back to article Is ATM security threatened by Windows XP support cutoff? Well, yes, but …

Many of the 65,000 ATMs in the UK will become less secure once Microsoft ends extended support for the embedded version of its Windows XP operating system next month, according to security experts. From January 2016, Microsoft will be issuing no further security patches or updates for flavours of Windows still used by the …

  1. Phil O'Sophical Silver badge

    will become less secure once Microsoft ends extended support for the embedded version of its Windows XP operating system next month

    Not so, they will simply remain exactly as (in)secure as they are now.

    1. John Robson Silver badge

      Nearly - but if I had a zero day on XP embedded in my pocket now I woulnd't use it for a couple of weeks.

      Then I know that if it still works it will always work. AND I can also check the patches issued for whatever followed WinXP Embedded to see if the flaws fixed also existed in the older OS - and again, I know they won't be patched.

      The opportunities for exploit are much higher if I know that the systems will never be patched.

    2. This post has been deleted by a moderator

      1. Phil O'Sophical Silver badge

        And what does any of that have to do with the fact that XP won't magically become less secure just because it is out of support? It's been EOL for years, going EOSL won't change that.

        And I'm not a child, I have 15 years more embedded programming experience than you. None of which, fortunately, was on windows. I also prefer to build systems where I have a copy of the code. All of it.

        1. BillG
          Thumb Up

          And what does any of that have to do with the fact that XP won't magically become less secure just because it is out of support?

          You are confusing XP for the desktop with XP Embedded. XPE is extremely slimmed down and omits things like the shell, file browsing, control panel, start menu, address bar, etc. Because it is configured for a single purpose (an XPE ATM machine can't browse the web, an XPE sales kiosk can't check your email), once set up it is inflexible. On XPE a user can't change system settings, can't force a stack overflow, it will always boot in a predictable way, etc.

          On an XPE ATM the user has the touch-screen interface and keypad, period. A keyboard interface is available for debug and status use only, on the back of the machine safely under lock and key. Hit too many strange keypad combinations and the machine will lock down while your picture is taken (go ahead, try it!).

          The source code with documentation is useful for those with enough experience to make use of it. Typically embedded source code of this type comes with extensive documentation along with a support contract which might include telephone and/or on-site support, training, tutorials, and a network of 3rd party contractors.

          While XPE is very well secure, I'd prefer a solution from WindRiver before I'd look at XPE.

          And I'm not a child, I have 15 years more embedded programming experience than you.

          Not sure exactly what embedded project you were working on back in 1980. I wrote my first code for a hybrid VAX/VMS system (remember timesharing?) in 1976, and coded a 68000 SBC in assembly in 1985-ish. First time I coded a microcontroller I had no compiler so I did it in binary (don't do that). But making silly one-line brand-biased statements for laughs, well, to me that's childish and unprofessional.

          1. Phil O'Sophical Silver badge

            You are confusing XP for the desktop with XP Embedded.

            No, I am not.

            Not sure exactly what embedded project you were working on back in 1980.

            The project won't mean anything to you even if I named it. It was RT11, then RSX11. Ported that to an M68K system whose name escapes me (it was the runtime for code written in RTL/2) and wrote the drivers for that in assembler.

            I wrote my first code for a hybrid VAX/VMS system (remember timesharing?) in 1976,

            I do remember timesharing, and I remember that VMS VAXen (hybrid? in what way?) came out in 1977. Macro32 was a pleasant change from writing PLAN for ICL systems.

            First time I coded a microcontroller I had no compiler so I did it in binary (don't do that).

            No, I wouldn't do that again, I did enough of it on 6502s and 6800s. Nice chips, though. VMware on PowerPC wasn't bad either.

            But making silly one-line brand-biased statements for laughs, well, to me that's childish and unprofessional.

            Puzzling, where do you think I did that? And if you don't like it, why are you reading The Register?

            1. Moonunit

              Off-topic slightly ... but manly handshakes re RTL/2

              Made my (greyish) day you did, what with mention of RTL/2! Worked on some RTL/2 bits on an EW system in the 80s - probably 10 years after you did, but still, there's someone else who knows what RTL/2 is, and RSX11 ... *warm fuzzies*.

              Thank you. I shall now hide my wrinkles and see where I left off ...

            2. Anonymous Coward
              Anonymous Coward

              ATMs (from the main vendors) don't run XPE, they run XP Pro under an XPE licence.

              OS hardening is dependant on how the bank wants to do it (usually in line with the ATM vendors' recommendations).

            3. BillG

              > I wrote my first code for a hybrid VAX/VMS system (remember timesharing?) in 1976,

              I do remember timesharing, and I remember that VMS VAXen (hybrid? in what way?) came out in 1977. Macro32 was a pleasant change from writing PLAN for ICL systems.

              My bad, fading memory yad yada yada. In 1976 I wrote my first code for a hybrid HP system. Later in 1984 I first sat down at a VAX/VMS terminal and was also introduced to my first hack. I was able to spoof any username when using the PHONE system (that two-windowed ACII "chat" interface). But technically my very first program (if it can even be called that) was the Digi-Comp in about 1968; although nowhere near on the level you were doing, it got me hooked on programming.

              Not familiar with RT11 or RSX11, and I won't try to snow you by googling it, but kudos to you for programming when no one knew what that meant.

              No I would never program in binary again either, but I feel every serious programmer should be forced to do it just once (just as I feel everyone should wait tables just once). IMO too many embedded programmers take C for granted and expect magic code optimizations, especially when it comes to bit manipulation.

          2. Rob Daglish

            Are there different levels of XPE?

            Because I've used Point of Sale and some Carl zeiss meditec equipment running XP Embedded which had "shell, file browsing, control panel, start menu, address bar, etc."

            One of the meditec had the default shell changed, but the other you'd have been hard pressed to tell it wasn't desktop XP

            1. patrickstar

              Re: Are there different levels of XPE?

              (With the reservation that it was long ago and I might be confusing it with a different flavor of Windows) XPE lets you build a custom install image including just the stuff you want. So any unneeded services, or God forbid, an actual desktop Environment with standard applications, means the vendor didn't do a proper job when setting it up.

              I think you can get it down to around 10MB + drivers, and that certainly won't include IE or the shell...

              Also, very funny that another commenter suggested using RPi's instead since now there's Windows for them as well :-). It's called Win IoT though - no idea how, if any, that differs from Embedded.

              As a sidenote, even the x86 Windows appliances tend to not be that much bigger than a RPi. There are even x86 SoCs; in fact, many el cheapo WLAN routers are actually x86, though at the 286 level or so. And even when it's not a SoC it's still nothing resembling a full-sized motherboard.

            2. jelabarre59 Silver badge

              Re: Are there different levels of XPE?

              > Because I've used Point of Sale and some Carl zeiss meditec equipment running XP

              > Embedded which had "shell, file browsing, control panel, start menu, address bar, etc.

              Yeah, I remember seeing some Point-of-Sale systems at the office cafeteria, where one had the "desktop" up rather than the PoS GUI, and right there with the rest of the icons was Internyet Exploder. I remember wondering why a PoS terminal needed a web browser.

              Of course, the hardware was made by IBM, so "PoS" had more than one meaning there...

          3. AlbertH

            Not sure exactly what embedded project you were working on back in 1980. I wrote my first code for a hybrid VAX/VMS system (remember timesharing?) in 1976, and coded a 68000 SBC in assembly in 1985-ish. First time I coded a microcontroller I had no compiler so I did it in binary (don't do that).

            My first embedded project (actually an 8-bit ASIC processor) was 1982 for a big Japanese electronics corporation. It was a very early example of microprocessor-based ASIC and derivatives of it still turn up in products to this day! The first iteration of it was written in binary. Once I'd demonstrated that it would work, they gave me time to write a compiler, a bootloader and several other useful tools (that are still in use!).

      2. Anonymous Coward
        Anonymous Coward

        So you'd have the source. But realistically, how are companies unwilling to update or pay extended support more likely to hire a team of skilled programmers to maintain an obsolete OS source code, with tha acompanying red tape of code audits and delivery process? They already switched to Windows XP on PC hardware to cut costs in the first place.

        Or even find those programmers with the needed skills, for that matter, because maintaining old code that's not yours is an excruciatingly boring job. And it might not be a long-term career, once the ATM's are scrapped, finding a new job in the cloud against the cheaper kidz with current skills won't be fun.

        Source code, yes, it's good to have it, but it's not a magic bullet, it doesn't fix itself.

        1. Doctor Syntax Silver badge

          "But realistically, how are companies unwilling to update or pay extended support more likely to hire a team of skilled programmers to maintain an obsolete OS source code, with tha acompanying red tape of code audits and delivery process? They already switched to Windows XP on PC hardware to cut costs in the first place."

          The problem arises where the PC, OS, application and a hugely expensive piece of machinery were bought as a single package where the choice of OS was the vendor's. If the OS goes out of support would you rather (a) scrap and replace the machinery, possibly disrupting production for a while in the process or (b) hire a freelancer to maintain the S/W as and when required?

    3. Anonymous Coward
      Anonymous Coward

      Of course it fails to mention that XPe doesn't use service packs, as an update mechanism, but DUA

      But then this is yet more scareware stories from secuirty "experts"

  2. theOtherJT

    How many ATM's are properly updated anyway?

    I genuinely have no idea - but do we really believe that every ATM running XP is getting security patches applied immediately upon release every time?

    1. Anonymous Coward
      Anonymous Coward

      Re: How many ATM's are properly updated anyway?

      I know the bank I used to work for hadn't applied updates for years... although to be fair they hadn't had any problems either.

      This particular bank is till using XP on the majority of its desktops... again to be fair they haven't had any problems there either.

      I know some will say that the problems may be undetected but I think if un-patched XP on the desktop was going to bite them it would have done so by now. Mind you there'll come a time when there Virsu and Firewall software will go out of support and that might cause a few problems......

      1. Roland6 Silver badge

        Re: How many ATM's are properly updated anyway?

        Mind you there'll come a time when there Virsu and Firewall software will go out of support and that might cause a few problems......

        Given that some business grade AV & firewall vendors are still supporting Win2000 (SP4) in their current products, that might be some time off, provided customers keep paying ...

      2. Anonymous Coward
        Anonymous Coward

        Re: How many ATM's are properly updated anyway?

        You don't apply updates to XP embedded, its not like XP desktop. It has a service that recieves pushed updates over the network and silently installs them

        Also because its componentized, its likely to be the the the bare minimum OS (the bare minimum on xpe can be as low as a 50mb kernel and win32 runtime system or anything upwards of that), and having much less in the way of attack vectors. It almost certainly don't have IE, nor many of the other system service vectors of desktop windows.

        I worked with XPe for years and only about 1 in 50 patches were actually applicable to our deployed images, the vast majority of them were low priority, and given the closed nature of a cashpoint (no way of loading malware, unless you are tom cruise), I'm far from worried. Changing systems were be far riskier

        1. jelabarre59 Silver badge

          Re: How many ATM's are properly updated anyway?

          > (no way of loading malware, unless you are tom cruise),

          Ah, he's going to stand next to it and rant about Scientology? Or will he actually make it watch one of his movies? Either way, the hardware will fry itself just to be relieved of it's misery.

    2. Anonymous Coward
      Anonymous Coward

      Re: How many ATM's are properly updated anyway?

      but do we really believe that every ATM running XP is getting security patches applied immediately upon release every time?

      You can imagine wanting to get some cash on a Wednesday morning, for the machine to say "Installing updates (5 of 43). Please do not take any money."

      "It took ages at the bank this morning, they fucked up the updates again..."

  3. chivo243 Silver badge

    How to tell

    Any savvy people out there have a way to know which ATM's are running xp embedded? I would avoid them if they can be identified.

    1. Anonymous Coward
      Anonymous Coward

      Re: How to tell

      I would avoid them if they can be identified

      Then you may want to schedule regular visits to your friendly cashier as you'll find a huge chunk of machines do. then there are you POS machines you may want to avoid as well.

      1. chivo243 Silver badge

        Re: How to tell

        @Lost all faith

        Thanks for the ATM advice, I will stick to ATM's in the bank lobby where a camera can see me withdraw cash from my account if the teller is not available. And from my post about a week ago on POS...

        "As I just told the missus...

        We will pay cash when ever POSsible! Glad we're not in the US"

      2. Lord_Beavis
        Childcatcher

        Re: How to tell

        For the longest time, the "self check out" lanes at my local Kroger grocery store used Windows NT... in to 2012.

        I would laugh my ass off every time I went by one of them and it had crashed to the desktop or had a BSOD on it.

        1. Anonymous Coward
          Anonymous Coward

          Re: How to tell

          dont look too closely youre travelling on rail ... you might not have enough left to keep laughing ...

          1. Anonymous Coward
            Anonymous Coward

            Re: How to tell

            >dont look too closely youre travelling on rail ...

            Unless the requirements have changed in recent years none of the critical systems on the UK's railways ie. those that actually control the movement of trains, will be running an MS OS! because the contractual requirement on the supplier was for a 20 year minimum operational life; XPE only had a 15 year life and no source code access...

    2. Ugotta B. Kiddingme

      Re: How to tell

      I live in an area prone to hurricanes and other power-interrupting weather events. On two occasions, I happened to be been near an ATM when the power came back on. One of those was a "through the wall at a bank" device and the other a "freestanding in a convenience store/chemist's" type. The bank device gave no clue as to operating system but the freestanding one very briefly showed the familiar XP logo.

      I don't know what the rules are on your side of the pond but, here in Yankville, freestanding ATMs often charge exhorbitant fees on top of any transaction fees imposed by your bank. My personal policy is to never trust these since A) you never know who's been able to poke around the device and B) I'm too cheap to pay the extra fee unless I'm in absolute dire straits for cash. Given that I've never seen a USB port or hatch leading to one on a "through the wall" bank ATM, I believe these less likely to be compromised or even ABLE to be compromised in any manner that could be described as easy. I could, of course, be very wrong...

  4. heyrick Silver badge

    Why is this a problem?

    Surely an ATM should, by basic definition, be connected to a private "secure" network and not the public Internet? Additionally there should be no accessible ports without having physical access to the device (in which case the problem is your staff, not your hardware).

    1. Duncan Macdonald Silver badge

      Re: Why is this a problem?

      One rogue staff member with access to one ATM - then let the internal "secure" network carry the malware to every other ATM - can you say "PAYDAY".

      For ATMs (and other sensitive systems), the program loader should be modified so that only digitally signed executables (including DLLs) can be loaded - this would reduce the possibility of malware execution.

      1. Adam 1

        Re: Why is this a problem?

        > the program loader should be modified so that only digitally signed executables (including DLLs) can be loaded - this would reduce the possibility of malware execution.

        Correct. No, wait hang on. We're not talking about Dell or Lenovo are we?

    2. theOtherJT

      Re: Why is this a problem?

      Because sometimes we find flaws in things that let you escape from the secure mode in which you're supposed to be trapped. Sure, I'd hope that with a cash machine that wouldn't be possible, but sometimes really _weird_ shit gets through.

      I heard a story of a PoS terminal many years ago where one of the custom buttons on the unit mapped directly to shift. Hold down for 8 seconds and up came the "Do you want to turn on accessibility mode?" dialogue, which brought the start menu to the foreground with it. From there one could get at the "Run" menu and bad things happened.

      Again, I'd hope that you couldn't pull such a trivial trick on a cash machine... but you never know. All it takes is for someone to work out that you _can_ and then it's just a race between the machine being robbed dry and the bank taking it out of service if there's no patch available.

    3. a_yank_lurker Silver badge

      Re: Why is this a problem?

      Basic rule of security, if it is connected in some way to a device on the Internet it is on the Internet. ATMs are connected to the bank's computers so they know customer PINS, accounts, and balances. These computers are also accessible via the Internet for online banking. Therefore ATMs are connected, albeit, indirectly to the Internet.

      Now getting access to the ATM and doing something is probably very difficult. But in principle and with some sloppiness, bugs, etc. an ATM could be hacked from the outside and the inside.

      And true there much easier ways to defraud people and the bank than attacking the ATM itself such as skimmers. And this lowers the possibility of an attack on the ATM.

      1. Daniel B.
        Boffin

        Re: Why is this a problem?

        Basic rule of security, if it is connected in some way to a device on the Internet it is on the Internet. ATMs are connected to the bank's computers so they know customer PINS, accounts, and balances. These computers are also accessible via the Internet for online banking. Therefore ATMs are connected, albeit, indirectly to the Internet.

        Most ATMs are usually connected directly to the bank via some oldie goldie connections (X.25, maybe some DS0s for more modern ones). They usually connect to a network that is heavily isolated from the true internet. Pretty much anything going through to the mainframes will be firewalled as hell, and there's no way you'll get out to the internet if you're entering through the ATM links. And that's if you even have TCP/IP access. Last time I checked, many ATMs were still using propietary protocols from the pre-TCP/IP world like SNA. Then again, that was when most ATMs were still running OS/2 WARP.

        That said ... the easiest way to get stuff off those XPe devices might just be a USB port.

  5. MJI Silver badge

    Could they just do?

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]

    "Installed"=dword:00000001

    1. chivo243 Silver badge

      Re: Could they just do?

      I don't think this will help when support ends... in 2016! I read this is a hack to extend xp sp3, but not proven stable?

      1. Anonymous Coward
        Anonymous Coward

        Re: Could they just do?

        It's against licensing terms to add that registry key, but POSReady 2009 is supported until 2019. It should in theory work, but it may not be stable.

        1. MJI Silver badge

          Re: Could they just do?

          Seems fine on a PC at home

          1. Anonymous Coward
            Anonymous Coward

            Re: Could they just do?

            "Seems fine on a PC at home"

            With that sort of reasoning, I hope you're not involved with any mission-critical systems.

            1. MJI Silver badge

              Re: Could they just do?

              Why?

              Just because the OS I put on the PC when built (just before 7 release) still works and does what I need it to with no whinging about 16 bit programs, or that Alt-Enter gives me a full size CMD prompt.

              Can't see why I should pay more for another OS when the one on it works.

              And I do have an escape route a 500GB drive with Linux Mint Cinnamon on it and WINE, it can access C and D as well which are the two NTFS drives.

              Not all games though work in Linux

        2. The Average Joe

          Re: Could they just do?

          No it will not work.

          XPE is a slimmed down OS, no windows updates or if you do you fill up the flash.

          I had a young developer helping in IT when we tried to deploy Neoware XPE thin clients to do RDP to a terminal server farm. He said it was locked down so they could ONLY run RDP. 6 months later they are connecting to the un-encrypted city WIFI, surfing porn and have a fake AV trojan running on it.

          LOL as soon as I seen that they got a HP running ThinPro(Linux) for RDP and the issue was solved.

          The same intern tried to get the Cisco VPN client, McAfee Enterprise client, Sun JRE for our ERP system and Sprint 3G modem to work and found out XPE looks like windows but is really missing too much windows to get windows apps to work.

  6. Sleep deprived
    Happy

    Could they just move them back to OS/2?

    Good ol' Warp use to run lots of ATM.

    1. Anonymous Coward
      Anonymous Coward

      Re: Could they just move them back to OS/2?

      also iirc it ran some rail ticketing machines in UK - the DLR comes to mind for some reason, but I may well be wrong there (I'm talking about ten years ago, prob more - but still a long time after Warp was no longer shipping)

    2. s2bu

      Re: Could they just move them back to OS/2?

      I wish! The OS/2 ATMs were so much faster than these damn XPe ones. They're so crazy slow it's aggravating!

    3. Daniel B.
      Boffin

      Re: Could they just move them back to OS/2?

      Good ol' Warp use to run lots of ATM.

      I second that motion. The OS/2 ATM era was very good.

  7. Anonymous Coward
    Anonymous Coward

    vendors

    If the atm manufacturers were serious about security then they would not be cancelling support on 'old' atm's that have an upgrade path to win7 - in the case of one vendor they even went so far as to sell upgrade kits only to advise customer that they were cancelling support end of 2016 AFTER the customers bough the upgrade kits - and when a new installed atm is close to 50k then it's to be expected that there will be many atm's that are still running winxp after support ends...

    as a caveat (and as someone mentioned ealier) most banks do run atm's in a completely private and separate network, going direct to the system driving the atm....this makes the chances of something happening much lower - and there have to be 2 staff present whenever an ATM is serviced - so the likelihood of a staff member install a virus is also a limited vector...

  8. Someone Else Silver badge
    Coat

    I see a marketing opportunity here...

    Any machine still running Windows XP Embedded Service Pack 3 (SP3) from mid January onwards is therefore at greater risk because software updates and support have been withdrawn. The plug gets pulled on Windows Embedded for Point of Service SP3 slightly later on 12 April 2016.

    Can't wait until these ATMs start displaying a solicitation to install Windows 10 Embedded in the lower right-hand corner of the screen....

  9. azaks

    Yawn...

    Just another crisis invented by a company with the silver bullet that will fix it.

    Would it really be cheaper to license this software, test it so that it doesn't do more harm than good, and then deploy it to every ATM or just move to a supported OS?

    And as many have pointed out, ATMs are extremely limited in their ability to interact with any untrusted code, so the usual rules don't apply.

  10. Anonymous Coward
    Anonymous Coward

    Why the F*#k are they using windows?

    Seriously, this should be a cut-down Linux purpose built for the task.

    I blame lazy IT managers for this.

    And I say that from a position of knowledge of one particular company that an in-law worked at. Their IT manager told the systems design folks to just use Windows because it was easier. I think he just wanted his bonus.

    Anon because I think there may still be some contractual stuff that still applies to the in-law.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why the F*#k are they using windows?

      There should be no practical difference to using a cut down, purpose built, Linux OS, to using a cut down, purpose built, windows OS for the task. This is not a consumer windows system with all sorts of services running in the background doing who knows what, it is the bare minimum to run one single, specific, application.

      If you recall the fairly recent hacking competition where they had the full windows, Linux and OSX primed to be hacked, first to compromise it wins a laptop etc. No-one even bothered to try on the first day when it was just the OS installed. All the attack vectors were through things installed on top of the base OS.

      I'd be far more worried about the less-than-minimum-wage guy in India who wrote the bank's application running on the thing, compromising it at source, than someone breaching Windows.

  11. Cynic_999 Silver badge

    Why on Earth does an ATM need to use a complex OS at all? ISTM that a simple board with one of the plethora of low-end SoC chips and a few hundred kB of RAM and Flash (if that) would easily be able to cope with the functions required of an ATM - and while obscurity does not equate to security, it would be more difficult to find an attack vector for an embedded SoC running relatively simple custom code than a complex multi-tasking general OS that is readily available to potential attackers - and a heck of a lot easier to check the code for security flaws before deployment. After all, the required functionality is not all that more complex than a modern washing machine - albeit with a lot more checks & guards in the code to ensure that memory corruptions and hardware/mechanical faults result in a safe failure mode. In fact everything apart from encryption and VGA screen driver could be achieved using an 8 bit PIC running at a few MHz. I'm sure the money saved by using a Raspberry Pi instead of a full PC motherboard would pay for a couple of competent SoC programmers - which is all you'd need to develop & maintain it.

    1. Ken Hagan Gold badge

      Maybe if all the banks clubbed together they could afford this sort of bespoke development. :)

      As an extra benefit, if all banks were using a common ATM design, there would be less to harmonise when the next merger happened. (That might be sooner than they'd like if some of them are relying on XP to keep their cash safe.)

      1. JassMan
        Happy

        @Ken Hagan

        Yup! Many car manufacturers have got together and created the GENIVI alliance to run a Linux core on CANBUS systems with just the display layer being tweaked by individual manufacturers to give branding.

        Surely it would make sense for the banks to do something similar. If they used a cut down Linux system, it would give a new lease of life to all that creaking old hardware.

        1. John Tserkezis

          Re: @Ken Hagan

          "Yup! Many car manufacturers have got together and created the GENIVI alliance to run a Linux core on CANBUS systems with just the display layer being tweaked by individual manufacturers to give branding."

          Yep. That's why you can hack those car with just their IP address.

  12. Bladeforce

    Who the hell...

    ..thought an ATM running windows was a good idea knowing full well they will be at the whim of a corporation's beck and call? I mean come on, FORWARD THINKING PEOPLE. Windows should never be used on any corporations machines for THIS reason alone

    1. martinusher Silver badge

      Re: Who the hell...

      Windows turns up in a lot more places than you'd think prudent. A lot of industrial control systems run on Windows. Windows XP, in fact. You can't just "upgrade" them because Microsoft has effectively rendered a lot of peripherals and language libraries obsolete when they went to Win7.

      The moral of the tale, of course, is that nobody in their right mind should be using Windows for anything more exacting than a desktop running simple user software. Unfortunately corporate management -- and a lot of programmers -- aren't in their right minds these days so Windows persists. Its good to be more-or-less retired; I don't have to deal with this any more.

      1. Roland6 Silver badge

        Re: Who the hell...

        In some respects it is funny that MS having spent the 80's and 90's getting the world to use it's OS's - which the world did with 2003/XP, making these the bedrock of much of our modern IT environment -

        decided it would be a good idea to simply ditch these OS's and deliver a whole series of cocked up OS's (Win7 was really just the production ready version of Vista, and Win10 still has a long way to go before it can be regarded as a production ready version of Win8).

        I expect many in the embedded market to be seriously thinking about what to replace these legacy XP systems with - it wouldn't surprise me if MS has already been put on the list of non-contenders...

        Perhaps I should be brushing up my RTOS & VRTX skills...

      2. Paul Hovnanian Silver badge

        Re: Who the hell...

        "A lot of industrial control systems run on Windows. Windows XP, in fact."

        This.

        And I've seen some HMI software look for IE6 before starting. Not that the HMI actually uses IE6, but it was written by a Microsoft shop with Microsoft tools. And those tools appear to have been written to keep people from porting the code away from Windows. And stick customers with upgrade fees triggered by MS upgrades. Small shops (without IT departments) just kept their systems on XP/IE6 and now they are stuck. Any maintenance will require an old system for development or rip out the PLCs, take the ladder logic diagrams and start over. With their luck, using a development platform locked to IE10.

    2. Someone Else Silver badge
      WTF?

      @bladeforce -- Re: Who the hell...

      I mean come on, FORWARD THINKING PEOPLE.

      Are you outcherfukinmind?!? These are banks, people! They stand as much chance of thinking forward as I have winning the lottery. Twice. In the same Day! With different numbers!!

      1. Paul Hovnanian Silver badge

        Re: @bladeforce -- Who the hell...

        "winning the lottery. Twice. In the same Day! With different numbers!!"

        But banks are used to winning the lottery every day. Thanks to the Federal Reserve (or the national bank of your choice) forcing truckloads of free money on them in the form of quantitative easing.

        Maybe they are waiting for the ATM fairy to appear, wave her wand over their configuration mess and make it all better.

    3. Anonymous Coward
      Anonymous Coward

      Re: Who the hell...

      Most of the big ATM manufacturers - namely Diebold, Wincor and NCR - not sure about Triton, but they're mainly into cash dispensers...

      I've asked the same question year after year since they shifted from os2 to windows - and have yet to hear a reason from anyone...

      The fact that it's a locked down version doesn't really help much - anyone with physical access can always change things in a negative way....

      1. Anonymous Coward
        Anonymous Coward

        Re: Who the hell...

        No - they can't. Physical access to the unit doesn't provide access to the OS - even with diagnostics access.

        1. Hans 1 Silver badge

          Re: Who the hell...

          >No - they can't. Physical access to the unit doesn't provide access to the OS - even with diagnostics access.

          Oh, come on ... Some bloke managed to rip off a piece of plastic and access a CD-ROM drive, put a CD with malware on it, autorun and 0pla, 0wned. Others have been 0wned via USB as well ... It has happened, not all ATM's are locked-down ... I have seen, and others have reported here, that some ATM's run Windows XP Pro, I have seen BSOD's on several which confirm that - I doubt a dumbed-down XPE system has "Windows XP Professional" printed on the BSOD, right ?

    4. John Tserkezis

      Re: Who the hell...

      "Windows should never be used on any corporations machines for THIS reason alone"

      Nice, but unfortnately, I'll never happen - Windows programmers are cheaper than any of the alternatives.

  13. Anonymous Coward
    Linux

    Secret Integrity Sauce™

    "UK startup Abatis is marketing .. Host Integrity Technology, as a means to defend against malware"

    Didn't this used to be called a ROM. Which begs the question as to why an Embedded OS needs protection against malware. Of course no one in his right mind would run an ATM on Windows in the first place.

  14. Herby

    It isn't only ATM's!!

    Many medical instruments are attached to some form of Windoze. I worked for a company that made pacemakers, and while the pacemaker itself was a low power 8 bit micro, they usually had an interface to a more powerful (read windows) computer. Some medical instruments also use Windows as a nice "shiny-shiny" interface to those who can only deal with a mouse.

    I've heard stories of medical equipment that was "certified" by the FDA and "locked down" in hospital environment. Then used as an email machine by the operator only to be nicely infected. But since it was "certified" and now allowed updates, they couldn't even put an anti-virus on it.

    And we thought computers made things better. Guess again if you are using vulnerable software.

  15. Anonymous South African Coward Silver badge

    Was also thinking of going back to OS/2 - but then the ne'er-do-wells will start to code and target OS/2 as well.

    A hardened, minimal Linux distro should do the trick.

    Unfortunately, no matter the OS, the weak point is the technical person maintaining/installing the system... if you can get said tech in your pocket, then you're guaranteed access to the kingdom.

    Unless said machines are set up and tested before they're getting rolled out, and the field install tech only need to plop it down and switch it on. Also, said field install tech will NOT have the password(s) for the currently installed OS.

    Meh, can be going on for hours like this. There's too many security vulnerabilities.

  16. JaitcH
    Happy

    ATM security threatened by Windows XP support cutoff? What about Vietnamese police?

    Almost every street level Vietnamese police station and office, as well as the data entry centres for the Internal Security Police, are filled with aged computers running that great OS - Windows XP.

    Another curious feature is the fact most have the same serial number! Of course, since the very same police monitor software piracy, the latter shouldn't prove an insurmountable problem.

    Perhaps the solution is to switch to Linux to avoid a big hardware bill.

  17. Anonymous Coward
    Anonymous Coward

    Some clarity

    - Most (there are some exceptions) ATMs run Windows XP Pro not embedded.

    - Many are moving to Windows 7

    - These ATMs have most Windows services disabled and most common desktop attack vectors aren't available (no outlook, web browsing etc).

    - Windows is the platform of choice because it has an abstraction layer called XFS that gives a standard interface to the underlying devices so (theoretically) one ATM application can run on any vendor's ATM. This isn't going to change any time soon.

    - These ATMs also have virus scanners installed - which can cause more problems than they solve because they're not designed for an 'unattended' environment where the user can't babysit them.

    - The most prepared banks have fit for purpose security products installed which are designed for ATMs and include AV, HDD encryption, firewalls, whitelisting, USB device control/blocking etc

    - A different OS won't add much more (if any) security beyond what is already available to the banks today.

    1. Hans 1 Silver badge
      Windows

      Re: Some clarity

      >- Windows is the platform of choice because it has an abstraction layer called XFS that gives a standard interface to the underlying devices so (theoretically) one ATM application can run on any vendor's ATM. This isn't going to change any time soon.

      J/XFS

      1. Dan 55 Silver badge

        Re: Some clarity

        J/XFS

        Hmm, from MS to Oracle (with new special Java SE rates come January 2019). It's a tough sell.

  18. patrickstar

    This reminds me of an appliance running XP Embedded I worked with many years ago. It actually got Conficker! But this wasn't some hyper-slimmed down version but rather vanilla no-service-pack XP without some of the fluff - you could plug in a monitor or RDP to it and use it just like a normal desktop. AFAIK XPE means you build a custom install image and can enable exactly what you need - I guess a certain vendor didn't bother.

    On an ATM related note, I've actually found an ATM with the UI made in Flash! Fiddle with the touchscreen a bit and it gives you. the right-click menu from the standalone Flash Player... atleast they could've used AIR so it resembled a normal application.

  19. oomwat
    Trollface

    Can we have a popcorn icon please?

  20. Anonymous Coward
    Anonymous Coward

    Go behind the ATM and connect directly, not through netwrok.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020