
There is a final irony for banks using AV on ATMs: the Microsoft security patch for Meltdown is withheld from machines running many third-party antivirus products. Some of those products hook the Windows kernel in unsupported ways that crash the system once the patch's kernel changes are in place, so Microsoft only offers the update after the antivirus vendor confirms compatibility by setting a registry flag. Until that happens the AV software leaves the ATM unpatched, and therefore more vulnerable to attack, not less. Our advice to banks is to implement whitelisting immediately.
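The following is an added example, not KAL's software and not code from the original article, of how a whitelist like the one described above can be built on a Windows 7 ATM with the AppLocker cmdlets that ship with Windows. The paths (C:\ATM, C:\ATM\policy, C:\Users\Public\dropped.exe) are assumptions, and the example assumes an edition of Windows 7 that includes AppLocker (Enterprise/Ultimate, or an embedded SKU that includes it; Professional can hold a policy but does not enforce it).

```powershell
# Added example (not KAL's software, not from the original article): build an
# application whitelist for a Windows 7 ATM with AppLocker, apply it, and
# verify that a binary dropped outside the approved set is refused.
# Assumptions (hypothetical): the ATM application lives under C:\ATM, the
# policy XML is kept under C:\ATM\policy, and the Windows edition enforces
# AppLocker (Enterprise/Ultimate or an embedded SKU that includes it).
Import-Module AppLocker

$AppDir    = 'C:\ATM'
$PolicyXml = 'C:\ATM\policy\atm-whitelist.xml'

# AppLocker rules are only enforced while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Inventory every executable, DLL and script that is allowed to run: the ATM
# application plus the operating system itself. Scanning C:\Windows is slow,
# but it keeps the policy free of path rules, which are the classic
# whitelisting bypass (any writable folder under an allowed path lets new
# code in).
$files = @()
foreach ($dir in @($AppDir, 'C:\Windows')) {
    $files += Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script
}

# Publisher rules cover signed files and survive version upgrades; unsigned
# files fall back to hash rules. -Optimize folds duplicate rules together.
$xml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
        -User Everyone -Optimize -Xml

# New-AppLockerPolicy leaves each rule collection as NotConfigured, which
# enforces nothing. Run in AuditOnly for a full service cycle first, then
# switch to Enabled so unknown code is actually blocked.
$mode = 'AuditOnly'   # change to 'Enabled' once the audit log shows no false positives
$xml  = $xml -replace 'EnforcementMode="NotConfigured"', "EnforcementMode=`"$mode`""
$xml | Out-File -FilePath $PolicyXml -Encoding UTF8

# Apply to the local policy. (-Merge would keep existing rules; we replace them.)
Set-AppLockerPolicy -XmlPolicy $PolicyXml

# Dry-run the policy against a file that was NOT in the inventory. The file
# must exist so AppLocker can hash it; copy any unsigned binary there. With an
# allow-list policy the decision for unknown code must be DeniedByDefault.
$dropped = 'C:\Users\Public\dropped.exe'   # hypothetical sample path
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $dropped -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

The point of the Test-AppLockerPolicy step is that it gives a yes/no answer without touching the live policy: if the decision for the dropped file is anything other than DeniedByDefault (for example because a broad path rule crept into the policy), the whitelist is not yet doing its job. Audit-mode events appear in the Applications and Services Logs under Microsoft-Windows-AppLocker, and a week of clean audit logs across a normal service cycle is the usual bar before switching the mode to Enabled.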
However, whitelisting is not the only urgent task in protecting a bank's ATMs. To protect against Meltdown, banks must also distribute Microsoft's January 2018 ("1801") security update for Windows.
There were initial concerns about a performance hit from this patch. The cost is highest for system-call-heavy workloads on older processors, which is not the profile of an ATM application, and the benchmarks do not bear those concerns out. So, although whitelisting alone could protect against any new malware, we also recommend the "1801" patch as a second line of defense, for several reasons.
Who needs admin access? Nobody
One of these is internal attacks. Whitelisting can be disabled or modified by rogue bank staff who hold admin rights on the ATM, so it is only as strong as the controls on who can change its policy. KAL always recommends that nobody be given admin access to ATMs. It simply is not required: every legitimate maintenance action on an ATM can be carried out with standard privileges.
Unfortunately, many banks do allow it. It is a security judgement, but with admin access to an ATM any staff member can also easily install and run any malware, not just Meltdown.
Of course, there is the elephant in the room that we have not yet mentioned: some banks are still running Windows XP on ATMs. Officially, Microsoft no longer creates security patches for Windows XP. If you are a bank running XP on your ATMs, you need to ask Microsoft to issue a patch for this vulnerability immediately.
The good news is that the Meltdown patch is already available for Windows 10 and for 64-bit Windows 7. So why do we not hear a lot of cheering? Because most Western banks still run 32-bit Windows 7 on their ATMs, and Microsoft has not yet shipped a Meltdown fix for it. As of this writing, KAL cannot say when the 32-bit fix will be available, but you will need to install it as soon as it is.
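Three of the questions raised above (has the "1801" update reached this ATM and is its kernel mitigation active, has anyone been left with admin rights, and which machines are 32-bit Windows 7 still waiting for a fix) can be answered by one read-only script. The following is an added example, not KAL's software and not code from the original article. It uses only facts Microsoft has published: the antivirus-compatibility flag under QualityCompat that gates delivery of the update, the FeatureSettingsOverride value that can switch the mitigations off, the Windows 7 SP1 January 2018 update numbers, and the KVAShadow properties reported by Microsoft's SpeculationControl module if that module has been installed. The function name Get-AtmMeltdownPosture is an assumption of the example.

```powershell
# Added example (not KAL's software, not from the original article): a
# read-only posture check to run on each Windows 7 ATM before and after the
# January 2018 update. Written for the PowerShell 2.0 that ships with
# Windows 7, so it avoids cmdlets that only exist in later versions.
function Get-AtmMeltdownPosture {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # 1. Edition and bitness. The 32-bit Windows 7 fix was not yet available
    #    when this article was written, so 32-bit machines need tracking.
    $edition = $os.Caption.Trim()
    $arch    = $os.OSArchitecture

    # 2. The antivirus-compatibility flag. Microsoft only offers the Meltdown
    #    update when this REG_DWORD (value 0) exists. Compatible AV products
    #    set it; on a whitelisted ATM with no AV, the operator sets it.
    $compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $compat     = Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue
    $avFlagSet  = ($compat -ne $null) -and ($compat.$compatName -eq 0)

    # 3. Has anyone switched the kernel mitigations off? FeatureSettingsOverride
    #    = 3 (with FeatureSettingsOverrideMask = 3) disables both the Meltdown
    #    and the Spectre variant 2 mitigation; an absent value means defaults.
    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $mm    = Get-ItemProperty -Path $mmKey -ErrorAction SilentlyContinue
    $override = if ($mm -and $mm.FeatureSettingsOverride -ne $null) {
        $mm.FeatureSettingsOverride
    } else {
        'not set (defaults)'
    }

    # 4. Is one of the January 2018 Windows 7 SP1 updates present? KB4056894 is
    #    the monthly rollup, KB4056897 the security-only update. On 32-bit
    #    machines this shows the update was installed, not that the Meltdown
    #    mitigation is active; item 5 answers that.
    $jan2018   = @('KB4056894', 'KB4056897')
    $installed = @(Get-HotFix | Where-Object { $jan2018 -contains $_.HotFixID } |
                   ForEach-Object { $_.HotFixID })

    # 5. Kernel page-table isolation ("KVA shadow") status, if Microsoft's
    #    SpeculationControl module has been installed on the machine.
    $kva = 'SpeculationControl module not installed'
    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        $s   = Get-SpeculationControlSettings
        $kva = "present=$($s.KVAShadowWindowsSupportPresent) enabled=$($s.KVAShadowWindowsSupportEnabled)"
    }

    # 6. Who is a local administrator? On a properly run ATM this list should
    #    contain only the built-in account, which should itself be disabled.
    $group  = [ADSI]'WinNT://./Administrators,group'
    $admins = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    New-Object PSObject -Property @{
        Edition                 = $edition
        Architecture            = $arch
        AvCompatFlagSet         = $avFlagSet
        MitigationOverride      = $override
        Jan2018UpdatesInstalled = $installed
        KvaShadow               = $kva
        LocalAdministrators     = $admins
    }
}

Get-AtmMeltdownPosture | Format-List
```

Run it from the ATM's software-distribution channel and collect the objects centrally: a 32-bit edition with an empty Jan2018UpdatesInstalled list is a machine still waiting on Microsoft, AvCompatFlagSet false on a machine with an AV product means the patch will never arrive until the vendor or the operator sets the flag, a non-zero MitigationOverride means someone has turned the protection off, and any name beyond the built-in account in LocalAdministrators is exactly the admin access the previous section argues nobody needs.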
In sum, while Meltdown and Spectre should be taken seriously, it's important to remember that there are a wide range of unique aspects to ATM security. By concentrating on what's important and actively applying all of the best security techniques, it is possible to stay ahead of the threats — even when new ones like these emerge.
KAL ATM Software is the preferred supplier to major financial institutions including Citibank, UniCredit, ING, Westpac and China Construction Bank.
FortConsult, part of NCC Group, serves as trusted IT security advisor to more than 15,000 clients through a global network of 1,000 consultants and 35 international offices.