Forum Thread: Windows XP Runs 95% of All ATMs Despite Microsoft Ending Support

Yesterday, April 8th, 2014, Microsoft's Windows XP reached its end of life for security and technical support. This means that the millions of computers that still run Windows XP will be without security updates, among other things. Windows XP, despite its age and well-known vulnerabilities, is still among the most widely used operating systems on the planet.

Windows XP is still in wide use among the developing economies, and surprisingly, among corporate environments. It maintains its place in these corporate environments, very often, because specialized applications were written for it.

After 12 years, the application developers have not created an updated application that uses one of the newer operating systems, or to change the operating system and application would require a new and expensive re-certification.

One application that still widely uses Windows XP is the ubiquitous ATM. It is estimated that over 95% of the over 210,000 ATMs worldwide use Windows XP as its operating system!

The operators of these ATMs, largely big banks, will no longer automatically be getting security updates. It has been reported that many of the largest banks have private contracts with Microsoft to continue to service XP with security and other updates, but that leaves the vast majority of these systems without any security updates. These non-bank ATM owners and the regional bank ATM owners may likely become the target of hackers looking to exploit old and new Windows XP vulnerabilities.

Hacking the ATM

A few years back, the legendary security researcher, Barnaby Jack—who passed away last year from an accidental drug overdose—demonstrated at the 2010 annual Black Hat conference in Las Vegas that he could trick an ATM to spit out all of its cash. All he needed was the IP address of the machine and he could then access the management console in the system and he could get it to play a jaunty little tune, while spitting out hundreds of $20 bills.

In addition, he revealed that many of these systems are still connected via dial-up connections and could be found by war-dialing (how is that for a blast from the past!). He was also able to access the users' account PINs.

The Important Lesson

It's a common mistake of the human condition to assume that everyone is like us. If we like something or use something, then EVERYONE else must be as well. This is a foolish mistake to make in all disciplines, but in our discipline can lead to the myopia of missed opportunities.

I have heard comments from some of you about my Windows XP and Windows Server 2003 hacks that they are a "waste of time" and "NO one uses those old operating systems anymore". "Everyone is using Windows 8".

That mindset is a reflection of the myopia I am referring to.

I have been in many corporate and military environments where XP is still in wide use (I just returned from an engagement with a major hospital system that had XP still running numerous critical systems). The most common reason is that the corporation has an application that has never been developed for the newer operating systems. In other cases, it's simply the human cost of transition.

I point all this out because I don't want you to lose sight that probably one-third of the systems on this planet are still using XP or 2003. Probably most importantly, those systems often are critical to the operation of the institution. If they weren't, they would upgrade them.

Don't discount learning to hack XP systems just because you and all your friends are running Windows 8. Windows 8 might be fun to hack to demonstrate your hacking prowess to your girlfriend, but often the rewards of hacking XP can be much greater than burnishing your ego!

22 Responses

Didn't know some ATM were running Windows XP

Not some ATM's, 95% of ATM's! That's pretty much all of them. Some are even still running Windows 2000.

Master :

Can you do some tutorial for this ?

X-OR45

On how to hack into an ATM? If it is Windows XP and connected to the net, you can try any of the XP exploits I have shown you. Unfortunately, most of those vulnerabilities have been closed, so you will likely new a new one.

OTW

It still blows my mind how many systems are still running, what I would call, a legacy OS.

I mean, yeah it was great back in its heyday, but now it's been superseded three times and all support from the vendor has ceased.

ghost_

concerning ATMs, i don't know if the 95% stat is world wide or just in the US but i can vouch for xp being used in ATMs in my country.

I just would like to add a little point in favor of XP. Many companies are using XP not only because their applications are not available or for cost considerations, but most importantly because XP is one of the greatest if it is not the greatest OS developed by windows on so many level. Principaly in terms of resilience, stability, and security (yes it has many exploits but what OS doesn't have exploits??). This is why XP was able to quickly replace previous OS versions, while new OS versions were not able t do the same (vista, 7 and 8)

Master OTW please make some tutorials to hack ATM machines, turn Traffic lights off/on and house lights on/off etcetera. PLEASE!

Also Cellphone hacking.

please inform me if you're going to teach us all these!

Dragon Hunt3r:

This isn't Watch Dogs.

ghost_

Dragon:

I definitely have cellphone hacking on my near term agenda. As for ATM machines, probably not. If you wanted to hack ATM's, you would need to apply the principles I have developed here in Null Byte and apply them. First, you would need to find their IP addresses, so try some scanning.

I think the same applies to traffic lights and house lights. I can give you general principles and then you need to apply them. Of course, it goes without saying that to hack any light system remotely, it would require that the system have a network interface.

OTW

Am now feeling hungry :)

Thanks
Master

As a way of showing appreciation to you...every hack I do i will have to give you a shout out as the master. Kindly advice if that is ok.

Evil Genious

Evil Genious:

While flattering; somehow I don't think that's something a fellow hacker wants. Especially if what you're doing is illegal.

But that's just me.

ghost_

master oTW...can you make a write up on what you know about heartbleed? thanks :)

@Ghost

Thank you for the advice. I am a system admin. so i am a whitehat not a black hat. what i meant was a referential signature.

Evil Genious

if i scan ip's of poker rooms i only get the server ip
i dont get of the pepol in the room

sorry im from holland and i cant speak the language verry wel

Sam:

That is all you should get. To get the IP's of the other users, you will need to embed a listener somewhere on the server or on the wire leading to the server.

OTW

and how do i do that

tank u otw

Read my tutorial on Metasploit and other hacking techniques.

i did but how do i get a listener on a server ??
have you a tutorial where you explain that

thank u otw

All of my Metasploit tutorials show you how to put a listerner/shell on the server.

i lookd in to your metaploit tutorials and can see one where you explain how to put a listener on a server

Sam:

All of my metasploit tutorials show how to put a listener on the target system.

OTW

Share Your Thoughts

  • Hot
  • Active