Many of the 65,000 ATMs in the UK will become less secure once Microsoft ends extended support for the embedded version of its Windows XP operating system next month, according to security experts.
From January 2016, Microsoft will be issuing no further security patches or updates for flavours of Windows still used by the majority of ATMs in the UK (and in many other countries around the world).
Support has already been wound down but next year it will be discontinued unless banks upgrade or bridge the gap with expensive custom support contracts.
“The desktop version of Windows XP ceased to be supported by Microsoft in July 2014 and while the embedded version was given extended support until January 2016, most ATMs still rely on the old operating system,” said Kerry Davies, chief exec at Abatis, a security software firm that is promoting its technology as a means for banks to protect cash machines.
Abatis warns that the lack of security updates puts the ATM network at greater risk from hacker attacks and malware infection. This warning comes from a firm touting security technology for embedded systems, so there’s a clear self-interest at play, as experts have noted.
Nonetheless, it would be unwise to dismiss the issue of cash machine security on those grounds, not least because malware has already been used to infect ATMs and steal money through various scams.
Many of the cons have cropped up in hotspots such as Mexico and Russia and some have involved assistance from corrupt insiders. Few, if any, have relied on exploiting operating system vulnerabilities, although lack of anti-malware protection has arguably been a factor in some frauds.
Banking customers may still be able to pay for custom premier support from Microsoft, we're told.
UK startup Abatis is marketing its Host Integrity Technology as a cheaper alternative for defending ATMs against malware. The technology is designed to block unauthorised modifications, unwanted write operations and unapproved executables in real time, preventing either hacking or malware infection in the process.
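To make the principle concrete, here is an added illustration of the kind of integrity check described above. It is written for this edit and is not code from the article or from Abatis; the directory layout, file names and file contents are constructed for the example. A baseline of executable hashes is recorded while the machine is known good, and any executable that later appears, changes or disappears is reported.

```python
"""Added example (not from the article or Abatis's product): a minimal
executable-allowlist integrity check. Baseline a known-good tree, then
report executables that are new, modified or removed."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Executable suffixes the check cares about (an assumption for this example).
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".bat", ".cmd"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Record the SHA-256 of every executable under root, keyed by relative path."""
    baseline: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def check_against_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the executables present now with the baseline.
    Returns sorted lists of 'added', 'modified' and 'removed' relative paths."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current.keys() & baseline.keys()
                      if current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a known-good tree, then simulate an
    unexpected new executable and a tampered DLL, and report the deviations."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "dispenser.exe").write_bytes(b"MZ-known-good-dispenser")
        (root / "app" / "xfs.dll").write_bytes(b"MZ-known-good-xfs")
        (root / "app" / "readme.txt").write_text("not an executable, ignored")
        baseline = build_baseline(root)
        # Constructed deviations from the baseline.
        (root / "app" / "dropper.exe").write_bytes(b"MZ-unexpected")
        (root / "app" / "xfs.dll").write_bytes(b"MZ-tampered-xfs")
        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Run as a script, the demo reports `app/dropper.exe` as added and `app/xfs.dll` as modified while ignoring the text file. A periodic scan like this is a detective control; enforcing the allowlist in real time, as the article says Abatis's product does, requires intercepting writes and executions at the kernel level, which is outside the scope of this illustration.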
El Reg asked Microsoft to comment on Abatis’s warning on Friday. By Monday lunchtime, the best its PR reps could offer was to point us towards a microsite offering general information to customers about Windows XP Embedded on its retirement plan.
This site explains that the curtain comes down on the Extended Support Cycle for Windows XP Embedded on 12 January 2016, 21 months after the desktop version of XP was retired.
Any machine still running Windows XP Embedded Service Pack 3 (SP3) from mid-January onwards is therefore at greater risk because software updates and support have been withdrawn. The plug gets pulled on Windows Embedded for Point of Service SP3 slightly later, on 12 April 2016.
Windows Embedded Standard 2009 – which is based on Windows XP, and was originally released in 2008 – will be supported for three years until January 2019, but moving to it would require an operating system upgrade for cash machines running the older software.
Other security experts counsel against alarm while urging action to update ageing systems. “The end of support for Windows XP Embedded does not mean that the next day these machines will be hacked into or taken down,” said Ben Herzberg, security research manager at Imperva.
“For any bank that follows information security guidelines, ATMs are behind a layered protection architecture, where the OS is only one of the layers. But the ATMs are on a separate network, with strict firewall rules and several security controls stopping any attacker long before they get to those systems.”
Herzberg compared the situation faced by unpatched ATMs to that faced in industrial control systems environments, where running obsolete operating systems has been common practice for many years.
“A similar situation exists on many ICS (Industrial Control Systems) where old and unsupported operating systems are still being used in production environments, and are not replaced because the cost would be very high,” Herzberg explained.
Despite ATMs having additional layers of protection, even absent operating system software updates, “having an outdated and unsupported operating system on a machine that is able to hand out cash to clients is still a considerable risk,” Herzberg concluded.
“Bottom line: Don’t panic, but try to update ATMs to a supported OS as soon as possible,” he added. ®