Incident: ATM Malware Exploits Windows CE Vulnerabilities Causing Cash Dispensing Failure

Published Date: 2010-07-28

Postmortem Analysis
Timeline
1. The software failure incident happened in November 2009 [2297, 2312].
System
1. Tranax ATMs' remote monitoring system
2. Triton ATMs' security flaw that allowed unauthorized programs to execute on the system
3. Windows CE operating system used in both Triton and Tranax ATMs
4. Microsoft's Windows XP operating system used in bank ATMs in Eastern Europe [2297, 2312]
Responsible Organization
1. Barnaby Jack, director of security research at IOActive Labs, was responsible for causing the software failure incident by demonstrating hacks against ATMs at the Black Hat security conference [2297].
2. Security researchers at Trustwave, based in Chicago, were responsible for discovering malware attacks on bank ATMs in Eastern Europe [2297].
Impacted Organization
1. ATM users, who could potentially have their financial information compromised and lose money because of the vulnerabilities in the ATM software [2297, 2312]
2. ATM manufacturers Triton and Tranax, whose systems were hacked and whose vulnerabilities were exposed, leading to potential financial losses and reputational damage [2297, 2312]
3. Trustwave, a security research firm based in Chicago, which discovered similar malware attacks on bank ATMs in Eastern Europe and raised concerns about potential attacks in the United States [2297]
Software Causes
1. Vulnerabilities in the remote monitoring feature of Tranax ATMs, allowing authentication bypass and remote access without a password [2297, 2312].
2. A security flaw in Triton ATMs that allowed unauthorized programs to execute on the system; it was later patched so that only digitally signed code can run [2297, 2312].
3. Malware attacks on bank ATMs in Eastern Europe targeting machines running Windows XP, including those made by Diebold and NCR, which required insider access to place the malware on the ATM [2297].
Non-software Causes
1. Lack of physical security measures: the ATMs could be opened with a standard key that could be easily purchased online, giving unauthorized access to the front panel of the machine [2297, 2312].
2. Insufficient customer awareness and action: although the ATM manufacturers released patches for the security vulnerabilities, customers who did not apply the fixes left their machines vulnerable to attack [2312].
Impacts
1. The software failure incident allowed the researcher, Barnaby Jack, to demonstrate two successful hacks against ATMs, causing them to spew out cash, which drew attention and applause from the audience [2297, 2312].
2. The vulnerabilities in the ATMs, specifically in the systems made by Triton and Tranax, allowed unauthorized programs to execute, opening the machines to exploitation [2297, 2312].
3. The incident highlighted the security flaws in ATMs, potentially exposing customers to financial risk and loss of funds [2297, 2312].
4. The incident raised concerns about the security of ATMs in general, as the researcher said he had found vulnerabilities in every ATM he examined, indicating a widespread problem in the industry [2297, 2312].
5. The incident led the ATM manufacturers, Triton and Tranax, to patch the security vulnerabilities after the researcher brought them to their attention, but the effectiveness of these patches depended on customers applying them [2312].
6. The incident showed how easily ATMs could be hacked through software vulnerabilities, potentially encouraging malicious actors to exploit similar weaknesses in other ATMs [2297, 2312].
Preventions
1. Implementing security patches promptly: the incident could have been prevented if the ATM vendors, such as Triton and Tranax, had applied security patches promptly to address the vulnerabilities identified by researchers like Barnaby Jack [2297, 2312].
2. Disabling remote monitoring features: to prevent remote attacks like the one demonstrated by Jack, ATM owners should disable remote monitoring features that could be exploited by attackers [2297].
3. Upgrading locks with unique keys: using high-security locks with unique keys, such as the Medeco lock, could have prevented unauthorized physical access to the ATM systems, such as opening the front panel with a standard key [2297, 2312].
4. Conducting regular security evaluations: regular security evaluations and assessments of the ATM software could have helped identify and address vulnerabilities before malicious actors could exploit them [2297, 2312].
Fixes
1. Patching the security vulnerabilities in the ATM software identified by the researcher Barnaby Jack [2297, 2312].
2. Implementing a defense mechanism against potential attacks, such as an optional lock upgrade kit with a unique key for the ATM systems [2297, 2312].
3. Disabling remote monitoring features that attackers could exploit to gain unauthorized access to the ATM systems [2297].
4. Ensuring that only digitally signed code can run on the ATM systems, so that unauthorized programs cannot execute [2297].
5. Conducting thorough evaluations of the software for vulnerabilities and addressing any identified weaknesses to improve the security of the ATM systems [2312].
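The Triton fix described under Software Causes (item 2) and Fixes (item 4) is a code-loading policy: the machine refuses to execute any program that is not digitally signed by the vendor. The following is an added example written for this page, not Triton's or Tranax's code, and nothing about the vendors' actual implementation is taken from the articles. It models both the pre-patch loader (anything presented to it runs, which is what made a USB stick behind the front panel sufficient) and the post-patch loader (only images covered by an authenticated approval manifest run). One assumption is made for the sake of running offline with the standard library only: a real ATM would verify an asymmetric signature against a vendor public key baked into firmware, whereas this example authenticates the manifest of approved image digests with HMAC-SHA256 under a vendor key; the policy decision is the same. The key, the image bytes and the source labels are constructed sample values.

```python
"""Signed-code load gate, modelled after the fix described for Triton ATMs.

Added example, not vendor code. Stand-in (assumption): the approval manifest
is authenticated with HMAC-SHA256 under a vendor key instead of an asymmetric
signature; the load policy (refuse anything not covered by an authenticated
manifest) is unchanged.
"""
import hashlib
import hmac
import json

# Constructed sample values, not taken from the articles.
VENDOR_KEY = b"constructed-demo-vendor-key"
APPROVED_IMAGE = b"dispense_service v2.1 (constructed sample image bytes)"
UNAPPROVED_IMAGE = b"unapproved_tool.exe (constructed sample, never signed)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(images, key=VENDOR_KEY) -> dict:
    """Vendor side: list the digests of approved images and authenticate the list."""
    body = {"approved": sorted(sha256_hex(img) for img in images)}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def manifest_is_authentic(manifest: dict, key=VENDOR_KEY) -> bool:
    """ATM side: recompute the MAC over the manifest body and compare in constant time."""
    payload = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("mac", ""))


class CodeLoader:
    """The ATM's program loader, with the signing check switchable to show both states."""

    def __init__(self, manifest: dict, enforce_signing: bool):
        self.manifest = manifest
        self.enforce_signing = enforce_signing
        self.loaded = []  # sources of images that were accepted for execution

    def load(self, image: bytes, source: str) -> bool:
        """Return True if the image is accepted for execution, False if refused."""
        if not self.enforce_signing:
            # Pre-patch behaviour described on the page: any program presented to
            # the loader runs, whatever its origin.
            self.loaded.append(source)
            return True
        # Post-patch behaviour: the manifest itself must be authentic, and the
        # image digest must appear in it. A tampered manifest fails the first
        # check; an unlisted image fails the second.
        if not manifest_is_authentic(self.manifest):
            return False
        if sha256_hex(image) not in self.manifest["body"]["approved"]:
            return False
        self.loaded.append(source)
        return True


def demo() -> dict:
    """Exercise both loaders and a tampered manifest; returns the accept/refuse results."""
    manifest = build_manifest([APPROVED_IMAGE])
    unpatched = CodeLoader(manifest, enforce_signing=False)
    patched = CodeLoader(manifest, enforce_signing=True)
    # An attacker-edited manifest that lists the unapproved image but carries the
    # old MAC: the body no longer matches the MAC, so it is not authentic.
    tampered = dict(manifest, body={"approved": [sha256_hex(UNAPPROVED_IMAGE)]})
    patched_tampered = CodeLoader(tampered, enforce_signing=True)
    return {
        "unpatched_accepts_unapproved": unpatched.load(UNAPPROVED_IMAGE, "usb"),
        "patched_accepts_approved": patched.load(APPROVED_IMAGE, "vendor update"),
        "patched_refuses_unapproved": patched.load(UNAPPROVED_IMAGE, "usb"),
        "patched_refuses_tampered_manifest": patched_tampered.load(UNAPPROVED_IMAGE, "usb"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The point the page makes about customer patching applies here as well: the `enforce_signing` switch is the difference between the two loaders, and a machine whose operator never installed the update behaves like the first one regardless of how good the check is.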
References
1. Barnaby Jack, director of security research at IOActive Labs [Article 2297]
2. Security researchers at Trustwave, based in Chicago [Article 2297]
3. Triton representatives at a press conference [Article 2297]
4. Triton's vice president of engineering, Bob Douglas [Article 2312]

Software Taxonomy of Faults

Category Option Rationale
Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to hacking into ATMs and exploiting vulnerabilities has happened again at Triton. Barnaby Jack demonstrated hacks against Triton ATMs at the Black Hat security conference, showing how he could exploit security flaws to make the machines spew out cash [2297]. The Triton ATMs were found to have a security flaw that allowed unauthorized programs to execute on the system, which the company later patched [2297]. Additionally, Triton's ATMs could be opened with a standard key that could be purchased online for about $10, allowing unauthorized access to the system [2312].
(b) The software failure incident related to hacking into ATMs and exploiting vulnerabilities has also happened at Tranax. Barnaby Jack demonstrated hacks against Tranax ATMs at the Black Hat security conference, showing how he could exploit a remote access vulnerability to gain full access to the machines without needing a password [2312]. Tranax's remote monitoring system had an authentication bypass vulnerability that allowed attackers to access the system over the internet or dial-up; it was later addressed by advising customers to disable the remote system [2297].
Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The design-phase aspect of the incident can be seen in the vulnerabilities discovered by researcher Barnaby Jack in the ATMs manufactured by Triton and Tranax. Jack found security flaws in the systems that allowed unauthorized programs to execute, enabling him to reprogram the ATMs remotely or through physical access using malware loaded on a USB stick [2297, 2312].
(b) The operation-phase aspect of the incident is evident in the exploitation of vulnerabilities in deployed ATMs. Jack demonstrated how he could connect to the ATMs through a telephone modem and force them to dispense cash without needing a password, showing the risk posed by unpatched machines in operation [2297, 2312].
Boundary (Internal/External)
Option: within_system
Rationale:
(a) within_system:
- The software failure incident described in the articles is primarily within the system. The vulnerabilities and programming errors found by the security researcher, Barnaby Jack, allowed him to gain complete access to the ATMs and exploit them to make the machines dispense cash [Article 2297, Article 2312].
- Jack demonstrated techniques that could be used to open the built-in safes of many ATMs made by the same companies, indicating vulnerabilities within the system [Article 2312].
(b) outside_system:
- There is no explicit mention of contributing factors originating from outside the system in the context of the software failure incident described in the articles. The focus is on vulnerabilities within the ATMs themselves and the methods used to exploit them [Article 2297, Article 2312].
Nature (Human/Non-human)
Option: non-human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- The software failure incidents described in the articles were primarily due to vulnerabilities and programming errors in the ATM systems themselves, such as security flaws that allowed unauthorized programs to execute on the system [2297].
- Barnaby Jack demonstrated hacks against ATMs by exploiting vulnerabilities in the systems, such as an authentication bypass vulnerability in the remote monitoring feature of the Tranax ATM and a security flaw in the Triton ATM that allowed unauthorized programs to run [2297].
- The vulnerabilities in the ATMs allowed Jack to remotely reprogram the machines, upload malware, and exploit the systems to make them dispense cash or capture sensitive data [2297].
- Jack highlighted that the vulnerabilities he found in the ATMs allowed him to gain complete access to the machines and learn techniques to open the built-in safes of many other ATMs made by the same companies [2312].
(b) The software failure incident occurring due to human actions:
- The articles do not specifically mention any software failure incidents caused by human actions. The focus is primarily on vulnerabilities in the ATM systems themselves that the researcher exploited to demonstrate hacks and security weaknesses.
Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident occurring due to hardware:
- The incident reported in the articles is related to ATM vulnerabilities that allowed attackers to exploit hardware components of the ATMs. For example, in the case of Triton ATMs, the PC motherboard that dispenses cash from the vault was protected only by a standard key that could be purchased online for about $10, allowing the researcher to force the machine to accept malicious software [2297, 2312].
- Additionally, the vulnerability in the Triton ATMs was related to the physical lock on the system, which was not unique and could be easily opened with a standard key [2297, 2312].
(b) The software failure incident occurring due to software:
- The incident in the articles primarily occurred due to vulnerabilities in the software running on the ATMs. For example, the Tranax ATM vulnerability was a remote access vulnerability that allowed full access to an unpatched machine without requiring a password [2297, 2312].
- The software vulnerabilities allowed the attackers to exploit the ATMs by uploading malicious software or firmware onto the systems, enabling them to control the machines and manipulate them to dispense cash or capture sensitive data [2297, 2312].
- The software vulnerabilities were exploited to gain complete access to the ATMs and perform actions like forcing the machines to disgorge their entire supply of cash without authentication [2297, 2312].
Objective (Malicious/Non-malicious)
Option: malicious, non-malicious
Rationale:
(a) The software failure incident described in the articles is malicious in nature. The incidents involved deliberate hacking and exploitation of vulnerabilities in ATMs by security researcher Barnaby Jack. Jack demonstrated how he could remotely reprogram ATMs, exploit security flaws, and install malware to make the machines dispense cash or capture sensitive data like account numbers and PINs [2297, 2312]. These actions were carried out with the intent to harm the system and exploit it for financial gain.
(b) The software failure incident is also non-malicious in the sense that the vulnerabilities exploited by Jack were not intentionally introduced by the ATM manufacturers. Instead, they were programming errors and security flaws that were discovered and reported by Jack to the companies, leading to patches being released to address them [2297, 2312]. The vulnerabilities were present in the ATMs due to oversight or a lack of thorough security testing rather than intentional malicious action by the manufacturers.
Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The intent of the software failure incident related to poor_decisions:
- The software failure incidents related to the ATM hacks demonstrated by Barnaby Jack at the Black Hat security conference were primarily due to poor decisions made in the design and implementation of the ATM systems [2297, 2312].
- Vulnerabilities such as an authentication bypass vulnerability in the remote monitoring feature of Tranax ATMs and a security flaw in Triton ATMs allowed unauthorized access and execution of malicious programs on the systems [2297, 2312].
- The Triton ATMs used a uniform lock on all systems, making them vulnerable to unauthorized access with a $10 key available online. Although Triton offered a lock upgrade kit with a high-security lock, not all customers chose to upgrade, leaving the vulnerability in place [2297, 2312].
- The software flaws and vulnerabilities in the ATM systems were exploited by Jack to demonstrate how easily an attacker could manipulate the machines to dispense cash or capture sensitive data [2297, 2312].
(b) The intent of the software failure incident related to accidental_decisions:
- The software failure incidents related to the ATM hacks demonstrated by Barnaby Jack were not accidental but rather intentional actions taken to exploit vulnerabilities in the ATM systems [2297, 2312].
- Jack's research and demonstration at the Black Hat conference were deliberate efforts to highlight the security flaws in ATMs and raise awareness of the vulnerabilities present in these systems [2297, 2312].
- The vulnerabilities discovered in the ATM systems were not accidental but were the result of poor design choices and security oversights that allowed unauthorized access to and manipulation of the machines [2297, 2312].
Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) The software failure incident occurring due to development incompetence:
- The articles describe how security researcher Barnaby Jack demonstrated vulnerabilities in ATMs manufactured by Triton and Tranax resulting from security flaws and programming errors [2297, 2312].
- Jack found vulnerabilities that allowed unauthorized programs to execute on the systems, making it possible to exploit the ATMs to dispense cash or capture sensitive data [2297].
- The Triton ATM had a security flaw that allowed unauthorized software to run on the system, and the company released a patch to address this issue [2297].
- Jack mentioned that he found vulnerabilities in all the ATMs he examined, indicating a lack of robust security measures in the development of these systems [2297, 2312].
(b) The software failure incident occurring accidentally:
- The articles do not mention any accidental factors contributing to the software failure incident. The incidents described were deliberate hacks and vulnerabilities identified by the security researcher Barnaby Jack [2297, 2312].
- Jack's demonstration at the Black Hat conference was intentional, meant to highlight the vulnerabilities in the ATMs and raise awareness of the security risks associated with these machines [2297, 2312].
Therefore, based on the information provided in the articles, the software failure incident was primarily due to development incompetence rather than accidental factors.
Duration
Option: permanent
Rationale:
(a) The software failure incident described in the articles is more aligned with a permanent failure. The vulnerabilities and programming errors discovered by the security researcher, Barnaby Jack, allowed complete access to the ATMs, enabling attackers to exploit them to dispense cash or capture sensitive data [2297, 2312]. These vulnerabilities were present in the code of the ATMs and required specific actions to be taken advantage of, indicating a fundamental flaw in the software design that could not be rectified without patches or upgrades. Additionally, the fact that the researcher found similar vulnerabilities in all the ATMs he examined suggests a systemic issue in the software security of these machines, making the failure more permanent in nature.
Behaviour
Option: omission, value, other
Rationale:
(a) crash: The software failure incident described in the articles does not involve a crash in which the system loses state and performs none of its intended functions.
(b) omission: The incident involves an omission, in which the system fails to perform its intended functions at one or more instances. This is evident in the demonstration by researcher Barnaby Jack, who showed how the ATMs could be hacked to spew out cash, indicating a failure of the security mechanisms of the ATMs [2297, 2312].
(c) timing: The incident does not involve a timing issue in which the system performs its intended functions correctly but too late or too early.
(d) value: The incident involves the system performing its intended functions incorrectly. This is seen in the demonstration in which the researcher was able to make the ATMs dispense cash without proper authorization, indicating a flaw in the system's security protocols [2297, 2312].
(e) byzantine: The incident does not exhibit byzantine behavior, in which the system behaves erroneously with inconsistent responses and interactions.
(f) other: The other behavior observed in the incident is a security vulnerability that allowed unauthorized access to the ATMs, enabling the attacker to manipulate the machines into dispensing cash inappropriately. This highlights a critical flaw in the security design of the ATM systems [2297, 2312].

IoT System Layer

Layer Option Rationale
Perception
Option: processing_unit, network_communication, embedded_software
Rationale:
(a) sensor: The ATM hacks demonstrated by Barnaby Jack at the Black Hat security conference did not involve sensor errors. Instead, the hacks targeted vulnerabilities in the ATM systems themselves, such as reprogramming the ATM remotely over a network or exploiting security flaws to execute unauthorized programs on the system [2297, 2312].
(b) actuator: The failure was not related to actuator errors, as the hacks demonstrated by Barnaby Jack did not involve manipulating the physical components of the ATMs directly. Instead, the focus was on exploiting vulnerabilities in the software and security mechanisms of the ATMs [2297, 2312].
(c) processing_unit: The incident was primarily related to errors in the processing unit of the ATMs. Barnaby Jack demonstrated how he was able to exploit security flaws and vulnerabilities in the processing units of the ATMs to gain unauthorized access, reprogram the machines, and make them dispense cash or capture sensitive data [2297, 2312].
(d) network_communication: The failure involved contributing factors introduced by network communication errors. Barnaby Jack demonstrated hacks that exploited vulnerabilities in the network communication features of the ATMs, such as remote monitoring systems that could be accessed over the internet or dial-up. By leveraging these weaknesses, he was able to remotely access and manipulate the ATMs [2297, 2312].
(e) embedded_software: The incident was directly related to errors in the embedded software of the ATMs. Barnaby Jack exploited security flaws in the embedded software of the ATM systems, allowing him to upload malicious programs, overwrite firmware, and execute unauthorized code on the machines. The vulnerabilities in the embedded software enabled the hacks demonstrated at the Black Hat conference [2297, 2312].
Communication
Option: connectivity_level
Rationale:
[2297] The software failure incident described in the articles is related to the communication layer of the cyber-physical system that failed. The failure was due to contributing factors introduced by the network or transport layer. Specifically, researcher Barnaby Jack demonstrated hacks against ATMs by exploiting vulnerabilities in the remote monitoring features of the systems, which could be accessed over the internet or dial-up connections. Jack reprogrammed the ATMs remotely over a network and also used a USB stick loaded with malware to exploit security flaws in the systems' communication protocols. Additionally, the Tranax ATM hack was conducted using an authentication bypass vulnerability in the system's remote monitoring feature, which could be accessed over the internet or dial-up connections.
Application
Option: TRUE
Rationale:
[2297, 2312] The software failure incidents described in the articles were related to the application layer of the cyber-physical system. The failures were caused by vulnerabilities and programming errors in the ATMs' software that allowed hackers to gain complete access to the machines, exploit security vulnerabilities, and manipulate the systems to dispense cash or capture sensitive data. These incidents involved bugs, security flaws, and unauthorized access to the ATMs' software, which align with the definition of failures at the application layer due to bugs, errors, and incorrect usage.

Other Details

Category Option Rationale
Consequence
Option: property, non-human
Rationale:
(d) Property: people's material goods, money, or data were impacted due to the software failure.
- The ATM hacks demonstrated by researcher Barnaby Jack at the Black Hat security conference resulted in ATMs spewing out money, with one attack making an ATM spit out dozens of bills [2297].
- The malware discovered on bank ATMs in Eastern Europe last year was designed to capture account numbers and PINs, allowing attackers to instruct the machine to eject cash and potentially steal up to $600,000 from a fully loaded bank ATM [2297].
- In a separate incident, a Bank of America employee was charged with installing malware on ATMs, enabling him to withdraw thousands of dollars without leaving a transaction record [2297].
Domain
Option: finance
Rationale:
(a) The failed system was related to the finance industry, specifically automated teller machines (ATMs) used for dispensing cash and conducting financial transactions [2297, 2312]. The incidents described in the articles involved security vulnerabilities in ATMs manufactured by companies like Triton, Tranax, Diebold, and NCR, which are crucial components of the financial infrastructure for cash withdrawals and banking services. The vulnerabilities allowed unauthorized access to the ATMs, leading to incidents of cash spewing out, unauthorized withdrawals, and the capture of sensitive financial information like account numbers and PINs.
(h) The software failure incident was directly related to the finance industry, as it involved security vulnerabilities in ATMs that are essential for manipulating and moving money for profit [2297, 2312]. The exploitation of these vulnerabilities could potentially lead to financial losses, unauthorized cash withdrawals, and the compromise of sensitive financial data of ATM users.
(m) The failed system was not related to any other industry mentioned in the options provided.

Sources
