Windows XP Runs 95% of All ATMs Despite Microsoft Ending Support
Yesterday, April 8th, 2014, Microsoft's Windows XP reached its end of life for security and technical support. This means that the millions of computers that still run Windows XP will be without security updates, among other things. Windows XP, despite its age and well-known vulnerabilities, is still among the most widely used operating systems on the planet.
Windows XP is still in wide use among the developing economies, and surprisingly, among corporate environments. It maintains its place in these corporate environments, very often, because specialized applications were written for it.
After 12 years, the application developers have not created an updated application that uses one of the newer operating systems, or to change the operating system and application would require a new and expensive re-certification.
One application that still widely uses Windows XP is the ubiquitous ATM. It is estimated that over 95% of the over 210,000 ATMs worldwide use Windows XP as its operating system!
The operators of these ATMs, largely big banks, will no longer automatically be getting security updates. It has been reported that many of the largest banks have private contracts with Microsoft to continue to service XP with security and other updates, but that leaves the vast majority of these systems without any security updates. These non-bank ATM owners and the regional bank ATM owners may likely become the target of hackers looking to exploit old and new Windows XP vulnerabilities.
A few years back, the legendary security researcher, Barnaby Jack—who passed away last year from an accidental drug overdose—demonstrated at the 2010 annual Black Hat conference in Las Vegas that he could trick an ATM to spit out all of its cash. All he needed was the IP address of the machine and he could then access the management console in the system and he could get it to play a jaunty little tune, while spitting out hundreds of $20 bills.
In addition, he revealed that many of these systems are still connected via dial-up connections and could be found by war-dialing (how is that for a blast from the past!). He was also able to access the users' account PINs.
It's a common mistake of the human condition to assume that everyone is like us. If we like something or use something, then EVERYONE else must be as well. This is a foolish mistake to make in all disciplines, but in our discipline can lead to the myopia of missed opportunities.
I have heard comments from some of you about my Windows XP and Windows Server 2003 hacks that they are a "waste of time" and "NO one uses those old operating systems anymore". "Everyone is using Windows 8".
That mindset is a reflection of the myopia I am referring to.
I have been in many corporate and military environments where XP is still in wide use (I just returned from an engagement with a major hospital system that had XP still running numerous critical systems). The most common reason is that the corporation has an application that has never been developed for the newer operating systems. In other cases, it's simply the human cost of transition.
I point all this out because I don't want you to lose sight that probably one-third of the systems on this planet are still using XP or 2003. Probably most importantly, those systems often are critical to the operation of the institution. If they weren't, they would upgrade them.
Don't discount learning to hack XP systems just because you and all your friends are running Windows 8. Windows 8 might be fun to hack to demonstrate your hacking prowess to your girlfriend, but often the rewards of hacking XP can be much greater than burnishing your ego!