No big deal. You can defeat Kaspersky's ATM antivirus with a really fat executable
After you've gained arbitrary execution on the cash machine, natch
Flaws have been found and fixed in Kaspersky Lab's security software for cash machines and other embedded systems. Hackers can exploit the bugs to circumvent anti-malware defenses in ATMs.
Although Kaspersky responded promptly to the discovery and developed and released a patch, one wonders how long it will take for the updates to be installed in equipment around the world, if ever.
Georgy Zaytsev, a Positive Technologies researcher, uncovered a vulnerability in the Applications Launch Control component of Kaspersky Embedded Systems Security 1.1 and 1.2 during a security audit of cash machines relying on the technology.
Exploitation of the programming blunder involves overloading Kaspersky's software to the point where it would be unable to process file verification requests. This means malware can circumvent whitelisting controls that may otherwise have blocked infections. Even then, cybercrooks would still have to string together other tricks to actually jackpot targeted ATMs and trick them into dispensing cash. For one thing, miscreants would have to find a way to inject and run malicious executables on the ATM.
"The vulnerabilities that have been reported to us by Positive Technologies do not directly allow the withdrawal of cash from the ATM. It would require several conditions to coincide in order for such an attack to work: for example, before exploiting these vulnerabilities, an attacker would first need to infect the system with malware – bypassing all the protection components of the solution – and launch it within the system," a Kaspersky Lab spokesman told El Reg.
To overwhelm the antivirus, an attacker would need to add a large amount of arbitrary data to the end of an executable file. When this program is started, the system computes its hash and checks this against a list of approved signatures to decide whether to allow or block the execution. With a large file, the process takes longer than the time allotted for verification. When this time interval runs out, the program is started anyway. This is a one-shot attack because the hashing process is not halted, and the system caches signatures. Therefore, the next time that executable is started, Kaspersky's software will be able to immediately realize the file is bad and stop it.
Alternatively, a hacker can start multiple instances of the security application simultaneously, causing the technology to hang and allowing the miscreant to start an unauthorized file. Kaspersky Embedded Systems Security 2.0 is not vulnerable to either of these attacks.
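To make the timeout behaviour described above concrete from a defender's angle, here is an added Python model (it is not Kaspersky's code and not Positive Technologies' proof of concept) of an allow-list launch check with a verification deadline. It assumes a byte budget as a stand-in for the wall-clock time allotted to hashing, a verdict cache keyed by path, and constructed stand-in bytes for the executables; the `fail_open=False` variant shows the setting that closes the one-shot window.

```python
import hashlib

CHUNK = 4096

# Constructed stand-ins for binaries on the cash machine (not real executables).
TRUSTED_IMAGE = b"MZ trusted dispenser client v1"
ROGUE_IMAGE = b"MZ rogue executable"
ALLOWED_HASHES = {hashlib.sha256(TRUSTED_IMAGE).hexdigest()}


class LaunchControl:
    """Allow-list checker with a verification deadline (a model, not vendor code).

    The time allotted for verification is modelled as a byte budget: an image
    larger than the budget is treated as one whose hash was not ready in time.
    fail_open=True reproduces the reported weakness: the launch is permitted on
    timeout, hashing still runs to completion and the verdict is cached, so the
    same image is blocked on its next launch. fail_open=False denies on timeout.
    """

    def __init__(self, allowed, byte_budget, fail_open):
        self.allowed = allowed
        self.byte_budget = byte_budget
        self.fail_open = fail_open
        self.cache = {}  # path -> final verdict once the hash has been computed

    def check(self, path, image):
        if path in self.cache:  # a cached verdict leaves no deadline to exceed
            return self.cache[path]
        digest = hashlib.sha256(image).hexdigest()  # hashing is never halted
        verdict = "allow" if digest in self.allowed else "block"
        self.cache[path] = verdict  # remembered for the next launch of this path
        if len(image) > self.byte_budget:  # deadline expired before the hash was ready
            return "allow-on-timeout" if self.fail_open else "block-on-timeout"
        return verdict


def demo():
    padded = ROGUE_IMAGE + b"\0" * (10 * CHUNK)  # rogue image grown past the budget
    weak = LaunchControl(ALLOWED_HASHES, byte_budget=4 * CHUNK, fail_open=True)
    hardened = LaunchControl(ALLOWED_HASHES, byte_budget=4 * CHUNK, fail_open=False)
    return {
        "trusted": weak.check("C:\\atm\\client.exe", TRUSTED_IMAGE),
        "weak_first": weak.check("C:\\tmp\\big.exe", padded),
        "weak_second": weak.check("C:\\tmp\\big.exe", padded),
        "hardened_first": hardened.check("C:\\tmp\\big.exe", padded),
        "hardened_second": hardened.check("C:\\tmp\\big.exe", padded),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `weak` checker lets the oversized image run exactly once and blocks it on the second launch, which is the one-shot pattern the researchers described; the `hardened` checker never lets it run.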
Meanwhile, Kaspersky's security update addresses another vulnerability discovered by Positive Technologies: this flaw can be exploited to disable the Applications Launch Control functionality by sending a special request to the klif.sys driver.
If your job involves Kaspersky and ATMs, look out for critical fix KB13520. The update was quietly pushed out at the end of June. After waiting around three weeks for ATM owners to update their security, Positive Technologies let us know about the problem on Thursday.
Positive's researchers have previous form in uncovering problems in ATM security software. For example, last year their security research team detected a dangerous vulnerability in the Solidcore system included in McAfee Application Control. ®