Improving ATM security
While the security of Automated Teller Machines is not necessarily ‘life critical’ as with many other industries (think transportation, medical and some industrial applications), there are certainly financial and identity theft risks associated with these devices. There is much data on the web regarding the various ATM attack vectors, the estimated number of annual hacks and the cost to the industry.
Guest blog by Rick Anderson, Wind River.
The question we will ponder here is very specific – would replacement of the Windows Operating System in an ATM with a Linux-based one improve security? Most experts believe the answer is YES!
Today’s ATM looks very much like a Personal Computer on your desk – it runs the world’s most popular desktop operating system, Windows, on the world’s most popular hardware, Intel motherboards. But therein lies part of the problem. By being ‘most popular’, there are few barriers for the ‘bad guys’ to simulate the internals of a typical ATM. This fact alone makes Windows more prone to attack than alternatives.
While Linux has a much smaller market share, that still means lots of systems. But it has something else going for it – open source. Data suggests that open source solutions provide the best security. This is because the code is readily available for anyone to inspect and there are literally thousands of eyes scrutinising every code change.
Under Windows, users are given a fair amount of system access by default. While ATM vendors attempt to lock this access down, it’s difficult to find and secure every area. Linux is built differently and many things are protected by default. Although these protections can be overridden by the system administrator, starting from a locked-down system rather than an open one has a small advantage.
Another advantage of Linux is that it has many security tools built into the distribution, and these tools have been in place a long time. With Windows, you need to select your firewall, your anti-virus tool, another solution for whitelisting key applications, an encryption solution, a firmware-over-the-air program, etc. These might or might not work well together and could expose additional security flaws. Most Linux distributions come with a complete security suite that has been hardened together for quite some time.
Each new version of Windows is supported on only the newest hardware. This causes all kinds of problems for ATM vendors. Do they upgrade their hardware at a cost of millions every few years, do they try to run it on unsupported hardware, or do they not upgrade and therefore have an unsupported solution? There are no easy answers here, as most ATM vendors are facing this problem right now with the expiration of Windows 7 support and the need to move to Windows 10. Linux, on the other hand, often supports hardware for a very long time. This is because the open source community demands it. As long as someone is running motherboard X and peripheral Y and they are willing to keep the code moving forward, it will be supported. Because the code is open, you are not handcuffed to Microsoft’s determination of whether it’s supported or not. You, your OEM or your ODM can take up support if really required.
Linux might also have an advantage over Windows in that security flaws are patched more quickly. While this is hard to prove, the Windows service pack and Patch Tuesday methodology seems more rigorous than most Linux methods. What’s more, Linux patches are often smaller because they include only the security flaw fix, while Windows security patches get combined with many other fixes.
A final point worth mentioning: from a footprint perspective, Linux has fewer lines of code than Windows. This means the attack surface is smaller. Another advantage for Linux.
These days, security is an absolute requirement. Indeed, for those companies that secure their products, it can be a differentiator. And those that don’t do a good job? Well, they face increasing threats, fines and indeed, their very existence could be at risk. And make no mistake about it – things will continue to get worse before they get better.
Courtesy of Wind River.