Windows Cash-Machine Worm Generates Concern
Dec 9, 2003 2:04 PM PT
Concerns about computer viruses and worms are spreading beyond the PC arena as embedded software and systems vulnerable to attack are introducing risk to several unique technology sectors, including automatic teller machines (ATMs), emergency response systems and even automobiles.
ATM maker Diebold recently confirmed that this year's Nachi worm infected cash machines of two U.S. banks, highlighting the risk associated with using a Windows-based operating system, which is more popular and therefore more commonly targeted by attackers.
Last January, the Slammer worm knocked out an unpatched 911 emergency response system in Bellevue, Washington, forcing authorities there to switch to manual mode. Such attacks are almost inevitable because the integration and deployment of hardware has become incredibly complex, making auditing and patching insurmountable tasks, iDefense malicious code intelligence manager Ken Dunham told TechNewsWorld.
In addition, Dunham said, increased use of embedded software and systems could have unforeseen side effects that could be devastating.
"The more integrated computers are into our society -- the more they're used to control things remotely -- the more risk there is for a code-based or computer-based attack," he said. "It could be everything from the gate that lets you out of the parking lot, to your car, to the microwave, to the server that investigators use to catch the bad guys."
Locked Down, Not In
Concerns about attacks on embedded systems also have heightened as several companies and industries have transitioned, much as Diebold did, from old operating systems such as IBM's OS/2 software for ATMs to Windows versions, such as XP Embedded.
Dunham said the key to securing embedded software and systems -- which often hide software vulnerabilities more than other, more prominent software -- is releasing them only after extensive testing and without major bugs, "so you don't have situations where people are locked in their cars or have access restricted."
He added that, much like PDAs and mobile phones, the attack opportunity on an embedded software machine is limited by the processing power and other capabilities of the device. However, the case of the infected Diebold cash machines and Slammer's impact on emergency services illustrate that risk remains.
"We may think [embedded systems] are hard to attack, but the incidental effects of attacks have shown that's not the case," Dunham said.
Firewall for Cash
Diebold spokesperson Tiffini Bloniarz could not say whether the company's current strategies are the result of the August infection of ATMs by Nachi, but she told TechNewsWorld that the company is working with Sygate to protect its cash machines with firewalls.
"With security becoming an increasing priority as ATMs migrate to Windows and TCP/IP networks, Sygate and Diebold are working together to ensure Diebold ATMs are equipped with the highest degree of protection against misuse and malicious intent," said a statement from Diebold.
The ATM and electronic voting machine vendor, which recently retracted legal threats over criticisms of the security and administration of its election machines, said it will begin shipping the Sygate Security Agent software with ATMs by the end of this year. Diebold also has offered to install the software on existing ATMs, the company said.
Bloniarz said Diebold produced about half of the estimated 200,000 bank-owned ATMs in the United States, but she added that the company is not sure how many are running Windows.
Fear of Unknown
Dunham said concerns about attacks on embedded software and systems are even more significant than those about attacks on standard PCs, considering that the issues to date have involved secondary or incidental effects, such as bringing down emergency systems.
"These side effects are impacting things, and attackers are learning from it," he said. "Once we have a targeted attack, we'll have a real significant situation on our hands."
He added that the true effects of migrating to the heavily targeted Windows environment will not be fully realized until attackers pounce on vulnerabilities.
"Considering embedded software and firmware solutions, we are going to have more concerns about what we don't know," Dunham said.