A new form of malware dubbed “Tyupkin’ has been infecting automated teller machines (ATMs) in Europe, Asia and Latin America. The attack, which was first reported by security firm Kaspersky Lab, requires physical access to an ATM for the malware to be loaded.
The idea that malware can be loaded onto a vulnerable ATM is not a new one. Mike Park, managing consultant at Trustwave, told eWEEK that the same technique is what the late hacker Barnaby Jack used in his ATM hacking talk at the Black Hat security conference in 2010.
“What is new is that it’s being used in the wild more,” Park said. “Previously, it was easier to use card skimmers and well-placed cameras to steal account data or to simply grab the ATM with a pickup truck.”
The Tyupkin malware clearly demonstrates an uncommon level of sophistication for criminal activities, according to Daniel Petro, senior security analyst at Bishop Fox.
“Tyupkin takes effort into concealing its tracks so as much money can be extracted as possible,” Petro said. “In the past, ATM attacks have not necessarily been concerned with remaining stealthy, as much as simply being able to get to the cash and get away.”
At the heart of the Tyupkin exploitation of ATMs is the simple fact that it requires physical access to an ATM. Because of this, physical security elements, including proper locks and security monitoring, should be in place to limit access.
Gregory Wasson, malicious code program manager at ICSA Labs, told eWEEK that when it comes to exploitation, in his view, physical access almost always wins.
“There is no difference whether it is a skimmer that was installed or malware, as both require physical access,” Wasson said. “If a system can’t prevent someone from accessing it, then it is practically impossible to protect.”
Petro echoed that same sentiment, noting that once the attacker has physical access to a computer system, all bets are off. That said, ATMs have some specific physical security challenges, such as the fact that they are intended to be used by the unattended public.
“Buying better locks can help, but there’s also a long list of hardening techniques that can be applied to ATMs to improve their security,” Petro said. “Replacing outdated Windows XP operating systems, removing unnecessary IO ports like CD-ROM drives and application whitelisting are some of the techniques on this list.”
Trustwave’s Park added that from the physical security perspective, unless the ATM is one that is built into the wall of a bank, getting physical access is pretty straightforward, as locks are easily picked or access can be obtained by removing screws from air vents.
“Some ATMs we’ve tested actually had cable holes large enough to simply reach up and gain access,” he said.
For various reasons, many ATM deployments have not implemented some obvious security controls, including the use of antivirus (AV), system BIOS passwords and secure configurations, according to Park.
“Some businesses have indicated AV would cause the process of withdrawing cash or doing other transactions to become so slow that it would be unusable,” he said.
The lack of a BIOS password and secure configuration means that the BIOS on the ATM does not have a password to prevent tampering on startup and the default configuration of the BIOS is such that it can allow an attack.
“For instance, on the last two ATM tests we have done, we discovered the BIOS was configured to look for boot media in the USB, then the CD, then the hard drive,” Park said. “This means if we put in a bootable USB or CDDVD with another operating system, the ATM will boot into our operating system without needing to change the BIOS.”
Another physical challenge that faces ATMs is the actual lock that is in place on an ATM cabinet. Park noted that in many instances, most ATMs from a single manufacturer, or even just a single bank, share the same key.
“Once an attacker can obtain one of these keys via theft or other means [buying them in underground markets, on the Internet, making copies, etc.], they can get into any ATM of the same bank or even manufacturer,” Park said. “Businesses have said this is necessary because otherwise field technicians would have giant, unmanageable key chains.”
As an additional step, Trustwave has recommended that businesses also use full disk encryption so that when an ATM is rebooted or shut down, the operating system and the data on the disk are encrypted and unreadable, Park added.
“This would prevent the criminals from being able to boot into an alternate operating system to install malware or alter the operating system settings of the ATM,” he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.